Cybercriminals launched a new Atomic macOS Stealer (AMOS) campaign that targets macOS users by disguising malware as "cracked" versions of legitimate apps, allowing attackers to overcome recent Apple security improvements.
Trend Micro researchers discovered a campaign in which threat actors distribute the Atomic macOS Stealer through social engineering. Attackers lure victims into downloading malicious .dmg installers that masquerade as cracked apps, or trick users into copying and pasting commands into the macOS Terminal. The campaign specifically targets users seeking cracked software from the website haxmac[.]cc, which hosts several cracked software programs for macOS. Researchers observed users searching for and downloading "CleanMyMac" from this site; the legitimate program is available from the Mac App Store. Once installed, AMOS establishes persistence on the victim's system and steals sensitive data including credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders.
Apple recently enhanced Gatekeeper protections in macOS Sequoia to block traditional .dmg-based infections. However, threat actors adapted their tactics to use terminal-based installation methods that prove more effective in bypassing these security controls.
The attack chain begins when users visit haxmac[.]cc to download cracked software. After downloading, victims are redirected to the AMOS landing page, which performs OS fingerprinting to determine whether visitors use Windows or macOS before redirecting them to the corresponding payload page. The threat actors rotate the domains and URLs used in the download commands frequently to evade static URL-based detections and takedowns. The malicious installation script downloads an AppleScript file called "update" to the temp directory. A property list file named 'com.finder.helper.plist' configures a macOS LaunchDaemon that continuously runs the agent script in an infinite loop, detecting logged-in users and executing the hidden binary. The binary establishes persistence by retrieving the username of the currently logged-in user, excluding root.
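The persistence step above leaves a recognisable artifact: a launchd job in a third-party launch directory that runs a script from the temp directory under an interpreter, keeps itself alive, and carries an Apple-sounding label. The following defensive script, added here as an example and not code from the report or from Trend Micro, parses launchd property lists with Python's `plistlib` and flags those traits. The sample plists are constructed for the demo (the label `com.finder.helper` and the `/tmp/update` path follow the behaviour described above; everything else, including the heuristic name lists, the path prefixes and the two-finding threshold, is an assumption to tune for your own fleet).

```python
"""Flag launchd jobs that look like stealer persistence (added example, not the
report's code). Heuristic lists and thresholds below are assumptions."""
import os
import plistlib
from typing import Dict, List

# Directories launchd reads third-party jobs from (system-wide and per-user).
LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Assumed indicator lists: payload staged in a temp/shared dir, run via an interpreter,
# labelled to look like an Apple component. Tune these for your environment.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "curl"}
LOOKALIKE_LABELS = ("com.apple.", "com.finder.")


def find_indicators(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one launchd plist (empty list = nothing odd)."""
    try:
        job = plistlib.loads(plist_bytes)  # handles XML and binary plists
    except (plistlib.InvalidFileException, ValueError) as exc:
        return [f"unparseable plist ({exc})"]
    if not isinstance(job, dict):
        return ["top-level object is not a dict"]

    findings: List[str] = []
    label = str(job.get("Label", ""))
    # What the job actually executes: Program and/or ProgramArguments.
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job:
        args.insert(0, str(job["Program"]))

    if label.startswith(LOOKALIKE_LABELS):
        findings.append(f"Apple-lookalike label '{label}' in a third-party launch directory")
    for arg in args:
        if arg.startswith(TEMP_PREFIXES):
            findings.append(f"executes content from a temp/shared directory: {arg}")
    if args and os.path.basename(args[0]) in INTERPRETERS:
        findings.append(f"job is an interpreter invocation: {args[0]}")
    if any("curl " in a or "http://" in a or "https://" in a for a in args):
        findings.append("arguments contain a download command or URL")

    # KeepAlive may be a bool or a dict of conditions; both make launchd respawn the job,
    # which together with RunAtLoad gives the "infinite loop" behaviour described above.
    keep_alive = job.get("KeepAlive", False)
    if (keep_alive is True or isinstance(keep_alive, dict)) and job.get("RunAtLoad", False):
        findings.append("RunAtLoad + KeepAlive: job is restarted continuously")
    return findings


def scan_plists(plists: Dict[str, bytes], min_findings: int = 2) -> Dict[str, List[str]]:
    """Keep only items with at least `min_findings` indicators (threshold is an assumption)."""
    results: Dict[str, List[str]] = {}
    for path, data in plists.items():
        hits = find_indicators(data)
        if len(hits) >= min_findings:
            results[path] = hits
    return results


def load_from_disk(dirs=LAUNCH_DIRS) -> Dict[str, bytes]:
    """Read every .plist in the launchd directories that exist on this host."""
    out: Dict[str, bytes] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                try:
                    with open(path, "rb") as fh:
                        out[path] = fh.read()
                except OSError:
                    pass  # unreadable entry; skip rather than abort the scan
    return out


# Constructed sample input (not real artifacts): one item modelled on the persistence
# described in the report, one ordinary third-party agent for contrast.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.finder.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>/tmp/update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup-agent</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    # Swap SAMPLE_PLISTS for load_from_disk() to check a real host.
    for path, hits in scan_plists(SAMPLE_PLISTS).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

Run as-is it reports the constructed `com.finder.helper` item with four findings and stays silent on the backup agent; replace `SAMPLE_PLISTS` with `load_from_disk()` to sweep a real machine. The threshold of two findings is there so that a lone interpreter-based job (common for legitimate helpers) does not page anyone; a job combining a temp-directory payload, an interpreter and loop-style respawning is the combination worth a closer look.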
Trend Micro researchers stated the campaign represents "significant tactical adaptation." They noted, "While macOS Sequoia's enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls." The researchers warned that "downloading the program from an untrusted source, as seen in these cases, puts the machine and the organization at risk because these cracked programs might be bundled with malware or trojanized by threat actors." They added, "As a result, the domains and URLs are expected to change over time."
This campaign demonstrates how quickly cybercriminals adapt to new security measures, making Apple's recent macOS Sequoia security enhancements less effective. The stolen information creates downstream risks for businesses beyond individual victims, as attackers can use compromised credentials for credential stuffing attacks, financial theft, or further intrusions into enterprise systems. Healthcare organizations using macOS devices face risks since stolen credentials could lead to unauthorized access to protected health information and HIPAA violations.
Organizations cannot rely solely on built-in operating system protections against evolving stealer campaigns. Deploy defense-in-depth strategies that include employee education about the risks of downloading software from untrusted sources and implement additional security layers beyond Apple's built-in protections.
A cracked app is an unauthorized, modified version of legitimate software that often bypasses licensing or payment requirements.
Users should verify apps through official sources like the Mac App Store and avoid third-party download sites.
No, AMOS specifically targets macOS devices, not iOS devices.
Unusual system behavior, persistent background processes, and unauthorized access to accounts can be red flags.
AMOS is notable for its focus on credential and wallet theft, unlike some strains that emphasize ransomware or adware.