
Cybersecurity Threat: Atomic macOS Malware Targets Keychain Passwords and Cryptocurrency Wallets

Cybersecurity researchers have identified a new information-stealing malware targeting Apple macOS users. Dubbed "Atomic macOS Stealer" (AMOS), the malware is being advertised on Telegram for a subscription fee of $1,000 per month, joining the ranks of similar malware such as MacStealer.

According to a technical report by Cyble researchers, AMOS is capable of extracting a wide range of information from infected macOS devices. This includes Keychain passwords, comprehensive system data, files from the Desktop and Documents folders, and even the macOS password itself. The malware also targets web browsers and cryptocurrency wallets, including Atomic, Binance, Coinomi, Electrum, and Exodus. Buyers of the malware receive a web panel for managing victims' data.

AMOS is distributed as an unsigned disk image file named "Setup.dmg." When executed, the malware prompts victims to enter their system password on a fake screen, allowing it to escalate privileges and initiate malicious activities. This tactic is similar to that employed by MacStealer.

The exact method of delivering AMOS to victims remains unclear, but researchers speculate that social engineering techniques may be used to trick users into downloading and running the malware, disguised as legitimate software.

The malware was submitted to VirusTotal on April 24, 2023, under the name "Notion-7.0.6.dmg," indicating that it may be masquerading as the well-known note-taking app. Additional samples discovered by MalwareHunterTeam include "Photoshop CC 2023.dmg" and "Tor Browser.dmg."

Cyble researchers warn that AMOS could be installed by exploiting system vulnerabilities or through phishing websites. Once installed, the malware harvests system metadata, files, iCloud Keychain data, web browser information (passwords, autofill, cookies, credit card data), and cryptocurrency wallet extensions. The collected data is compressed into a ZIP archive and transmitted to a remote server. The ZIP file is then forwarded to designated Telegram channels.


The emergence of AMOS underscores the growing trend of macOS becoming a target for cybercriminals deploying information-stealing malware. To mitigate the risk, users are advised to download and install software only from trusted sources, enable two-factor authentication, review app permissions, and avoid clicking on suspicious links in emails or text messages.
