The Trend Micro Research team has uncovered a new campaign distributing Atomic macOS Stealer (AMOS), a malware family designed to exfiltrate sensitive data from Apple devices. While macOS has historically faced fewer malware threats than Windows, its growing adoption in enterprises has made it an increasingly lucrative target.
As Trend Micro explains, “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.”
Attackers are disguising AMOS as “cracked” versions of legitimate software hosted on malicious sites. Users searching for pirated tools, such as CleanMyMac, are redirected to AMOS landing pages. Clicking “Download for MacOS” delivers a trojanized .dmg installer, while alternative instructions trick victims into pasting malicious commands into the Terminal.

This copy-paste technique resembles fake CAPTCHA prompts, conditioning users to trust and execute arbitrary commands.
Once executed, AMOS deploys a multi-stage infection chain:
- Installer script downloads an AppleScript (update) into /tmp.
- A LaunchDaemon (com.finder.helper.plist) ensures persistence by running a hidden .agent script in an infinite loop.
- The malware collects system details and user credentials and compresses them into a ZIP archive (/tmp/out.zip).
- Data is exfiltrated via curl POST requests to attacker-controlled domains, such as sivvino[.]com and hardcoded IP addresses.
AMOS is equipped with sandbox evasion checks—for example, it inspects memory and hardware identifiers to detect VMware, QEMU, or unknown chips before executing payloads.
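The infection chain above leaves a handful of host artifacts a defender can hunt for: the staged AppleScript in /tmp, the com.finder.helper.plist LaunchDaemon pointing at a hidden .agent script, the /tmp/out.zip staging archive, and a curl POST that uploads it. The script below is an added example (not Trend Micro's code) that checks a filesystem root for those artifacts and classifies process command lines that look like the exfiltration step. The indicator names come from the article; the launchd directories, the upload-flag list, the placement of the .agent script under a user home, and the constructed sample tree are assumptions.

```python
"""Hunt for the AMOS host artifacts described above (added example).

Indicator names (/tmp/update, com.finder.helper.plist, hidden .agent
script, /tmp/out.zip, curl POST exfiltration) come from the article;
everything else here is an assumption.
"""
import plistlib
import shlex
import tempfile
from pathlib import Path

STAGING_FILES = ("tmp/update", "tmp/out.zip")                      # from the article
LAUNCH_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")     # standard launchd dirs
SUSPECT_LABEL = "com.finder.helper.plist"                           # from the article
# curl options that send a local file or body; assumed list, not exhaustive.
UPLOAD_FLAGS = {"-F", "--form", "-d", "--data", "--data-binary", "-T", "--upload-file"}


def launch_item_findings(plist_path: Path) -> list[str]:
    """Findings for one launchd plist: the known AMOS label, or a hidden
    .agent script / a /tmp path in ProgramArguments."""
    findings = []
    if plist_path.name == SUSPECT_LABEL:
        findings.append(f"known AMOS persistence label: {plist_path}")
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return findings + [f"unreadable plist: {plist_path}"]
    args = data.get("ProgramArguments") or []
    if not isinstance(args, list):
        args = [args]
    cmdline = " ".join(str(a) for a in args)
    if "/.agent" in cmdline or "/tmp/" in cmdline:
        findings.append(f"suspicious ProgramArguments in {plist_path}: {cmdline}")
    return findings


def hunt(root: Path) -> list[str]:
    """Scan a filesystem root (normally Path('/')) for AMOS staging files
    and persistence entries; returns human-readable findings."""
    findings = []
    for rel in STAGING_FILES:
        path = root / rel
        if path.exists():
            findings.append(f"staging artifact present: {path}")
    for rel in LAUNCH_DIRS:
        launch_dir = root / rel
        if launch_dir.is_dir():
            for plist in sorted(launch_dir.glob("*.plist")):
                findings.extend(launch_item_findings(plist))
    return findings


def is_exfil_cmdline(cmdline: str) -> bool:
    """Process-telemetry check: a curl invocation that uploads /tmp/out.zip
    (an upload flag or an explicit POST, plus the staging archive path)."""
    try:
        toks = shlex.split(cmdline)
    except ValueError:
        return False
    if not toks or Path(toks[0]).name != "curl":
        return False
    uploads = bool(UPLOAD_FLAGS.intersection(toks)) or "POST" in toks
    return uploads and "/tmp/out.zip" in cmdline


def build_sample_root() -> Path:
    """Create a constructed sample tree (assumed layout, not real malware)
    containing the artifacts named in the article, for offline testing."""
    root = Path(tempfile.mkdtemp(prefix="amos_hunt_"))
    (root / "tmp").mkdir()
    (root / "tmp" / "update").write_text("-- constructed stand-in for the AppleScript\n")
    (root / "tmp" / "out.zip").write_bytes(b"PK\x03\x04constructed")
    daemons = root / "Library" / "LaunchDaemons"
    daemons.mkdir(parents=True)
    with (daemons / SUSPECT_LABEL).open("wb") as fh:
        plistlib.dump({"Label": "com.finder.helper",
                       "ProgramArguments": ["/bin/sh", "/Users/victim/.agent"],  # hypothetical path
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    # A benign daemon that must not be flagged.
    with (daemons / "com.example.backup.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/usr/local/bin/backup"]}, fh)
    return root


if __name__ == "__main__":
    for line in hunt(Path("/")):
        print(line)
```

Run it as root on the host under investigation to scan the live filesystem; `is_exfil_cmdline` is meant to be fed process-start command lines from whatever endpoint telemetry you already collect. Matching on the exact file names is deliberately narrow: it catches the variant described here, and the ProgramArguments check (hidden script or /tmp path) is the part that generalizes to renamed labels.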
AMOS is capable of broad data theft, targeting both personal and enterprise-sensitive information:
- Browser data (cookies, saved logins, autofill data).
- Cryptocurrency wallets (Binance, TonKeeper, desktop wallets).
- Keychain database and macOS passwords.
- Apple Notes and Safari cookies.
- Telegram chats and OpenVPN profiles.
- Files with extensions such as .pdf, .docx, .json, .db, .wallet, and .key.
Trend Micro warns, “AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders.”
This creates serious risks for organizations, enabling credential stuffing, financial theft, and further intrusions into enterprise networks.
Apple’s Gatekeeper technology successfully blocked many .dmg-based AMOS attempts in Trend Micro’s testing. On macOS Sequoia 15.6, attempts to run the fake installer triggered warnings such as “Apple could not verify Installer is free of malware”, effectively halting execution.
However, the Terminal-based method proved more effective, bypassing Gatekeeper and enabling successful infections.
The analysis concludes, “Educate users about the risks of cracked software, fake installers, and copy-paste Terminal prompts. Adopt a defense-in-depth approach that combines user training, endpoint visibility, and network monitoring.”