In a disturbing evolution of macOS malware, Moonlock Lab has discovered that Atomic macOS Stealer (AMOS), already notorious for pilfering cryptocurrency data, has gained a dangerous new feature. A recent update embeds a persistent backdoor, turning what was once a hit-and-run data thief into a long-term intruder capable of remote command execution, system surveillance, and re-infection.
Originally known for exfiltrating data from browser extensions and cold wallets, AMOS now goes beyond theft. The newly embedded backdoor grants ongoing user-level access, allowing attackers to run arbitrary tasks dispatched from remote servers and to persist across reboots.
“It now opens the door to full system compromise,” the Moonlock team warns.
This strategic shift is believed to mirror tactics previously seen only in state-sponsored attacks, particularly those of North Korean threat actors. The malware's infection chains and persistence methods echo those used in DPRK cryptocurrency-stealing operations, now adapted and deployed globally by Russia-affiliated threat actors.
AMOS campaigns have already impacted users in over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected. Its distribution now spans:
- Fake or cracked software downloads
- Spear-phishing job scams targeting high-value crypto holders and freelancers
Once the lure is opened, victims are socially engineered into entering their system password under the guise of enabling screen sharing or installing job-related software. With that password in hand, the malware begins to harvest sensitive data and lays the groundwork for persistent access.
AMOS now ships with multiple components:
- A .helper binary, downloaded and executed as the main backdoor
- A .agent script, acting as a looped wrapper to maintain execution
- A LaunchDaemon plist, installed in the system-wide LaunchDaemons directory (a write that needs the password harvested earlier) to ensure the backdoor is relaunched at boot
The malware initializes variables such as login, buildid, and botUrl, exfiltrates data via HTTP POST requests to C2 addresses including 45.94.47.145 and 45.94.47.147, and regularly checks in with its C2 for new commands.
“The overall communication… has changed drastically from one-shot data draining to more complex assignments of unique identifiers to each infected host,” Moonlock explains.
The new command-and-control infrastructure supports remote execution of commands such as:
- execute (shell command)
- pong (heartbeat)
- repeat (recheck)
- delete (clean up and self-delete)
AMOS uses macOS-native tooling such as AppleScript and osascript, masking its activities behind trusted system processes. The malware performs anti-virtualization checks to evade sandbox detection and executes commands with elevated privileges by reusing the user's password harvested early in the attack chain.
Moonlock Lab suggests this is just the beginning. While the current build reuses much of the existing stealer logic, the embedded backdoor introduces a modular platform that can support keyloggers, remote surveillance, and more.
“The combination of a plug-and-play stealer with backdoor functionality… turns a one-time breach into a long-term compromise,” the report concludes.
With AMOS shifting from a stealer to a persistent-access toolkit, Mac users are urged to:
- Avoid downloading cracked or suspicious software
- Be cautious of unsolicited job offers or interview requests
- Use reputable anti-malware tools with real-time scanning
- Regularly audit LaunchDaemons and investigate unknown background processes
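As an added example (not code from Moonlock's report or from the malware itself), the following Python script turns the last recommendation into something concrete: it parses launchd plists and flags the persistence traits described above, and it scans proxy or firewall log lines for the published C2 addresses. The .helper/.agent names and the two IP addresses come from the article; the label com.example.update, the path /Users/victim/.agent and the log lines are constructed samples, and the remaining heuristics (hidden dotfile executables, RunAtLoad combined with KeepAlive, executables in user-writable locations) are general launchd red flags rather than a signature of this particular build.

```python
"""Audit launchd plists and log lines for the AMOS backdoor traits described
above: hidden .helper/.agent components, a LaunchDaemon that keeps them alive,
and check-ins to the published C2 addresses. Added example, not Moonlock's code."""
from __future__ import annotations

import plistlib
import re
from pathlib import Path

# Indicators taken from the article: component names and C2 addresses.
KNOWN_C2_IPS = {"45.94.47.145", "45.94.47.147"}
HIDDEN_COMPONENT_RE = re.compile(r"(^|/)\.(helper|agent)$")
# Generic red flags (assumptions, not AMOS-specific): any hidden dotfile
# executable, and executables in locations a non-root user can write to.
HIDDEN_FILE_RE = re.compile(r"(^|/)\.[^/]+$")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def program_arguments(job: dict) -> list[str]:
    """Executable plus arguments as launchd sees them (Program or ProgramArguments)."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if job.get("Program"):
        args.insert(0, str(job["Program"]))
    return args


def audit_job(job: dict) -> list[str]:
    """Heuristic findings for one parsed launchd job dictionary."""
    findings = []
    for arg in program_arguments(job):
        if HIDDEN_COMPONENT_RE.search(arg):
            findings.append(f"references AMOS-style hidden component: {arg}")
        elif HIDDEN_FILE_RE.search(arg):
            findings.append(f"executes a hidden dotfile: {arg}")
        if arg.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"executable lives in a user-writable path: {arg}")
        for ip in IP_RE.findall(arg):
            if ip in KNOWN_C2_IPS:
                findings.append(f"embeds known C2 address: {ip}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarted at boot and whenever it exits")
    return findings


def audit_plist_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and audit the job they describe."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]
    return audit_job(job)


def audit_directory(directory: str | Path) -> dict[str, list[str]]:
    """Audit every .plist in a launchd directory; only files with findings are returned."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        findings = audit_plist_bytes(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


def scan_log_for_c2(lines) -> list[str]:
    """Return the log lines that mention one of the published C2 addresses."""
    return [line for line in lines if KNOWN_C2_IPS & set(IP_RE.findall(line))]


# Constructed samples, not real captures: an ordinary daemon and a plist
# modelled on the persistence described in the article.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.benignd",
    "ProgramArguments": ["/usr/libexec/benignd", "--daemon"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.example.update",  # placeholder label, not a real indicator
    "ProgramArguments": ["/bin/sh", "/Users/victim/.agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_LOG = [
    "2025-07-01T10:00:01Z proxy CONNECT 192.0.2.10:443 user=victim",
    "2025-07-01T10:00:07Z proxy POST http://45.94.47.145/ bytes=4096 user=victim",
    "2025-07-01T10:05:07Z proxy POST http://45.94.47.147/ bytes=212 user=victim",
]

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, audit_plist_bytes(data))
    print("c2 hits:", scan_log_for_c2(SAMPLE_LOG))
    # On a real Mac, point this at the system-wide daemon directory.
    for path, findings in audit_directory("/Library/LaunchDaemons").items():
        print(path, findings)
```

On a live system, run it as an administrator so /Library/LaunchDaemons is readable, and treat the hits as leads rather than verdicts: a hidden dotfile under a user's home directory that is kept alive by a root-level LaunchDaemon is exactly the shape described in the report, but legitimate software occasionally uses the same keys, so confirm by inspecting the referenced binary and its network behaviour.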