
macOS users—particularly cryptocurrency holders—are being warned about a new information stealer making the rounds in early 2025. First flagged on Twitter/X by researcher @mentalpositive and analyzed by K7 Labs, the stealer appears to be a potential variant of the infamous AMOS (Atomic macOS Stealer), and it specifically targets Ledger Live users and other crypto wallet owners.
“Early analyses suggest it might be a new variant of AMOS—the notorious Atomic macOS Stealer from 2023,” writes K7 Labs. “This comparison raises critical questions: Is this malware merely a rebranded version of AMOS, or does it introduce novel tactics and techniques?”
AMOS made headlines in 2023 by bringing malware-as-a-service (MaaS) to macOS. It could extract browser passwords, Keychain credentials, system data, and crypto wallets—all wrapped in an easy-to-use web panel.
The new stealer by “MentalPositive” mimics many of these same techniques but adds its own flavor:
- Uses Unix daemonization techniques (_fork, _setsid, and kill()) to run silently in the background and evade debugging and sandboxes.
- Prompts users for admin credentials by mimicking legitimate macOS prompts, then validates them locally using keychain APIs.
- Extracts data from login.keychain-db, /password directories, and common locations storing system authentication data.
- Targets a wider range of cryptocurrency wallets than AMOS, including browser extensions and other wallet-specific data.
“With administrative access obtained, it proceeds to target the login.keychain-db file and the /password directory… to extract saved passwords and other sensitive authentication data,” the report states.
Once executed, the malware follows a meticulous process:
- Detaches from the terminal to avoid user interruption.
- Collects system and credential data, consolidating it into a file named information.txt, where it leaves a signature: “mac.c macOS stealer by mentalpositive”
- Harvests browser data, saved logins, and cryptocurrency wallet information.
- Compresses all stolen content into log.zip for exfiltration.
- Transmits data over HTTP, tagging each build with a unique ID (e.g., JENYA, SHELLS, or BARNI), likely to track infection campaigns.
- Displays a fake update window to distract users while exfiltration occurs in the background.
“At the final stage of execution, the malware presents a fake system-like window displaying a specific message string… likely used to deceive the user or cover up its malicious operations.”
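The signature string, staging file name and archive name described above are the kind of artefacts a responder can check for when triaging a recovered upload or quarantined file. As an added illustration, not code from K7 Labs or from the article, the Python helper below flags a ZIP archive that carries an information.txt containing that signature; the build-ID text check and the constructed sample archive are assumptions made for the demo.

```python
import io
import zipfile

# Indicators as described in the article: the signature string left in
# information.txt, the staging file name, and the build-ID tags.
SIGNATURE = "mac.c macOS stealer by mentalpositive"
STAGING_FILE = "information.txt"
BUILD_IDS = {"JENYA", "SHELLS", "BARNI"}

def scan_text(data: bytes) -> dict:
    """Check text (staging file or captured upload body) for indicators. A bare
    build ID counts as a weak hit (assumption: the article does not say where it is placed)."""
    text = data.decode("utf-8", errors="replace")
    return {"signature": SIGNATURE in text,
            "build_ids": sorted(b for b in BUILD_IDS if b in text)}

def scan_archive(archive_bytes: bytes) -> dict:
    """Inspect a recovered archive (e.g. log.zip) for the staging file and its signature."""
    result = {"is_zip": False, "has_staging_file": False, "signature": False, "build_ids": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return result  # not a ZIP at all; nothing more to check here
    result["is_zip"] = True
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] != STAGING_FILE:
                continue
            result["has_staging_file"] = True
            hits = scan_text(zf.read(name))
            result["signature"] = result["signature"] or hits["signature"]
            result["build_ids"] = sorted(set(result["build_ids"]) | set(hits["build_ids"]))
    return result

def verdict(result: dict) -> str:
    """'match' on the signature string, 'suspicious' on weaker indicators, else 'clean'."""
    if result["signature"]:
        return "match"
    if result["has_staging_file"] or result["build_ids"]:
        return "suspicious"
    return "clean"

def build_sample_archive() -> bytes:
    """Constructed stand-in for a log.zip; the contents are invented for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(STAGING_FILE, "build: JENYA\nhost: demo-mac\n" + SIGNATURE + "\n")
        zf.writestr("wallets/placeholder.txt", "(constructed)")
    return buf.getvalue()
```

Run `verdict(scan_archive(open("log.zip", "rb").read()))` on a quarantined archive; anything other than "clean" deserves a closer look.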
Comparing AMOS Stealer and the New macOS Stealer by MentalPositive
| Feature | AMOS | MentalPositive |
|---|---|---|
| Obfuscation | Heavy | Minimal |
| Language | C++ & Go | Objective-C & Swift |
| Credential Handling | Sends credentials immediately | Verifies locally |
| Wallet Targets | Standard list | Expanded scope |
| Anti-analysis | Advanced | Basic (kill terminal, daemonize) |
| Campaign Mgmt | Shared infra | Build ID-based |
“Overall, the new stealer has the DNA of AMOS in its functions but is not as complex… it may be in developmental stages or its early phase—potentially evolving.”
While not as advanced as its predecessor, the MentalPositive stealer is dangerous in its simplicity and ease of deployment. It doesn’t require extensive obfuscation or evasion to be effective, and its ability to verify credentials locally before data theft helps it stay stealthy on macOS.
Given its likely connection to AMOS and focus on crypto wallets, it’s crucial for users—especially those using Ledger Live, MetaMask, or similar apps on macOS—to remain alert.