Edward Kiledjian's Threat Intel

An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps www.trendmicro.com/en_us/res…

Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users.

  • Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation.
  • In another delivery method, users are tricked into pasting commands into the macOS Terminal. This can bypass Gatekeeper, a built-in protection that normally blocks unsigned or unverified apps from running. AMOS also relies on rotating domains to evade static, URL-based detections and to delay takedowns.
  • AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders. For businesses, this creates downstream risks such as credential stuffing, financial theft, or further intrusions into enterprise systems.
  • AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.
  • Educate users about the risks of cracked software, fake installers, and copy-paste Terminal prompts. Adopt a defense-in-depth approach that combines user training, endpoint visibility, and network monitoring. More detailed guidance for IT and security teams is given in the best practices outlined below.