Moonlock Lab

Under the hood of the Atomic macOS stealer (AMOS)

Victor Kubashok

Aug 16, 20233 min read

Under the hood of the Atomic macOS stealer (AMOS): Header image

In the past year, macOS users have seen increased adware, potentially unwanted applications (PUA), and malware, including stealers. In the case of stealer malware, the goal is to extract personal data from victims and send it to remote command and control (C2) servers. That includes login information, passwords, cookies, bank data, browser history — anything that may be of value to hackers.

In this analysis report, we take a look at the new Atomic macOS stealer, also known as AMOS, discovered in April 2023 by Cyble Research.  

How the Atomic macOS stealer spreads and functions

Many stealers for macOS are developed using Python, Go, or Swift programming languages, all of which have similar functionalities. In this case, AMOS was developed using Swift, and the executable can run on different CPUs, including Intel and Apple Silicon.

The AMOS stealer spreads via a dmg image (Launcher.dmg), which contains instructions on how to run the launcher.

A screenshot of the AMOS launcher screen

The AArch64 architecture (M1/M2 Apple Silicon processors) was used for analysis. The binary file is signed with an ad-hoc signature.

A screenshot of the AMOS binary file

Fortunately, dynamic and code-level analysis can help experts understand how this malware works.

After starting the launcher, the user will see a window that simulates a system process that requires a password to access System settings. Entering your password here will allow the malware to access your keychain, where login data, bank cards, and other pieces of encrypted information are stored.

A screenshot of AMOS trying to access Keychain

The stealer then checks your software and hardware using the system profiler, as seen in the image below. This trick is typically employed to prevent malware debugging and analysis in a virtual environment.

A screenshot of the AMOS stealer checking system software and hardware

To gain access to user data, the malware opens the Desktop and Documents directories, where it can collect your files. If the malware has gotten this far, data about your system is now saved in a file called Sysinfo.txt. It’s this file that will then be transferred to a remote C2 server, where hackers are free to do with it what they wish.

A screenshot of AMOS collecting user files in directories

Vulnerable browsers and extensions

In addition to the information listed above, the AMOS stealer can also extract data related to crypto wallets from the following browsers:

  • Brave
  • Microsoft Edge
  • Vivaldi
  • Chrome
  • Opera
  • OpraGX
  • Firefox

Most of the browsers on the list above are Chromium-based browsers due to the fact that the identical code structure, including browser extensions, makes it easy for the malware to access data.

During the analysis, it was found that the stealer searches and collects system information from desktop crypto wallets such as Exodus, Electrum, Coinomi, and Wasabi, as well as the browser extensions for crypto wallets (listed below). The AMOS is searching for confidential data that may be contained within them, including autofill fields, login data, cookies, and credit card numbers.

Extension IDExtension name
cjelfplplebdjjenllpjcblmjkfcffneJaxx Liberty
bcopgchhojmggmffilplmbdicgaihlkpHycon Lite Client
fnnegphlobjdpkhecapkijjdkgcjhkibHarmony Wallet
imloifkgjagghnncjkhggdhalmcnfklkTrezor Password Manager
egjidjbpglichdcondbcbdnbeeppgdphTrust Wallet

After gathering information, the AMOS copies the stolen data using the system macOS command ditto. The data is then packed into a zip archive for transfer.

The images below show the functions performed by the stealer to extract user data. The commands and their flags for copying and packing data are also visible. The sendlog function sends data in base64 format to the server, including a unique identifier and information about the user.

A screenshot of the stealer extracting user data
A screenshot of AMOS extracting and sending user data
A screenshot of the AMOS stealer extracting and sending user data

From here, the collected and packaged data is transmitted to a remote C2 server ( by POST request through a hard-coded IP value (

A screenshot of collected and packaged data being transmitted to a remote C2 server

A VirusTotal Graph tool shows that the domain is associated with various malware files containing macho and dmg files for macOS and other malicious URLs used by attackers to steal data and collect information from compromised macOS machines.

The AMOS-associated domain as seen on Virus Total



  • T1064 Scripting confidence
  • T1059.002 AppleScript confidence

Defense Evasion

  • T1064 Scripting confidence
  • T1036.001 Invalid Code Signature confidence
  • T1553.002 Code Signing confidence
  • T1564.001 Hidden Files and Directories confidence

Credential Access

  • T1056.002 GUI Input Capture confidence
  • T1555.003 Credentials from Web Browsers confidence


  • T1518.001 Security Software Discovery confidence
  • T1087 Account Discovery confidence
  • T1082 System Information Discovery confidence


  • T1056.002 GUI Input Capture confidence

Command and Control

  • T1573 Encrypted Channel confidence
  • T1095 Non-Application Layer Protocol confidence
  • T1071 Application Layer Protocol confidence

Reference: MITRE ATT&CK Matrix

Indicators of Compromise (IoCs)

Victor Kubashok Victor Kubashok
Viсtor is a cybersecurity expert with over a decade of experience as a malware analyst and ethical hacker. He has contributed to investigating malware used in major cyberattacks on Ukraine.