Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 330, Issue 1IT Vendor NewsTrend Micro

An MDR Analysis Of The Amos Stealer Campaign Targeting macOS Via 'Cracked' Apps

Trend Micro, Thursday, September 4th, 2025

Trend Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as 'cracked' versions of legitimate apps, luring users into installation.

Key Takeaways:

Trend Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as 'cracked' versions of legitimate apps, luring users into installation.

In another delivery method, users are tricked into pasting commands into the macOS Terminal. This can bypass Gatekeeper, a built-in protection that normally blocks unsigned or unverified apps from running. AMOS also relies on rotating domains to evade static, URL-based detections and to delay takedowns.

AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders. For business, this creates downstream risks, such as credential stuffing, financial theft, or further intrusions into enterprise systems.

AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.

Educate users about the risks of cracked software, fake installers, and copy-paste Terminal prompts. Adopt a defense-in-depth approach that combines user training, endpoint visibility, and network monitoring. For more detailed guidance for IT and security teams, see the best practices outlined below.

more →  ·  More from Trend Micro →