{
	"id": "74ff72ed-a3e2-4f2c-a86b-fe7175a174c2",
	"created_at": "2026-04-06T00:15:21.323814Z",
	"updated_at": "2026-04-10T03:37:08.650253Z",
	"deleted_at": null,
	"sha1_hash": "080f506687809762a94ae5689a289bc046f8fe23",
	"title": "Reversing Atomic macOS Stealer: Binaries, Backdoors \u0026 Browser Theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 412341,
	"plain_text": "Reversing Atomic macOS Stealer: Binaries, Backdoors \u0026 Browser\r\nTheft\r\nBy James\r\nPublished: 2024-06-02 · Archived: 2026-04-05 14:26:38 UTC\r\nAtomic Stealer is a macOS-based infostealer that operates as a Malware-As-A-Service (MaaS). You’ve likely\r\nheard it mentioned before – it’s notorious for being one of the few active macOS infostealer malware families with\r\nfull-fledged stealing capabilities that allow it to capture things like administrator and keychain passwords,\r\nsensitive system information, and credentials and browser information from Chrome, Firefox, and other\r\napplications on a victim’s computer.\r\nResearchers first discovered Atomic Stealer in April 2023, and newer versions of the infostealer with expanded\r\ncapabilities have since been released. SpyCloud has actively recaptured and ingested Atomic Stealer infection logs\r\nsince October 2023. \r\nOur team at SpyCloud Labs reverse-engineered Atomic macOS Stealer to get a better understanding of its current\r\ncapabilities and the threat it poses to the security community. This blog details our analysis of Atomic Stealer –\r\nincluding what to be on the lookout for.\r\nAtomic Stealer exfiltrates data from several sources, including:\r\nCustomers of Atomic Stealer pay a hefty monthly fee of between $500 – $1000 USD for access to the Atomic\r\nStealer panel, which in return provides log export as well as builds and more.\r\nhttps://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/\r\nPage 1 of 11\n\nhttps://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/\r\nPage 2 of 11\n\nImage 1: Screenshot of an advertisement for Atomic Stealer on Telegram.\r\nSince Atomic Stealer is a MaaS operating model, there are many threat actors who build and deploy Atomic in a\r\nvariety of environments – which means there are several active infection vectors, or entry points, for Atomic\r\nStealer.  
A vector that our SpyCloud Labs analysts see often is the use of pay-per-install (PPI) services like\r\nSpaxMedia or InstallBank. These services, part of a broader range of cybercrime enablement services that\r\nfacilitate the spread of malware and related criminal activity, allow customers to insert “download buttons” onto\r\ntheir websites and monetize them, all while broadly spreading the malware, in this case, Atomic, as observed in\r\nour previous reporting.\r\nThe Atomic Stealer binaries, normally named something related to “Crack”, like “CrackInstall”, “CrackSoftware”,\r\netc, arrive as .dmg files and require the victim to run and install the malicious application. \r\nIn recent versions of Atomic Stealer, it does not have any form of persistence. Instead, Atomic creates an\r\ninstall/data exfiltration location at a randomly generated numerical-based directory in the victim’s\r\n/Users/\u003cusername\u003e folder, in which it stores all of the data it steals. This data is zipped up and sent to the\r\nCommand \u0026 Control (C2) server before being deleted from the system. \r\nOsascript usage\r\nThroughout the installation and theft routines of Atomic Stealer, it leverages macOS shell scripts, launched with\r\nthe osascript utility. These shell scripts normally allow the user to automate all kinds of tasks on macOS, but in\r\nthis case allow Atomic Stealer to steal passwords and files, as well as carry out the vast majority of its core\r\nfunctionality. For example, as observed in Image 2, Atomic Stealer attempts to change the visibility of the terminal\r\napplication during installation, making use of osascript to accomplish this action.\r\nImage 2: Atomic Stealer uses osascript to change the visibility of the terminal application. 
\r\nDefenders should be on the lookout for unexpected osascript usage, as Atomic Stealer’s “FileGrabber” is\r\nentirely osascript based, and sends the commands line by line. \r\nAs observed in Image 3, Atomic Stealer also throws up a fake error window at the end of its process run-through,\r\npossibly to trick the victim into believing whatever software they were attempting to install failed to install.\r\nImage 3: The fake error window thrown up by Atomic at the end of its run-through.\r\nAdministrator password theft\r\nDuring the run-through of the malware, Atomic Stealer employs a basic auth check which checks to see if the\r\nmalware is running in sudo using the Directory Service Command Line utility, or “DSCL”. This utility helps a\r\nMac computer bind to a domain for Active Directory work. However, Atomic Stealer uses it as a basic\r\nauthentication password verification tool with the command:\r\ndscl /Local/Default -authonly \u003cusername\u003e \u003cpassword\u003e\r\n \r\nWhen no password or an incorrect password is supplied to this command, the DSCL utility returns:\r\nAuthentication for node /Local/Default failed. (-14090, eDSAuthFailed)\r\n\u003cdscl_cmd\u003e DS Error: -14090 (eDSAuthFailed)\r\n This lets Atomic Stealer know that it does not currently have the administrator password and that it needs to\r\nattempt to trick the user into entering it into a pop-up that it creates using osascript, as observed in Image 4.\r\nImage 4: The fake password popup window. The stolen password is saved to the exfil directory as a file titled\r\n“password-entered.”\r\nKeychain theft\r\nOnce Atomic Stealer has obtained the administrator password, it immediately launches into the theft of keychain\r\ndata by copying the victim’s entire login.keychain-db into the exfil directory. 
This is packaged up and exfiltrated\r\nto be parsed out by the Atomic Stealer panel for Atomic Stealer clients.\r\nSystem info\r\nAtomic Stealer also leverages several macOS utilities in order to profile a victim’s system.  During the course of\r\nAtomic Stealer’s “System Info” function, it runs the following commands:\r\nsw_vers\r\nsystem_profiler SPHardwareDataType\r\nsystem_profiler SPDisplaysDataType\r\nThese commands pull internal hardware/software information about the victim’s device such as Model Name, OS\r\nLoader Version, Chipset Model, and more. Additionally, it obtains a list of installed software on the system, which\r\nit then uses to control additional functionality later, such as deciding to launch the Ledger Live backdoor, which\r\nwe detail further in this blog.\r\nAll of this information is stored in a file called SysInfo.txt in the exfil directory. Notably, SpyCloud Labs has\r\nobserved Atomic Stealer log files indicating the malware was compiled for x86 and ARM architecture, which\r\nsuggests it can steal data from systems running M1 – M3 chips, as well as older macOS chips.\r\nAtomic Stealer steals credentials and browser info from various applications/browsers on the victim’s machine.\r\nCrypto wallets\r\nAtomic Stealer targets the following crypto wallets to steal data from them:\r\nExodus\r\nElectrum\r\nCoinomi\r\nGuarda\r\nWasabi\r\nAtomic\r\nLedger Live\r\nBrowsers\r\nAdditionally, Atomic Stealer targets the following Chromium-based browsers, as well as Mozilla Firefox, in order\r\nto steal browser information from the victim:\r\nChrome\r\nChromeCanary\r\nArc\r\nBrave\r\nEdge\r\nVivaldi\r\nYandex\r\nOpera\r\nOperaGX\r\nBrowser extensions\r\nAtomic Stealer also targets the following Chrome browser extensions to steal data from them:\r\nArgentX\r\n
AuroWallet\r\nAurox\r\nBackpack\r\nBinance Chain Wallet\r\nBitFinity\r\nBitget\r\nBlade\r\nBlockWallet\r\nBraavos\r\nByone\r\nCarax\r\nCardWallet\r\nClover Wallet\r\nCoin98\r\nCoinbase Wallet\r\nCoinwallet\r\nCryptoAirdrop\r\nCyanoWallet\r\nDAppPlay\r\nDPal\r\nEchooo\r\nEnkrypt\r\nEQUAL\r\nEternl\r\nEVER\r\nExodusWeb3\r\nFewcha\r\nFinnie\r\nFlint\r\nFreaksAxie Wallet\r\nFrontier\r\nGate\r\nGero\r\nGuarda\r\nHalo\r\nHarmony\r\nHAVAH\r\nHycon\r\nICONex\r\nIndexx\r\niWallet\r\nJaxx Liberty\r\nKardiaChain\r\nKeplr\r\nKHC\r\nLace\r\nLeafWallet\r\nLiquality Wallet\r\nMANTA\r\nMartianWallet\r\nMath Wallet\r\nMetaMask\r\nMetamask2\r\nMetamask3\r\nMEW CX\r\nMorphis\r\nNaboxWallet\r\nNami\r\nNautilus\r\nNeoLine\r\nNifty\r\nNightly\r\nNuFi\r\nOasis\r\nOKX\r\nONTO\r\nOxygen\r\nPetra\r\nPhantom\r\nPolkadotJS\r\nPolymesh Wallet\r\nQuantum\r\nRabby\r\nRainbow\r\nRonin Wallet\r\nSafePal\r\nSender\r\nSenSui\r\nShadow\r\nSlope\r\nSolflare\r\nStarcoin\r\nSubWallet\r\nSui\r\nSuiet\r\nSwash\r\nTaho\r\nTalisman\r\nTemple\r\nTerraStation\r\nTezBox\r\nTokenPocket\r\nTon1\r\nTonkeeper\r\nTrezor\r\nTronLink\r\nTronWallet\r\nTrustWallet\r\nTyphon\r\nUniSat\r\nWalless\r\nWombat\r\nXDCPay\r\nXDefiWallet\r\nXVerse\r\nYeti\r\nYoroi\r\nZerion\r\nZilPay\r\nFor applications that aren’t crypto wallets or browsers, Atomic Stealer targets Telegram in order to steal Telegram\r\naccount data from victims. 
The stolen data is all transferred to Atomic’s exfil directory, to be packaged up and\r\nexfiltrated to the C2.\r\nFileGrabber theft\r\nEntirely macOS script-based, Atomic Stealer’s FileGrabber looks for and steals files that are likely to contain\r\ncredentials – specifically, it targets files stored in either Desktop or Documents, that are smaller than 51,200 bytes,\r\nand have the following file extension:\r\nTXT\r\nDOCX\r\nRTF\r\nDOC\r\nWALLET\r\nKEYS\r\nKEY\r\nAdditionally, Atomic’s FileGrabber attempts to steal Safari cookies, as well as notes stored in Apple’s Notes app.\r\nWhen successfully stolen, these are all stored in Atomic’s exfil directory, under the “FileGrabber” folder, as\r\nobserved in Image 5. \r\nImage 5: The exfil directory for Atomic Stealer with the FileGrabber folder.\r\nIn newer versions of Atomic Stealer, the stealer also has the ability to download and install a malicious version of\r\nthe crypto wallet, Ledger Live. Essentially, this is a malware infection within a malware infection.\r\nThis behavior is only triggered by Atomic when it detects that the victim has Ledger Live in their software list. If\r\nAtomic detects Ledger Live in a software list, it attempts to download the malicious Ledger application from a\r\nhardcoded IP, using Curl, as observed in Image 6.\r\nImage 6: The Ledger Live download string, triggered by Curl.\r\nThis application is stored in /tmp/ before Atomic uses parts of the original Ledger Live installation to install the\r\nnew Ledger Live app. Once the new backdoored application is installed in /tmp/, Atomic overwrites the\r\nApplication storage for Ledger Live, fully installing a malicious backdoor. 
While SpyCloud Labs analysts were\r\nunable to grab a copy of the backdoored Ledger Live, public reporting by Moonlock Lab confirmed that the\r\nbackdoor steals seed phrases used for crypto wallets.[A]\r\nExfiltrated information\r\nIn older versions of Atomic Stealer (from December 2023), Atomic would package stolen information into a zip\r\nstored in memory, never touching the disk apart from the initial file. However, in more recent versions of Atomic\r\nStealer (from April 2024 – May 2024), this behavior changed. Atomic now uses the installation/exfiltration\r\ndirectory discussed in the Installation section of this analysis and zips up the entire directory before sending it\r\nback to the C2. It’s possible that this change was made to avoid detection by Apple, although in doing so Atomic\r\nprovides defenders with some good signatures – namely, dropping to /Users/user/\u003crandom numeric directory\u003e is\r\nmore easily detectable.\r\nBoth the zip and the install/exfil directory are eventually deleted once Atomic has finished executing.\r\nAtomic Stealer assembles the HTTPS requests that it uses to communicate with its C2 using raw sockets, which\r\ngives it a fine level of control over how it assembles the requests. As observed in Image 7, Atomic Stealer’s\r\nrequest uses a few identifying request parameters, so long as defenders have SSL Man-In-The-Middle (MITM) to\r\nobserve them. \r\nImage 7: A snapshot of Atomic Stealer’s exfil request.\r\nNamely, as observed above, hardcoded into the binary is the malware “BuildID”, as well as the name of the user\r\nwho is running the malware. Both of these are sent back to the C2. In the sample we analyzed (from PPI services\r\nlike SpaxMedia and InstallBank), the “BuildID” string was “ppi” and the user was “Shark”.\r\nThere’s no question that Atomic Stealer packs some weight. 
It’s pricey for actors due to its capability to steal\r\nhighly valuable information that can be leveraged in follow-on attacks like account takeover, ransomware, or\r\nfraud. Here are some of the things to keep in mind about it:\r\nUser exposures from Atomic Stealer infections (even on personal devices) can threaten businesses if actors gain\r\naccess to credentials and other identity data that opens doors to your environment. We recommend security teams\r\nintegrate Post-Infection Remediation steps into existing malware remediation playbooks for confirmed exposures\r\nto minimize risk and prevent follow-on attacks.\r\nWe’ll continue to monitor developments of Atomic Stealer’s capabilities and review recaptured logs to better\r\nunderstand exfiltration trends. Keep an eye out for more reverse-engineering analyses from our team at SpyCloud\r\nLabs.\r\nSources:\r\n[A] https://x.com/moonlock_lab/status/1784938896016486759\r\nSource: https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/"
	],
	"report_names": [
		"reverse-engineering-atomic-macos-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/080f506687809762a94ae5689a289bc046f8fe23.pdf",
		"text": "https://archive.orkl.eu/080f506687809762a94ae5689a289bc046f8fe23.txt",
		"img": "https://archive.orkl.eu/080f506687809762a94ae5689a289bc046f8fe23.jpg"
	}
}