{
	"id": "f4501539-cc2e-4a4f-a3a4-fa1b9ab31dc5",
	"created_at": "2026-04-06T00:13:42.928304Z",
	"updated_at": "2026-04-10T03:21:11.837307Z",
	"deleted_at": null,
	"sha1_hash": "4210e8781aa09ba520b1659f9470c62b845e7bbe",
	"title": "@mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197498,
	"plain_text": "@mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?\r\nPublished: 2025-07-02 · Archived: 2026-04-05 19:47:08 UTC\r\nWhile browsing Twitter/X, we came across a post highlighting a macOS stealer by @mentalpositive, described as a new stealer targeting Ledger Live users in 2025. Early analyses suggest it might be a new variant of AMOS, the notorious Atomic macOS Stealer from 2023. That comparison raises a critical question: is this malware merely a rebranded version of AMOS, or does it introduce novel tactics and techniques?\r\nFig.1. Tweet about this new stealer.\r\nRevisiting AMOS: The Benchmark of macOS Stealers\r\nWhen Atomic macOS Stealer (AMOS) showed up in 2023, it raised the bar for Mac-based malware. Unlike basic info-stealers, AMOS could collect a wide range of victim data, including browser passwords, system details, Keychain entries, and even cryptocurrency wallets such as MetaMask and Ledger Live. It spread via phishing, cracked apps, and fake software that looks identical to the real thing. Once installed, AMOS used Launch Agents and hidden background processes to stay active without being noticed. It sent stolen data through encrypted channels and constantly switched servers to avoid being shut down. What really set AMOS apart was that it was sold as malware-as-a-service (MaaS): anyone could buy it, log into a web panel, use bundled tools such as a MetaMask brute-forcer, and receive stolen data via Telegram. AMOS was not just malware; it was the full package, cybercrime made easy.\r\nThe “macOS stealer by mentalpositive” begins execution with the standard Unix daemonization sequence, detaching itself from the controlling terminal and session: a _fork, followed by _setsid in the child and _close on the inherited file descriptors (the calls visible in the disassembly). Daemonizing this way drops the controlling tty and leaves the surviving child reparented to launchd, which hinders interactive debugging and sandbox detection.\r\n
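The daemonization step described above, as an added example that is not part of the K7 report and not the stealer’s own code: a heuristic a responder could run over two process snapshots to spot a process that has reparented to launchd, become its own session leader and lost its controlling terminal, and to correlate that with terminal applications that disappeared between the snapshots. The Proc records, the trusted-path allow-list, the terminal-name set and both snapshots are constructed for the example; on a live system the session id would come from os.getsid(pid) and the remaining fields from ps or an EDR sensor.

```python
# Added example (not from the K7 report or the stealer's code): a heuristic
# for the fork/setsid/close daemonization pattern, run over constructed
# process snapshots taken before and after a suspect launch.
from dataclasses import dataclass

# Constructed allow-list: daemons under these prefixes are left alone.
TRUSTED_PREFIXES = ('/System/', '/usr/', '/bin/', '/sbin/', '/Library/', '/Applications/')
# Constructed set of terminal emulators the stealer would want out of the way.
TERMINAL_NAMES = {'Terminal', 'iTerm2', 'Alacritty', 'kitty'}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    sid: int    # session id; os.getsid(pid) on a live system
    tty: str    # '' when there is no controlling terminal
    path: str   # executable path


def is_daemonized(p: Proc) -> bool:
    # After fork + setsid + close the child is reparented to launchd (pid 1),
    # leads its own session and holds no controlling tty.
    return p.ppid == 1 and p.sid == p.pid and p.tty == ''


def from_untrusted_path(p: Proc) -> bool:
    return not p.path.startswith(TRUSTED_PREFIXES)


def new_suspicious_daemons(before, after):
    # Daemons that did not exist in the first snapshot and run from a
    # location outside the allow-list (Downloads, /tmp, /private/var/folders ...).
    seen = {p.pid for p in before}
    return [p for p in after
            if p.pid not in seen and is_daemonized(p) and from_untrusted_path(p)]


def vanished_terminals(before, after):
    alive = {p.pid for p in after}
    return [p for p in before
            if p.path.rsplit('/', 1)[-1] in TERMINAL_NAMES and p.pid not in alive]


def assess(before, after):
    # Alert only when both signals line up: a fresh daemon from an untrusted
    # path and a terminal application that died in the same window.
    daemons = new_suspicious_daemons(before, after)
    killed = vanished_terminals(before, after)
    return {'daemons': daemons, 'killed_terminals': killed,
            'alert': bool(daemons) and bool(killed)}


# Constructed snapshots: the user ran a fake updater from a zsh inside Terminal.
BEFORE = [
    Proc(1, 0, 1, '', '/sbin/launchd'),
    Proc(300, 1, 300, '', '/usr/libexec/trustd'),
    Proc(400, 1, 400, '', '/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'),
    Proc(410, 400, 410, 'ttys000', '/bin/zsh'),
    Proc(500, 410, 410, 'ttys000', '/Users/alice/Downloads/Update/Contents/MacOS/update'),
]
AFTER = [
    Proc(1, 0, 1, '', '/sbin/launchd'),
    Proc(300, 1, 300, '', '/usr/libexec/trustd'),
    # pid 500 forked, the parent exited, the child called setsid and closed its fds,
    # then Terminal and the shell were killed.
    Proc(501, 1, 501, '', '/Users/alice/Downloads/Update/Contents/MacOS/update'),
]

if __name__ == '__main__':
    verdict = assess(BEFORE, AFTER)
    print('alert:', verdict['alert'])
    for p in verdict['daemons']:
        print('daemonized from untrusted path:', p.pid, p.path)
    for p in verdict['killed_terminals']:
        print('terminal gone:', p.pid, p.path)
```

The path allow-list is what keeps the first check from firing on every launchd-managed daemon (trustd and Terminal itself match the daemonized shape), so tune it to the fleet; the correlation with a vanished terminal is the stronger signal, since a legitimate installer rarely kills the user’s shell.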
The stealer then enumerates and forcibly terminates terminal-related processes with kill() to prevent user intervention and ensure uninterrupted execution. This behaviour is part of its broader anti-analysis and persistence strategy.\r\nhttps://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/\r\nPage 1 of 7\r\nFig.2. Code at the start of the entry point (EP).\r\nAfter launching, it prompts the user for their administrator password, mimicking a legitimate system dialog to obtain elevated privileges, much as AMOS does. Once the password is entered, the malware verifies it against local authentication mechanisms such as the system keychain or the default credential store. If the password is valid, it uses the elevated access to perform actions that require administrator privileges and to maintain persistence.\r\nFig.3. Osascript to display the dialog.\r\nWith administrative access obtained, it targets the login.keychain-db file and the /password directory (if present), both commonly used to store system and user credentials, and attempts to extract saved passwords and other sensitive authentication data from them. The collected information is consolidated into a file named information.txt, ready for later retrieval or exfiltration by the attacker.\r\nFig.4. Extract password.\r\nFig.5. Password validation.\r\nFig.6. 
Validating the password using the local default.\r\nOnce it has collected usernames and passwords, it writes its signature string, “mac.c macOS stealer by mentalpositive”, into the same information.txt file alongside the stolen data, tagging the file as its own.\r\nFig.7. Signature of the malware.\r\nThe “macOS Stealer by MentalPositive” then collects data from a range of installed browsers, cryptocurrency wallets, and browser extensions, listed in the accompanying figures. While many of the targeted applications overlap with those of AMOS, this variant widens its scope with additional cryptocurrency wallet names, increasing the range of wallets it can compromise. The stealer extracts saved logins, wallet keys, and extension data. Once collected, everything is consolidated and compressed into a single archive named log.zip, ready for exfiltration.\r\nFig.8. List of browsers.\r\nFig.9. Crypto wallets \u0026 Telegram data.\r\nFig.10. Wallet extensions along with hashes.\r\nFig.11. Collecting and copying to the zip file.\r\nAs part of its network activity, the malware sends an HTTP request containing a unique Build ID. So far, three Build IDs have been identified: JENYA, SHELLS and BARNI. These values likely serve to differentiate builds or distribution campaigns, helping the attacker manage multiple infection sources or update variants. 
After assigning the Build ID, the malware connects to a set of URLs (listed in Fig.13) and transmits the collected data, behaviour typical of stealers.\r\nFig.12. Build IDs.\r\nFig.13. URLs.\r\nAt the final stage of execution, the malware presents a fake system-style window displaying a fixed message string. This behaviour closely mirrors that of AMOS and is likely meant to deceive the user or cover the malicious activity while the data is being exfiltrated in the background.\r\nFig.14. Fake update.\r\nComparing AMOS Stealer and the New macOS Stealer by MentalPositive\r\nCode Obfuscation\r\nAMOS uses heavy obfuscation to hide its actions, making analysis difficult. MentalPositive’s code is mostly visible and straightforward, allowing easier inspection.\r\nProgramming Language\r\nAMOS is mainly written in C++ and Go for modularity and portability. MentalPositive uses Objective-C and Swift, focusing on native macOS features.\r\nPrivilege Escalation\r\nBoth stealers prompt users for admin passwords, but MentalPositive verifies the password locally before proceeding. AMOS often exfiltrates credentials without local checks.\r\nCredential and Crypto Theft\r\nAMOS targets common browsers and wallets like MetaMask. MentalPositive expands this by including more cryptocurrency wallets, increasing its reach.\r\nAnti-Analysis Techniques\r\nAMOS employs strong anti-debugging and sandbox evasion methods. MentalPositive uses daemonization and kills terminal apps to avoid detection.\r\nNetwork Behaviour\r\nAMOS variants share similar infrastructure, while MentalPositive assigns unique Build IDs per sample, helping attackers manage campaigns. 
Both send stolen data to remote servers.\r\nUser Deception\r\nBoth use fake system windows to hide their activity. MentalPositive shows its window at the end to distract the user during data exfiltration.\r\nOverall, the new stealer shares the functional DNA of AMOS but is far less sophisticated at evading detection or defending itself; it may still be in an early stage of development and could gain more evasive techniques in future.\r\nThreat actors targeting macOS users are increasing every day, so users need to be cautious when executing unknown executables. Users are advised to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.\r\nHash (MD5)                          Detection Name\r\nF57D595D6CEE023B947AC32055012255    Trojan ( 0040f5891 )\r\n45CC9ACA6F226130A05056EFABDA2DA8    Trojan ( 0040f5891 )\r\n36A5B365551B6596690EEBC94D86BA61    Trojan ( 0040f5891 )\r\nSource: https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/"
	],
	"report_names": [
		"mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4210e8781aa09ba520b1659f9470c62b845e7bbe.pdf",
		"text": "https://archive.orkl.eu/4210e8781aa09ba520b1659f9470c62b845e7bbe.txt",
		"img": "https://archive.orkl.eu/4210e8781aa09ba520b1659f9470c62b845e7bbe.jpg"
	}
}