{
	"id": "2fd8f286-9223-4005-b7cb-0b77c00f923a",
	"created_at": "2026-04-06T02:11:27.069353Z",
	"updated_at": "2026-04-10T03:21:27.982532Z",
	"deleted_at": null,
	"sha1_hash": "43e6bc47e6f85a6ce89d3bab26ef3eca73ee3f2a",
	"title": "Apple picking: Bobbing for Atomic Stealer \u0026 other macOS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46326,
	"plain_text": "Apple picking: Bobbing for Atomic Stealer \u0026 other macOS\r\nmalware\r\nBy susannah.matt@redcanary.com\r\nPublished: 2024-10-10 · Archived: 2026-04-06 01:29:00 UTC\r\nFor years, macOS has enjoyed a reputation as being relatively secure from widespread malware threats compared\r\nto its Windows counterpart. The occasional ad fraud, remote access malware, or ransomware incident would\r\nsurface, but nothing that seemed like an existential threat to enterprises. In fact, many people still hold the belief\r\nthat macOS is immune to malware—a dangerous misconception.\r\nHowever, 2024 has shattered that illusion. A surge in macOS-focused malware, including notorious threats like\r\nAtomic Stealer, Poseidon Stealer, and Cthulhu Stealer, has marked a significant shift. Adversaries are increasingly\r\ntargeting macOS devices, recognizing their growing presence in enterprises and the critical data contained within.\r\nmacOS as a new target\r\nAs macOS systems become more ingrained in corporate environments—used not just by developers, but by teams\r\nacross sales, marketing, and engineering—they’ve become prime targets for cybercriminals. These systems often\r\nhouse valuable organizational secrets, credentials, and even deployment keys used by software developers,\r\nmaking them a treasure trove for adversaries.\r\nAtomic Stealer enters the chat\r\nAtomic Stealer has caught our attention as an outlier in our 2024 midyear update since it’s a macOS malware\r\nfamily making its presence known amidst a stockpile of threats targeting Windows. It’s a sophisticated, all-in-one\r\nhttps://redcanary.com/blog/threat-detection/atomic-stealer/\r\nPage 1 of 3\n\ntool that allows adversaries to vacuum up a wide array of sensitive information, from browser cookies and\r\ncredentials to access tokens. Once deployed, Atomic Stealer can harvest hundreds, if not thousands, of data points\r\nfrom a single machine—data that can be sold on the black market or leveraged for further attacks.\r\nThe following shows the rough timeline of an Atomic Stealer infection:\r\nDetection opportunities\r\nFortunately, Atomic Stealer is very detectable, and so we’re going to share a pair of pseudo-detectors that pretty\r\nreliably catch the malware’s credential access behaviors. Note that these detection opportunities may require\r\ntuning within your environment—and they may also catch other macOS threats.\r\nAbusing OSX shell to gather passwords\r\nprocess == [ sh ]\r\n\u0026\u0026\r\ncommand_line_includes ( system preferences || password )\r\nAbusing AppleScript to gather passwords\r\nprocess_name == osascript\r\n\u0026\u0026\r\ncommand_line_includes ( display dialog \u0026\u0026 password )\r\nWhy enterprise businesses should be concerned\r\nThe rising popularity of macOS in the enterprise means that organizations can no longer afford to treat Mac\r\nsecurity as an afterthought. With adversaries specifically designing malware to exploit macOS vulnerabilities, it’s\r\nclear that these devices are no longer just niche tools for creative professionals or developers. They are deeply\r\nembedded in the workflows of many modern companies, and as such, they need robust protection.\r\nOrganizations can no longer afford to treat Mac security as an afterthought.\r\nOrganizations that have a large macOS footprint—those who are primarily or exclusively Mac-based—typically\r\nhave a better understanding of the risks. But if you’re in a Windows-native environment with just a handful of\r\nMacs, it’s easy to overlook these systems as less critical. That mindset, however, leaves a dangerous gap in your\r\nsecurity posture.\r\nHow to secure macOS devices\r\nThe first step in defending macOS systems is understanding your Mac footprint. How many macOS devices are in\r\nyour environment? What are they used for? Once you have a clear picture, it’s time to implement strong security\r\nmeasures.\r\nJust like Windows systems, macOS devices should have comprehensive protections in place, including:\r\nantivirus\r\nanti-malware controls\r\nendpoint detection and response (EDR)\r\nInvestigating macOS malware can be particularly challenging for defenders who have spent their careers working\r\non Windows systems. However, with the right tools—like EDR solutions tailored for macOS—security teams can\r\nmore effectively detect and mitigate threats like Atomic Stealer without unnecessary hassle. For those\r\ninvestigating macOS stealers in malware analysis, consider checking out Red Canary Mac Monitor to help gather\r\ndata.\r\nThe rise of macOS-specific malware like Atomic Stealer highlights the need for organizations to reassess their\r\napproach to Mac security. As macOS becomes a staple in the enterprise, adversaries are more determined than\r\never to exploit these systems for profit. By understanding your macOS footprint and implementing robust\r\nprevention and detection measures, you can keep your valuable data out of the hands of cybercriminals.\r\nSource: https://redcanary.com/blog/threat-detection/atomic-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-detection/atomic-stealer/"
	],
	"report_names": [
		"atomic-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775441487,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43e6bc47e6f85a6ce89d3bab26ef3eca73ee3f2a.pdf",
		"text": "https://archive.orkl.eu/43e6bc47e6f85a6ce89d3bab26ef3eca73ee3f2a.txt",
		"img": "https://archive.orkl.eu/43e6bc47e6f85a6ce89d3bab26ef3eca73ee3f2a.jpg"
	}
}