{
	"id": "7081be0f-6a2b-43f6-ad8e-8aae1558172d",
	"created_at": "2026-04-06T00:19:20.19248Z",
	"updated_at": "2026-04-10T13:13:03.423861Z",
	"deleted_at": null,
	"sha1_hash": "5787650a172658c44686d67087a7eaa904a6e630",
	"title": "Atomic Stealer rings in the new year with updated version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2554517,
	"plain_text": "Atomic Stealer rings in the new year with updated version\r\nBy Jérôme Segura\r\nPublished: 2024-01-10 · Archived: 2026-04-05 13:38:27 UTC\r\nLast year, we documented malware distribution campaigns both via malvertising and compromised sites\r\ndelivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal\r\nunderground and its developers have been adding new features to justify its hefty $3000/month rental fee.\r\nIt looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced\r\npayload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to\r\nVirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024.\r\nIn this blog post, we will review the latest changes with Atomic Stealer and the recent distribution with malicious\r\nads via the Google search engine.\r\nIn December, Atomic Stealer ran a promotion via a post on their Telegram channel to offer a special holiday\r\ndiscount to their customers:\r\nWelcome. From today until December 31, 2023, the price for a subscription to Atomic MacOs Stealer is\r\nonly $2000. 
Happy New Year!\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version\r\nPage 1 of 9\n\nWhile the developers did not specifically advertise this feature, it appears that around December 17 Atomic\r\nStealer had changed some of its code to hide certain strings that were previously used for detection and identifying\r\nits command and control server.\r\nSample with strings in clear text (Dec 12), showing for example the IP address for the malware’s C2 server:\r\nObfuscated sample (Dec 17), using a new encryption routine that hides strings of interest:\r\nThose two samples above also represent the different distribution channels that Atomic Stealer customers are\r\nusing to distribute the malware. It’s possible customers using software cracks got access to the updated Atomic\r\nStealer before those that leverage malicious ads.\r\nIn fact, during the holiday break, we noticed a decrease in malvertising activity, in particular for the campaigns\r\nrunning via Google search ads. This was somewhat expected and typically extends into early January. However,\r\non January 8, we identified a malvertising campaign using similar tactics seen previously by threat actors\r\ndistributing FakeBat. 
In this instance, there was also a payload destined for Mac users, Atomic Stealer in its\r\nupdated version.\r\nMalvertising with FakeBat – Atomic Stealer combo\r\nThe threat actors are luring victims via a Google search ad impersonating Slack, the popular communication tool,\r\nand redirecting them to a decoy website where the app can be downloaded for both Windows and Mac:\r\nThe threat actors are leveraging tracking templates to filter traffic and route it through a few redirects before\r\nloading the landing page:\r\nOn that same domain, there is an open directory showing the location of the Windows payload which is an MSI\r\ninstaller (FakeBat), and the Mac one, Atomic Stealer (AMOS):\r\nObfuscated Atomic Stealer\r\nThe malicious DMG file contains instructions for users to open the file as well as a dialog window asking them to\r\nenter their system password. This will allow Atomic Stealer to collect passwords and other sensitive files that are\r\ntypically access-restricted.\r\nWhen comparing the previous Atomic Stealer samples we have, we can see that the application code has changed.\r\nPreviously, we could see certain strings revealing the nature of the payload (browsers, wallets, etc.) and more\r\nimportantly the command and control server that receives stolen user data. 
Now, these strings are no longer visible\r\nas the code is well obfuscated:\r\nWhen we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2\r\nserver:\r\nStealing victim passwords, crypto wallets and cookies\r\nAs detailed in Objective-See’s The Mac Malware of 2023, stealers were the most popular type of malware. It’s not\r\njust passwords that are of interest to cyber criminals. Stealing browser cookies can sometimes be even better than\r\nhaving the victim’s password, enabling authentication into accounts via session tokens.\r\nIn fact, Atomic Stealer developers were working on a cookie feature they announced on Christmas Eve:\r\nHi everyone, the panel has released an update with a new feature – Google Restore, it is located instead\r\nof the old page Cookies Convertor. 
In brief – implemented anti-unlogin Google.\r\nAs stealers continue to be a top threat for Mac users, it is important to download software from trusted locations.\r\nMalicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your\r\npassword) for the malware to collect and exfiltrate your data.\r\nWe have reported the malicious ad and infrastructure to the respective parties for mitigation.\r\nTo stay safe from this and other similar threats, a combination of web protection and antivirus is best suited.\r\nMalwarebytes Browser Guard and Antivirus for macOS can prevent and detect Atomic Stealer.\r\nIndicators of Compromise\r\nMalvertising chain\r\nivchlo[.]gotrackier[.]com\r\nred[.]seecho[.]net\r\nDecoy site\r\nslack[.]trialap[.]com\r\nFakeBat payload URL\r\nslack[.]trialap[.]com/app/Slack-x86.msix\r\nFakeBat hash\r\n49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3\r\nFakeBat C2\r\nads-strong[.]online\r\nAtomic Stealer payload URL\r\nslack[.]trialap[.]com/app/Slack-Apps.dmg\r\nAtomic Stealer hash\r\n18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a\r\nC2\r\n5.42.65[.]108\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version"
	],
	"report_names": [
		"atomic-stealer-rings-in-the-new-year-with-updated-version"
	],
	"threat_actors": [],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5787650a172658c44686d67087a7eaa904a6e630.pdf",
		"text": "https://archive.orkl.eu/5787650a172658c44686d67087a7eaa904a6e630.txt",
		"img": "https://archive.orkl.eu/5787650a172658c44686d67087a7eaa904a6e630.jpg"
	}
}