{
	"id": "9d9628b4-59de-4042-85a4-45bdca1b0405",
	"created_at": "2026-04-06T00:06:41.960028Z",
	"updated_at": "2026-04-10T03:37:09.227271Z",
	"deleted_at": null,
	"sha1_hash": "aff1a985327eb1ed8194c1a93be318c8331cfca6",
	"title": "When Stealers Converge: New Variant of Atomic Stealer in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2773164,
	"plain_text": "When Stealers Converge: New Variant of Atomic Stealer in the Wild\r\nBy Andrei LAPUSNEANU\r\nArchived: 2026-04-05 19:42:15 UTC\r\nHere at Bitdefender, we're constantly working on improving detection capabilities for our macOS cyber-security products; part of this effort involves revisiting old (or digging up new) samples from our malware zoo. During routine verifications, we were able to isolate multiple suspicious and undetected macOS disk image files, surprisingly small for files of this kind (1.3 MB per file).\r\nA short look into the code revealed that these files are significantly similar to other samples analysed in the last months, which led us to believe that this is a new variant of the AMOS (Atomic) Stealer. This family was first documented in early 2023 and is one of the most prevalent threats for macOS users in the last year.\r\nKey findings\r\nBitdefender researchers were able to isolate a new variant of the AMOS (Atomic) Stealer. The new variant drops and uses a Python script to stay covert.\r\nThis variant is largely undetected at the moment of writing and we are sharing Indicators of Compromise to help companies and practitioners identify and block this threat.\r\nThe malware also shares similar code with the RustDoor backdoor documented in a blog post earlier this month.\r\nhttps://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/\r\nPage 1 of 8\r\nThe malware goes for information stored in the browser and special files on the system, but also employs tactics to steal the local user account password.\r\nThe malware combines Python and Apple Script code to achieve its goals and seems to attempt to identify sandbox or emulator execution.\r\nEach DMG contains a FAT binary with two Mach-O files, one for each architecture (Intel and ARM), that behave like a dropper and are not directly responsible for data theft or the exfiltration of the collected information. When clicking the DMG file, the user is requested to right click, and then open the Crack Installer application, which is included inside the disk image. This is a common tactic used by threat actors to override Apple’s security mechanisms (this will allow the user to open the application even if it is not digitally signed).\r\nWhen the Crack Installer is opened, the embedded Mach-O binary drops a Python script on disk at the path /var/tmp/olx and executes it. The XOR-encoded content of the script is stored inside the __const section of the binary, from which it is decoded and dropped to disk.\r\nThe Python stealer\r\nThe Python script dropped on the disk aims to collect sensitive data from multiple sources and then send it to the C2 server. Its capabilities include gathering the following:\r\nFiles associated with installed crypto-wallet extensions and applications\r\nBrowser data (Passwords, Cookies, Login Data, Forms data, Profiles data, etc.)\r\nFiles with targeted extensions from Desktop and Documents directories\r\nHardware-related and system information\r\nThe password of the local user account\r\nThe first action performed by the script is to obtain the password of the user by displaying a fake dialog impersonating the operating system. Under the pretext of a system update, the malware prompts for the user’s local account password. This technique is typical of the variants of Atomic Stealer that have emerged in the last few months. If the password is correct, it gets written to a file called psw.\r\nThe analysis of the script revealed an interesting and uncommon technique, namely to combine Python with Apple Scripting, as the filegrabber() function executes a large block of Apple script using the osascript -e command.\r\nApple Script used by the new variant of Atomic Stealer\r\nThis Apple Script block features a significantly high level of similarity between this new variant of AMOS Stealer and the 2nd variant of RustDoor documented earlier this month. Both seem to focus on collecting sensitive files from the victim’s computer, with the current one being a more developed version of the script used by RustDoor. This version presents additional features, as it also collects the Cookies.binarycookies file that stores the cookies of the Safari browser and is located at the following path: ~/Library/Containers/com.apple.Safari/Data/Library/Cookies.\r\nApple Script used by RustDoor\r\nAfter collecting files with targeted extensions from specific locations, the script gathers information about the compromised computer using the system_profiler utility, integrated into the macOS operating system. The SPSoftwareDataType, SPHardwareDataType and SPDisplaysDataType arguments indicate that the attackers are interested in obtaining hardware-related details and the version of the operating system, but also information about the connected displays and graphics cards. Besides gathering context about their targets, one potential purpose of collecting these details might be to detect virtual environments or executions within sandboxes. The result of this command is written to a file named user.\r\nThe threat actors then add to the archive of collected files the ~/Library/Keychains/login.keychain-db file, which is associated with the user’s login keychain and represents a database that stores various types of sensitive information such as passwords, encryption keys, and certificates. Moreover, they collect the ~/Library/Application Support/Binance/app-store.json file, which was also targeted by previous variants of AMOS Stealer and shows the attackers' growing interest in cryptocurrency platforms.\r\nTargeting browsers\r\nThe chromium() function has the purpose of collecting several files from each profile of the targeted Chromium-based browsers (Chrome, Brave, Edge, Vivaldi and Opera), such as:\r\nWeb Data\r\nLogin Data\r\nCookies\r\nBesides these files, it attempts to collect information from the installed cryptocurrency browser extensions. The IDs of the 64 extensions targeted by this variant are hardcoded in the script. Multiple variants of Mach-O binaries belonging to the Atomic Stealer family also contain embedded IDs corresponding to targeted browser extensions.\r\nThe gathering of browser information is also achieved through the parseFF() function, which targets the Firefox browser and collects the files associated with all existing profiles.\r\nTargeting Wallets\r\nThe script also has the ability to collect files belonging to installed crypto wallets, such as Electrum, Coinomi, Exodus or Atomic. This is done by gathering the content of the directories where the applications store their sensitive data on the victim’s computer.\r\nSending the collected data to the C2 server\r\nEverything that the script has gathered from the target computer is added to a ZIP archive stored in memory, as a way to minimize the traces left on the compromised device.\r\nAfter the data collection stage, the content of the archive is sent to the C2 address, whose value is hardcoded at the beginning of the script, using a POST request to the /p2p endpoint. The archive has the following structure:\r\nNote: AMOS (Atomic) Stealer was previously associated with a Russian threat actor, which is again confirmed by the address of the C2 server.\r\nDetections:\r\nThe Mach-O droppers are detected as Gen:Variant.Trojan.MAC.Dropper.5 or Trojan.MAC.Dropper\r\nThe Python scripts are detected as Generic.MAC.Stealer.G\r\nIndicators of Compromise\r\nCurrently known indicators of compromise can be found below. Bitdefender Threat Intelligence customers can access enriched, contextual insights about this attack. The ThreatID BDee2yljl8 in the Bitdefender IntelliZone portal includes additional TTPs and visualizations. For more information about the Bitdefender Threat Intelligence solution visit our product page.\r\nIoC hashes for the DMG files:\r\nIoCs for the Mach-O droppers:\r\nIoCs for the Python scripts:\r\nIoCs for C\u0026C URLs:\r\n5.42.65.114 (previously linked to a C\u0026C server associated with Amadey malware)\r\nSource: https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/"
	],
	"report_names": [
		"when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aff1a985327eb1ed8194c1a93be318c8331cfca6.pdf",
		"text": "https://archive.orkl.eu/aff1a985327eb1ed8194c1a93be318c8331cfca6.txt",
		"img": "https://archive.orkl.eu/aff1a985327eb1ed8194c1a93be318c8331cfca6.jpg"
	}
}