{
	"id": "a75eb36d-7687-4bee-99d1-71034b75f084",
	"created_at": "2026-04-06T00:22:25.334764Z",
	"updated_at": "2026-04-10T13:12:27.776308Z",
	"deleted_at": null,
	"sha1_hash": "c68b32e285e1ed3f9af4524a19ef5cdd66b46179",
	"title": "New Atomic MacOS Stealer For Sale On Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1392759,
	"plain_text": "New Atomic MacOS Stealer For Sale On Telegram\r\nPublished: 2023-04-26 · Archived: 2026-04-05 16:25:13 UTC\r\nCRIL analyzes AMOS, a stealthy new information stealer targeting macOS that disseminates stolen information\r\nvia Telegram.\r\nUndetected Golang-Based Stealer Emerges and Baffles Security Vendors\r\nIn recent years, macOS has become increasingly popular among users, largely due to its user-friendly interface,\r\nwhich is often commended for its simplicity and ease of use.\r\nmacOS is also often perceived as being more secure than other operating systems. Despite this, Threat Actors\r\n(TAs) have continued to target macOS. There have been several earlier cases of TAs targeting macOS users with\r\nvarious malware families, including MacStealer, RustBucket and DazzleSpy.\r\nCyble Research and Intelligence Labs (CRIL) recently discovered a Telegram channel advertising a new\r\ninformation-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to\r\ntarget macOS and can steal sensitive information from the victim’s machine.\r\nThe TA behind this stealer is constantly improving the malware and adding new capabilities to make it more\r\neffective. The most recent update was highlighted in a Telegram post on April 25th showcasing its latest features.\r\nThe Atomic macOS Stealer can steal various types of information from the victim’s machine, including keychain\r\npasswords, complete system information, files from the Desktop and Documents folders, and even the macOS\r\nuser password. The stealer targets multiple browsers and can extract auto-fills, passwords, cookies,\r\nwallets, and credit card information.\r\nhttps://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/\r\nPage 1 of 14\r\n
Specifically, AMOS targets crypto wallets such as Electrum, Binance,\r\nExodus, Atomic, and Coinomi.\r\nThe TA also provides additional services such as a web panel for managing victims, MetaMask brute-forcing for\r\nstealing seed phrases and private keys, a crypto checker, and a DMG installer, and delivers the logs via Telegram.\r\nThese services are offered at a price of $1000 per month.\r\nFigure 1 – Telegram Post by Malware Developer\r\nTechnical Analysis\r\nFor our analysis, we took the “Setup.dmg” sample with SHA256\r\n15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709, which was FUD (“Fully\r\nUndetectable”, i.e. zero detections) on VirusTotal at the time of writing.\r\nThe TAs distribute the malware as a ‘.dmg’ disk image containing a 64-bit Golang macOS executable located at\r\n“/Setup.app/Contents/macOS/My Go Application.app”.\r\nFigure 2 – Strings related to Go Source Files of Stealer\r\nThe Atomic macOS Stealer’s main function drives all of its capabilities: keychain extraction,\r\ncrypto wallet theft, stealing browser details, grabbing user files, collecting system information, and sending all the\r\nstolen data to the remote C\u0026C server.\r\nThe main functions of the stealer are depicted in the figure below.\r\nFigure 3 – Stealer’s main function\r\nOnce a user executes the file, it displays a fake password prompt to obtain the system password, as shown in the\r\nfigure below.\r\nFigure 4 – Fake password prompt\r\nIn addition to obtaining the system password, the malware also targets Keychain, the built-in macOS password\r\nmanager, using its main_keychain() function to extract sensitive information from the victim’s machine. 
Keychain is the macOS\r\npassword management system that lets users securely store sensitive data such as website logins, Wi-Fi\r\npasswords, credit card details, and more.\r\nThe code snippet in the figure below shows the main_keychain() function implemented to gather the\r\nuser’s credentials.\r\nFigure 5 – Keychain password extraction\r\nStealing Crypto Wallets\r\nNext, the stealer extracts information related to crypto wallets by querying and reading files from\r\nspecific directories using the function main_GrabWallets(). The stealer targets crypto wallets such as Electrum,\r\nBinance, Exodus, and Atomic, as shown below.\r\nFigure 6 – Targeted Crypto-wallets\r\nCrypto Wallet Extension\r\nThe Atomic macOS stealer can also extract information from crypto wallet browser extensions. The extension\r\nIDs are hard-coded into the stealer binary, with over 50 extensions targeted so far.\r\nThe table below lists some of the crypto wallets and their browser extension IDs targeted by the malware.\r\nExtension ID Wallet\r\nacmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet\r\naeachknmefphepccionboohckonoeemg Coin98 Wallet\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet\r\naiifbnbfobpmeekipheeijimdpnlpgpp Station Wallet\r\namkmjjmmflddogmhpjloimipbofnfjih Wombat – Gaming Wallet for Ethereum \u0026 EOS\r\napnehcjmnengpnmccpaibjmhhoadaico CWallet\r\nbcopgchhojmggmffilplmbdicgaihlkp Hycon Lite Client\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nbocpokimicclpaiekenaeelehdjllofo XDCPay\r\ncgeeodpfagjceefieflmdfphplkenlfk EVER Wallet\r\ncihmoadaighcejopammfbmddcmdekcje LeafWallet\r\ncjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty\r\ncjmkndjhnagcfbpiemnkdpomccnjblmj 
Finnie\r\ncmndjbecilbocjfkibfbifhngkdmjgog Swash\r\ncnmamaachppnkjgnildpdmkaakejnhae Auro\r\ncopjnifcecdedocejpaapepagaodgpbh Freaks Axie\r\ncphhlgmgameodnhkjdmkpanlelnlohao NeoLine\r\ndhgnlgphgchebgoemcjekedjjbifijid Crypto Airdrops \u0026 Bounties\r\ndkdedlpgdmmkkfjabffeganieamfklkm Cyano\r\ndmkamcknogkgcdfhhbddcghachkejeap Keplr\r\nefbglgofoippbgcjepnhiblaibcnclgk Martian Wallet for Sui \u0026 Aptos\r\negjidjbpglichdcondbcbdnbeeppgdph Trust Wallet\r\nffnbelfdoeiohenkjibnmadjiehjhajb Yoroi\r\nfhbohimaelbohpjbbldcngcnapndodjp BinanceChain\r\nfhilaheimglignddkjgofkcbgekhenbh Oxygen\r\nflpiciilemghbmfalicajoolhkkenfel ICONex\r\nfnjhmkhhmkbjkkabndcnnogagogbneec Ronin\r\nfnnegphlobjdpkhecapkijjdkgcjhkib Harmony Wallet\r\nhcflpincpppdclinealmandijcmnkbgn KHC\r\nhmeobnfnfcmdkdcmlblgagmfpfboieaf XDEFI\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase\r\nhnhobjmcibchnmglfbldbfabcgaknlkj Flint Wallet\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln Guarda\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink\r\nimloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager\r\njojhfeoedkpkglbfimdfabpdfjaoolaf Polymesh\r\nklnaejjgbibmhlephnhpmaofohgkpgkd ZilPay\r\nkncchdigobghenbbaddojjnnaogfppfj iWallet\r\nkpfopkelmapcoipemfendmdcghnegimn Liquality\r\nlodccjjbdhfakaekdiahmedfbieldgik DAppPlay\r\nmfhbebgoclkghebffdldpobeajmbecfk Starcoin\r\nmnfifefkajgofkcjkemidiaecocnkjeh TezBox\r\nnhnkbkgjikgcigadomkphalanndcapjk CLW\r\nnkbihfbeogaeaoehlefnkodbefgpgknn Metamask\r\nnknhiehlklippafakaeklbeglecifhad Nabox\r\nnlbmnnijcnlegkjjpcfjclmcfggfefdm MewCx\r\nnlgbhdfgdhgbiamfdfmbikcdghidoadd Byone\r\nnphplpgoakhhjchkkhmiggakijnkhfnd Ton\r\nookjlbkiijinhpmnjffcofjonbfbgaoc Temple\r\npdadjkfkgcafgbceimcpbkalnfnepbnk KardiaChain\r\npnndplcbkakcplkjnolgbkdgjikjednm Tron Wallet \u0026 Explorer – Tronium\r\npocmplpaccanhmnllbbkpgfliimjljgo Slope\r\nppdadbejkmjnefldpcdjhnkpbjkikoip Oasis\r\nAfter collecting 
wallet details, the malware queries the installed browsers’ directories on the victim’s device and\r\nsearches for particular browser-related files to extract confidential data, such as:\r\nAutofills\r\nPasswords\r\nCookies\r\nCredit Cards\r\nAs depicted below, the malware can steal files from various browsers, including Mozilla Firefox, Google Chrome,\r\nMicrosoft Edge, Yandex, Opera, and Vivaldi.\r\nFigure 7 – Targeted web browsers\r\nFile Grabber\r\nThe stealer then collects the victim’s files from directories such as Desktop and Documents using the\r\nmain_FileGrabber() function. The figure below shows the malware requesting permission to access files within\r\nthose directories (on current macOS versions this access is gated by the system’s privacy controls, so the\r\nrequest is visible to the victim as a consent prompt).\r\nFigure 8 – Stealer requesting permission to access files\r\nThe code snippet in the figure below displays the main_FileGrabber() function implemented to grab\r\nfiles from the victim’s system.\r\nFigure 9 – File grabber\r\nCollecting System Information\r\nThe malware then gathers hardware-related information about the\r\nsystem, such as the model name, hardware UUID, RAM size, number of cores, and serial number, among\r\nother information. 
This is illustrated in the figure below.\r\nFigure 10 – Collected system information\r\nCommand and Control (C\u0026C)\r\nFinally, the Atomic macOS stealer prepares the stolen information for exfiltration by compressing it into a ZIP\r\narchive and Base64-encoding the result.\r\nThe stealer sends the stolen information to the following C\u0026C server URL:\r\nhxxp[:]//amos-malware[.]ru/sendlog\r\nThe figure below shows the network communication of data exfiltration from the victim’s machine.\r\nFigure 11 – Exfiltrated data\r\nConcurrently, the Atomic macOS stealer sends selected information to Telegram channels along with the compiled\r\nZIP file, as shown below.\r\nFigure 12 – Sending ZIP file to Telegram channel\r\nC\u0026C Panel\r\nThe figure below shows the Atomic macOS stealer’s active C\u0026C panel.\r\nFigure 13 – AMOS C\u0026C panel\r\nConclusion\r\nDue to its robust security features, macOS is the preferred operating system for numerous high-profile individuals.\r\nTargeting macOS is not a novel trend, and various malware families exist that specifically aim to infiltrate this\r\noperating system.\r\nMalware such as the Atomic macOS Stealer could be delivered by exploiting vulnerabilities or by hosting it on\r\nphishing websites. Threat Actors can use the stolen data for espionage or financial gain. 
While not commonplace, macOS\r\nmalware can have devastating impacts on victims.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nDownload and install software only from the official Apple App Store.\r\nUse a reputable antivirus and internet security software package on your system.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the device\r\nwherever possible.\r\nBe wary of opening any links received via email.\r\nBe careful when granting any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nExecution T1204.002 User Execution: Malicious File\r\nCredential Access T1110 Brute Force\r\nCredential Access T1555.001 Keychain\r\nCredential Access T1555.003 Credentials from Web Browsers\r\nDiscovery T1083 File and Directory Discovery\r\nCommand and Control T1132.001 Data Encoding: Standard Encoding\r\nExfiltration T1041 Exfiltration Over C\u0026C Channel\r\nIndicators of Compromise (IoC)\r\nIndicator Type Description\r\n5e0226adbe5d85852a6d0b1ce90b2308 MD5 Setup.dmg\r\n0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a SHA1 Setup.dmg\r\n15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709 SHA256 Setup.dmg\r\namos-malware[.]ru Domain C\u0026C\r\nhxxp[:]//amos-malware[.]ru/sendlog URL C\u0026C\r\nSource: https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/\r\n
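The C2 section and the IoC table above describe the exfiltration format: the stolen data is zipped, Base64-encoded and sent to the /sendlog URL. The following is an added example written for this page, not code from the Cyble write-up or from the malware. It refangs the published C2 URL, scans constructed proxy-log style request records for that host and path, and independently flags any POST body that decodes to a Base64-encoded ZIP archive, so the same logic still fires if the operator rotates the C2 domain. The request-record format, the sample requests and the archive member names are assumptions.

```python
import base64
import binascii
import io
import zipfile
from urllib.parse import urlsplit

# C2 URL exactly as the write-up gives it (defanged); refanged only in memory.
DEFANGED_C2_URL = 'hxxp[:]//amos-malware[.]ru/sendlog'


def refang(indicator):
    # Reverse the defanging conventions used in the IoC table above.
    return indicator.replace('hxxp', 'http').replace('[:]', ':').replace('[.]', '.')


def base64_zip_members(body):
    # The stealer is described as zipping the stolen data and Base64-encoding
    # it before exfiltration. Return the archive member names if the body
    # decodes to a ZIP, otherwise None. Accepts str or bytes.
    if isinstance(body, str):
        body = body.encode('ascii', 'ignore')
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # 50 4B 03 04 is the ZIP local-file-header signature (ASCII PK then 0x03 0x04)
    if not raw.startswith(bytes.fromhex('504b0304')):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_requests(requests, c2_url=DEFANGED_C2_URL):
    # requests: iterable of dicts with keys method, url, body (bytes or str).
    # Flags any request to the known C2 host/path, and any POST whose body is a
    # Base64-encoded ZIP regardless of destination (catches a rotated C2 domain).
    c2 = urlsplit(refang(c2_url))
    hits = []
    for req in requests:
        u = urlsplit(req['url'])
        reasons = []
        if u.hostname == c2.hostname:
            reasons.append('known AMOS C2 host')
            if u.path == c2.path:
                reasons.append('known AMOS /sendlog path')
        members = None
        if req['method'] == 'POST':
            members = base64_zip_members(req.get('body', b''))
        if members is not None:
            reasons.append('base64 zip body (%d members)' % len(members))
        if reasons:
            hits.append({'url': req['url'], 'reasons': reasons, 'members': members})
    return hits


def build_sample_exfil_body():
    # Constructed sample payload; the member names are assumptions, not from the page.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('System info.txt', 'Model Name: MacBook Pro')
        zf.writestr('Cookies/Chrome.txt', 'example cookie data')
    return base64.b64encode(buf.getvalue())


# Constructed proxy-log style records: one exfil POST to the published C2,
# one identical payload to an unrelated host, one benign GET.
SAMPLE_REQUESTS = [
    {'method': 'POST', 'url': 'http://amos-malware.ru/sendlog', 'body': build_sample_exfil_body()},
    {'method': 'POST', 'url': 'http://cdn.example.net/upload', 'body': build_sample_exfil_body()},
    {'method': 'GET', 'url': 'http://www.example.com/', 'body': b''},
]


def demo():
    return scan_requests(SAMPLE_REQUESTS)


if __name__ == '__main__':
    for hit in demo():
        print(hit['url'], hit['reasons'])
```

The host/path match is the high-confidence indicator; the Base64-ZIP body check is the behavioural one and will also match legitimate uploads of zipped attachments, so in production it should be scored rather than alerted on alone.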
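The extension table above is a list of hard-coded Chrome extension IDs. A defender can use the same IDs to scope exposure on a fleet: the script below, an added example that is not from the Cyble write-up or from the malware, walks Chromium-family profile directories on macOS and reports which of the targeted wallet extensions are installed. The profile root paths, and the subset of IDs carried in the script (copied from the table), are assumptions; the demo builds a throwaway fake profile in a temporary directory so it runs offline.

```python
import os
import tempfile

# Browser-extension IDs that the write-up lists as hard-coded AMOS targets
# (a subset of the table above; IDs copied from the page).
AMOS_TARGETED_EXTENSIONS = {
    'nkbihfbeogaeaoehlefnkodbefgpgknn': 'Metamask',
    'bfnaelmomeimhlpmgjnjophhpkkoljpa': 'Phantom',
    'egjidjbpglichdcondbcbdnbeeppgdph': 'Trust Wallet',
    'hnfanknocfeofbddgcijnmhnfnkdnaad': 'Coinbase',
    'fhbohimaelbohpjbbldcngcnapndodjp': 'BinanceChain',
    'acmacodkjbdgmoleebolmdjonilkdbch': 'Rabby Wallet',
    'ibnejdfjmmkpcnlpebklmnkoeoihofec': 'TronLink',
    'dmkamcknogkgcdfhhbddcghachkejeap': 'Keplr',
}

# Assumed default Chromium-family profile roots on macOS. Each browser keeps
# extensions per profile under <root>/<Profile>/Extensions/<extension id>/<version>/.
DEFAULT_PROFILE_ROOTS = [
    '~/Library/Application Support/Google/Chrome',
    '~/Library/Application Support/Microsoft Edge',
    '~/Library/Application Support/BraveSoftware/Brave-Browser',
]


def installed_extension_ids(profile_root):
    # Walk <root>/<profile>/Extensions and return the set of extension IDs found.
    found = set()
    root = os.path.expanduser(profile_root)
    if not os.path.isdir(root):
        return found
    for profile in os.listdir(root):
        ext_dir = os.path.join(root, profile, 'Extensions')
        if not os.path.isdir(ext_dir):
            continue
        for entry in os.listdir(ext_dir):
            # Chrome extension IDs are exactly 32 lowercase letters from a to p.
            if len(entry) == 32 and all('a' <= c <= 'p' for c in entry):
                found.add(entry)
    return found


def targeted_wallets_present(profile_roots=None):
    # Return {extension id: wallet name} for every targeted extension installed
    # under any of the given profile roots.
    roots = profile_roots if profile_roots is not None else DEFAULT_PROFILE_ROOTS
    present = {}
    for root in roots:
        for ext_id in installed_extension_ids(root):
            if ext_id in AMOS_TARGETED_EXTENSIONS:
                present[ext_id] = AMOS_TARGETED_EXTENSIONS[ext_id]
    return present


def build_fake_profile(base_dir, extension_ids):
    # Constructed test fixture: mimic a Chrome profile root with the given extensions.
    for ext_id in extension_ids:
        os.makedirs(os.path.join(base_dir, 'Default', 'Extensions', ext_id, '1.0.0_0'), exist_ok=True)
    return base_dir


def demo():
    # One targeted wallet (Metamask) plus one unrelated, well-formed extension ID.
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_profile(tmp, ['nkbihfbeogaeaoehlefnkodbefgpgknn', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'])
        return targeted_wallets_present([tmp])


if __name__ == '__main__':
    print(demo())
    print(targeted_wallets_present())
```

Run it as the logged-in user; it only reads directory names and never opens extension contents. Extending AMOS_TARGETED_EXTENSIONS with the remainder of the table gives a full sweep, and the same ID list can be fed to an EDR query against the browser profile paths.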
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/"
	],
	"report_names": [
		"threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c68b32e285e1ed3f9af4524a19ef5cdd66b46179.pdf",
		"text": "https://archive.orkl.eu/c68b32e285e1ed3f9af4524a19ef5cdd66b46179.txt",
		"img": "https://archive.orkl.eu/c68b32e285e1ed3f9af4524a19ef5cdd66b46179.jpg"
	}
}