CyberSecurityBoard
Sponsor Register Login

Atomic macOS infostealer adds backdoor for persistent attacks

Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. The analyzed version of the malware comes with an embedded backdoor, uses of LaunchDaemons to survive reboots on macOS, ID-based victim tracking, and new command-and-control infrastructure. MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity. The evolution of Atomic malware shows that macOS users are becoming more attractive targets and malicious campaigns aimed at them are increasingly sophisticated. A persistent wrapper script named '.agent' (also hidden) runs '.helper' in a loop as the logged-in user, while a LaunchDaemon (com.finder.helper) installed via AppleScript ensures that '.agent' executes at system startup. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. The backdoor allows the threat actors to execute commands remotely, log key strokes, introduce additional payloads, or explore lateral movement potential. In November 2023, it supported the first-ever expansion of 'ClearFake' campaigns onto macOS, while in September 2024, it was spotted in a large-scale campaign by the cybercrime group' Marko Polo,' who deployed it on Apple computers. Moonlock reports that Atomic has recently shifted from broad distribution channels like cracked software sites, to targeted phishing aimed at cryptocurrency owners, as well as job interview invitations to freelancers. "AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say. The core backdoor executable is a binary named '.helper,' downloaded and saved in the victim's home directory as a hidden file post-infection, the researchers say.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 07 Jul 2025 18:25:13 +0000


Cyber News related to Atomic macOS infostealer adds backdoor for persistent attacks

CVE-2024-40954 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
Atomic macOS infostealer adds backdoor for persistent attacks - Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. The analyzed version of the malware comes with an embedded ...
1 month ago Bleepingcomputer.com
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
1 year ago Securityaffairs.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
Atomic macOS Info-Stealer Upgraded With New Backdoor to Maintain Persistence - According to cybersecurity researchers at Moonlock, MacPaw’s security division, this marks only the second known case of backdoor deployment targeting macOS users at a global scale, following similar tactics employed by North Korean threat ...
1 month ago Cybersecuritynews.com
Sophisticated macOS Infostealers Get Past Apple's Built-In Detection - Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers are becoming more savvy about how to crack static signature-detection engines like the platform's proprietary ...
1 year ago Darkreading.com Hunters
Ukrainian Raccoon Infostealer Operator Extradited to US - A Ukrainian national charged with operating the Raccoon Infostealer malware-as-a-service has made an appearance in a US court after being extradited from the Netherlands. The man, Mark Sokolovsky, 28, was arrested in March 2022, after the FBI and law ...
1 year ago Securityweek.com
New 'SpectralBlur' macOS Backdoor Linked to North Korea - Security researchers have dived into the inner workings of SpectralBlur, a new macOS backdoor that appears linked to the recently identified North Korean malware family KandyKorn. The observed SpectralBlur sample was initially uploaded to VirusTotal ...
1 year ago Securityweek.com
macOS Security Guide- Safeguarding Against Adware and Malware - While Apple’s built-in defenses, such as XProtect and Gatekeeper, remain critical, 2024 has exposed vulnerabilities in user behavior and emerging attack vectors leveraging artificial intelligence (AI). As MaaS economies flourish, only layered ...
2 months ago Cybersecuritynews.com
macOS Malware Campaign Showcases Novel Delivery Technique - Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users. What makes the campaign different from numerous others that have employed a similar ...
1 year ago Darkreading.com
Russian Sandworm Group Using Novel Backdoor to Target Ukraine - Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers. The previously unreported backdoor, dubbed ...
1 year ago Infosecurity-magazine.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
New Stealthy NodeJS Backdoor Infects Users via CAPTCHA Verifications - This campaign represents a growing trend of threat actors exploiting seemingly legitimate security measures to distribute malicious code, targeting users who are accustomed to completing CAPTCHA challenges during their regular online activities. When ...
3 months ago Cybersecuritynews.com
Iran's Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector - In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government. Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the ...
1 year ago Hackread.com
Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets - A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets. According to research from Sentinel Labs, the backdoor is based on the C++ ...
1 year ago Darkreading.com
Hackers backdoor Russian state, industrial orgs for data theft - Several state and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely aiding espionage operations. Kaspersky first detected the campaign in June 2023, while in mid-August, the ...
1 year ago Bleepingcomputer.com
Stealthy New macOS Backdoor Hides on Chinese Websites - A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites. Researchers from Jamf Threat Labs discovered the series of poisoned ...
1 year ago Darkreading.com
New FrigidStealer infostealer infects Macs via fake browser updates - Windows users get an MSI installer that loads Lumma Stealer or DeerStealer, Mac users receive a DMG file that installs the new FrigidStealer malware, and Android users receive an APK file that contains the Marcher banking trojan. FakeUpdate ...
5 months ago Bleepingcomputer.com
Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor - The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the ...
1 year ago Infosecurity-magazine.com Turla
Magento supply chain attack compromises hundreds of e-stores - In all observed cases, the extensions include a PHP backdoor added to a license check file (License.php or LicenseApi.php) used by the extension. If the check is successful, the backdoor gives access to other admin functions in the file, ...
3 months ago Bleepingcomputer.com
Microsoft: Iranian hackers target researchers with new MediaPl malware - Microsoft says that a group of Iranian-backed state hackers are targeting high-profile employees of research organizations and universities across Europe and the United States in spearphishing attacks pushing new backdoor malware. The attackers, a ...
1 year ago Bleepingcomputer.com APT3 APT33
Apple Faces New Security Dilemma as Infostealers Execute Stealthy Attacks - There is an increase in the sophistication of info thieves targeting macOS, allowing them to evade Apple's malware protection built into the operating system as these attackers have become better at cracking static signature-detection engines like ...
1 year ago Cysecurity.news
Atomic macOS Stealer Comes With New Backdoor to Enable Remote Access - To avoid detection during analysis, AMOS employs string obfuscation techniques and actively checks for sandbox or virtual machine environments using the system_profiler command, ensuring operational security during deployment and execution phases. ...
1 week ago Cybersecuritynews.com
CVE-2024-47696 - In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function ...
9 months ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)