Intel Name: An MDR analysis of the AMOS stealer campaign targeting macOS via ‘cracked’ apps
Date of Scan: September 5, 2025
Impact: Medium
Summary: Research has uncovered an AMOS (Atomic macOS Stealer) campaign targeting macOS users by disguising malware as “cracked” apps and tricking users into running malicious Terminal commands to bypass Gatekeeper. AMOS steals a wide range of sensitive data—including credentials, browser info, crypto wallets, keychain items, Telegram chats, and Apple Notes—posing serious risks like credential stuffing, financial theft, and deeper enterprise intrusions. Its use of rotating domains helps evade detection, and as macOS gains ground in enterprise environments, organizations must strengthen defenses through user education, endpoint monitoring, and network visibility.