Red Hot Cyber


I use macOS because it’s secure! Atomic Stealer: €1,000 per month with backdoor features

Redazione RHC : 14 July 2025 07:02

Researchers have discovered a new version of the Atomic Stealer malware for macOS (also known as AMOS). The malware now has a backdoor that allows access to hacked systems. MacPaw experts investigated the Atomic backdoor after receiving information from independent cybersecurity researcher g0njxa. They write that the new component allows arbitrary command execution, “survives” after reboot, and allows for unlimited control over infected hosts.

“AMOS distribution campaigns have already reached more than 120 countries, with the US, France, Italy, the UK, and Canada being the most affected,” the researchers said. “The backdoored version of Atomic allows full access to thousands of Mac devices worldwide.”

Atomic was first documented in April 2023. It is a MaaS (Malware-as-a-Service) threat distributed in Telegram channels. The subscription costs $1,000 per month. This malware aims to steal macOS files, cryptocurrency extension data, and user passwords stored in browsers.

In November 2023, the stealer was used as part of the ClearFake malware campaign, and in September 2024 it was used by the Marko Polo hacker group in a large-scale campaign targeting Apple computers. Analysts at Moonlock report that Atomic’s operators have recently changed their strategy: the malware is no longer distributed via fake pirated-software websites, but through targeted phishing attacks aimed at cryptocurrency holders, as well as through fake job invitations.

The new version of the malware has a built-in backdoor, uses LaunchDaemons to “survive” after a macOS reboot, tracks victims via unique IDs, and is controlled by a new infrastructure. According to researchers, the backdoor’s main executable file is a .helper binary, which is downloaded and saved as a hidden file in the victim’s home directory after infection.

The hidden wrapper script .agent runs .helper in a loop on behalf of the current user. To ensure that .agent runs at system startup, a LaunchDaemon named com.finder.helper is added via AppleScript. All of this happens with elevated privileges: the malware steals the user’s password during the infection phase, and can then execute commands and change the owner of the LaunchDaemon PLIST file to root:wheel.
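As an added defender-side illustration (not code from the article, MacPaw or Moonlock), the following Python hunt reads the LaunchDaemon plists in a directory and flags any entry whose label is com.finder.helper or whose program is a hidden dotfile such as ~/.agent or ~/.helper, the persistence pattern described above. The scan directory, the plist contents and the user name alice are constructed for the demo; on a real Mac you would point scan_launchdaemons at /Library/LaunchDaemons.

```python
import plistlib
import tempfile
from pathlib import Path

# Label named in the report; a real hunt would add labels from your own telemetry.
KNOWN_LABELS = {"com.finder.helper"}


def suspicious_paths(args):
    """Return arguments that point at hidden dotfiles (e.g. ~/.agent, ~/.helper)."""
    return [a for a in args if Path(a).name.startswith(".")]


def scan_launchdaemons(daemon_dir):
    """Inspect every .plist in daemon_dir; return (file, reason) pairs worth triage."""
    findings = []
    for plist_path in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:  # malformed plist in a daemon dir is itself worth a look
            findings.append((plist_path.name, "unparseable plist"))
            continue
        args = list(data.get("ProgramArguments") or [])
        if "Program" in data:
            args.insert(0, data["Program"])
        reasons = []
        if data.get("Label") in KNOWN_LABELS:
            reasons.append(f"label {data['Label']} matches reported persistence")
        hidden = suspicious_paths(args)
        if hidden:
            reasons.append("runs hidden file(s): " + ", ".join(hidden))
        if reasons:
            findings.append((plist_path.name, "; ".join(reasons)))
    return findings


def demo():
    """Constructed samples: one daemon shaped like the reported one, one benign."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "com.finder.helper.plist": {"Label": "com.finder.helper", "RunAtLoad": True,
                                    "ProgramArguments": ["/bin/sh", "/Users/alice/.agent"]},
        "com.example.backup.plist": {"Label": "com.example.backup", "RunAtLoad": True,
                                     "ProgramArguments": ["/usr/local/bin/backup", "--daily"]},
    }
    for name, content in samples.items():
        with open(tmp / name, "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launchdaemons(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Checking that the flagged plist is owned by root:wheel, as the article describes, is a natural next step on a real host.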

The integrated backdoor allows attackers to remotely execute commands, intercept keystrokes, inject additional payloads, or explore lateral movement capabilities. To avoid detection, the backdoor checks for the presence of a sandbox or virtual machine using system_profiler and also uses string obfuscation.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
