In a significant escalation of macOS cybersecurity threats, the notorious Atomic macOS Stealer (AMOS) has received a dangerous upgrade. For the first time, it is being deployed with an embedded backdoor.
Moonlock, the cybersecurity division of MacPaw, warns that this is the most sophisticated and persistent version of AMOS ever observed, with campaigns now spanning over 120 countries, including high-impact regions such as the United States, France, Italy, the UK, and Canada.
Previously, AMOS focused on exfiltrating sensitive data from cryptocurrency browser extensions, cold wallets, and general user credentials. Now, the addition of a persistent backdoor marks a technical and strategic leap.
Once a Mac is infected, often through spear phishing or trojanized software downloads, the malware not only harvests passwords and wallet seeds but also installs components that grant attackers ongoing remote access.
The technical infection chain begins with a trojanized DMG installer containing a Mach-O binary and a bash wrapper script.
After bypassing macOS Gatekeeper protections, the malware executes AppleScript routines to move the malicious binary into the system, adjust permissions, and launch the payload.
The core stealer exfiltrates data, while the new backdoor establishes long-term persistence through a combination of hidden scripts (.agent and .helper) and launch daemons configured to survive reboots.
A unique addition is the use of a LaunchDaemon PLIST named com.finder.helper that re-launches the .agent script at every startup, which in turn keeps the backdoor alive and running as the current user.
Communication with a remote command-and-control (C2) server enables attackers to send tasks to infected Macs every 60 seconds, ranging from executing arbitrary shell commands to full self-removal.
The backdoor is delivered as a disguised second-stage binary fetched from infrastructure such as isnimitz.com/zxc/app.
The persistent .agent script repeatedly runs the helper binary, and the LaunchDaemon ensures the malware survives system reboots with elevated privileges.
Data exfiltration and command polling occur over HTTP using custom headers and POST requests to IPs like 45.94.47.145 and 45.94.47.147.
Attackers assign unique IDs to each infected host, allowing them to maintain granular control over fleets of compromised devices.
The backdoor enables capabilities beyond theft, such as keylogging or installing further payloads, turning Mac computers into long-term espionage platforms.
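As an added defender-side example (not code from Moonlock's report), the following Python check inspects LaunchDaemon plists for the persistence traits described above: an Apple-looking Label such as com.finder.helper, ProgramArguments that launch hidden dotfile scripts like .agent or .helper from a user's home, and RunAtLoad/KeepAlive so the job restarts at boot and on exit. The sample plist is constructed for illustration and the /Users/alice/.agent path is an assumption.

```python
import plistlib
from pathlib import Path

# Constructed sample modelled on the com.finder.helper LaunchDaemon the article
# describes; the /Users/alice/.agent path is an assumption, not from the report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.finder.helper</string>
    <key>ProgramArguments</key>
    <array><string>/bin/bash</string><string>/Users/alice/.agent</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""
SUSPECT_SCRIPTS = {".agent", ".helper"}  # hidden helper scripts named in the report

def plist_findings(data: bytes, source: str = "<memory>") -> list:
    """Return the reasons a LaunchDaemon plist matches the AMOS persistence pattern."""
    try:
        pl = plistlib.loads(data)
    except Exception as exc:  # malformed plist: report it rather than crash the scan
        return [f"{source}: unparsable plist ({exc})"]
    findings = []
    label = str(pl.get("Label", ""))
    if label.startswith("com.finder."):  # Apple ships com.apple.*; this is a lookalike
        findings.append(f"{source}: Apple-looking label {label!r}")
    for arg in pl.get("ProgramArguments") or []:
        name = Path(str(arg)).name
        # A root daemon launching a dotfile from a user's home is not normal.
        if name in SUSPECT_SCRIPTS or (name.startswith(".") and str(arg).startswith("/Users/")):
            findings.append(f"{source}: runs hidden script {arg}")
    if findings and pl.get("RunAtLoad") and pl.get("KeepAlive"):
        findings.append(f"{source}: RunAtLoad+KeepAlive (restarts at boot and on exit)")
    return findings

def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> list:
    """Scan every plist in a LaunchDaemons directory; empty list if none exist."""
    results = []
    for p in sorted(Path(directory).glob("*.plist")):
        results.extend(plist_findings(p.read_bytes(), str(p)))
    return results

if __name__ == "__main__":
    for line in plist_findings(SAMPLE_PLIST, "sample") + scan_launch_daemons():
        print(line)
```

Run it as root on a Mac to cover /Library/LaunchDaemons; pointing `scan_launch_daemons` at ~/Library/LaunchAgents catches the same pattern installed per user.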
With AMOS now blurring the lines between smash-and-grab info-stealers and persistent backdoors, the risks to macOS users have never been higher.
Experts advise using modern anti-malware solutions, updating software promptly, and remaining vigilant against phishing attempts and suspicious downloads.
As Moonlock Lab continues monitoring AMOS’s evolution, both security professionals and everyday users must step up their defenses against this rising tide of macOS-targeted cybercrime.