The notorious macOS Stealer (AMOS) has undergone a significant evolution, equipping itself with a new persistent backdoor that enables cybercriminals to achieve long-term, remote control over compromised Apple computers.
As detailed by Moonlock Lab, the security research arm of MacPaw, this move transforms AMOS from a conventional infostealer into a sustained national security threat, capable of executing commands and surveilling victims across over 120 countries, including the U.S., U.K., France, Italy, and Canada.
Persistent Backdoor Extends Threat Scope
Previously, AMOS was best known for stealing sensitive data like browser credentials and cryptocurrency wallets.
Now, its new backdoor escalates the threat by allowing attackers to maintain access across device reboots and silently execute commands or deploy further payloads.
Victims are primarily ensnared through spear-phishing, often tailored to cryptocurrency holders and freelancers such as artists, or via websites distributing pirated software.
Attackers masquerade as employers or service providers, convincing victims to install trojanized DMG files under the guise of job application processes that require screen sharing.
This social engineering trick typically involves requesting the victim's system password, which unwittingly grants attackers deep privileges.
Technical Deep Dive: Evasion and Persistence
Once infiltrated, AMOS unleashes a two-pronged stealth mechanism on the victim’s system:
- A hidden binary named .helper is stashed within the user's home directory, remaining invisible to most users.
- A wrapper script guarantees the continued execution of the malicious process.
To entrench itself at every startup, AMOS deploys a LaunchDaemon labeled com.finder.helper through AppleScript, leveraging stolen credentials for system-level persistence.
This daemon ensures the malware survives system reboots, an unprecedented step up from past infostealers.
Further complicating detection, the malware communicates with command-and-control (C2) servers via obfuscated HTTP POST requests every 60 seconds, efficiently receiving remote tasks.
The code employs string obfuscation and runs checks for sandbox or virtual machine analysis with Apple’s system_profiler tool, heightening its evasion tactics.
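The two persistence artifacts named above (the com.finder.helper LaunchDaemon and the hidden .helper file in a home directory) are easy to hunt for from the command line. The script below is an added example written for this article, not Moonlock's code; it assumes the standard macOS locations /Library/LaunchDaemons and /Users, which the article does not name, and takes the directories as parameters so it can also be pointed at a mounted copy of a suspect disk.

```shell
#!/bin/sh
# Defender-side hunt for the AMOS persistence artifacts described above:
#   1. a LaunchDaemon plist whose Label is com.finder.helper
#   2. a hidden .helper file dropped directly inside a user's home directory
# Directories are parameters so the checks also run against a mounted
# copy of a suspect disk; the defaults are the standard macOS locations
# (assumed here, the article does not name the plist path).

# scan_launchdaemons [DIR]: print every plist mentioning the AMOS label.
# Returns 0 when at least one hit was found, 1 otherwise.
scan_launchdaemons() {
    ld_dir="${1:-/Library/LaunchDaemons}"
    ld_hit=1
    for plist in "$ld_dir"/*.plist; do
        [ -f "$plist" ] || continue
        # -F: match the label literally (the dots are not regex wildcards)
        if grep -qF 'com.finder.helper' "$plist"; then
            echo "SUSPICIOUS LaunchDaemon: $plist"
            ld_hit=0
        fi
    done
    return $ld_hit
}

# scan_homes [DIR]: print every <home>/.helper found under the users root.
# Returns 0 when at least one hit was found, 1 otherwise.
scan_homes() {
    users_dir="${1:-/Users}"
    home_hit=1
    for home in "$users_dir"/*; do
        [ -d "$home" ] || continue
        if [ -f "$home/.helper" ]; then
            echo "SUSPICIOUS hidden binary: $home/.helper"
            home_hit=0
        fi
    done
    return $home_hit
}

# Run both checks against the live system: sh amos_hunt.sh --live
if [ "${1:-}" = "--live" ]; then
    scan_launchdaemons
    scan_homes
fi
```

A hit on either check is a trigger for full triage (the wrapper script, the C2 beacon every 60 seconds), not proof by itself; the label string is the one the article reports and can change between builds.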
Implications and the Road Ahead
AMOS’s architecture marks a pivotal shift in macOS threats, echoing attack strategies previously seen in North Korean cyber campaigns.
Security researchers, including those at PolySwarm, warn that the malware-as-a-service may soon incorporate keylogging and additional surveillance features.
AMOS’s Russian-speaking authors appear focused on long-haul system compromise, offering attackers a foothold for future operations and lateral movement within networks.
In response to AMOS’s relentless evolution, experts urge macOS users to adopt robust endpoint protections, avoid pirated software, and remain vigilant against phishing attempts.
As AMOS redefines the macOS threat landscape, heightened security awareness remains the first line of defense.
IOCs