Atomic Stealer is a stealer targeting macOS, first discovered in 2023.
Also known as: AMOS, Atomic macOS Stealer
Atomic Stealer (AMOS) is a sophisticated macOS information stealer sold as malware-as-a-service on Telegram for around $1,000/month. It targets browser passwords, cookies, autofill data, cryptocurrency wallets (MetaMask, Coinbase, Phantom, and others), and the macOS Keychain. It uses a fake system password prompt to harvest credentials.
Fake application installers advertised through Google Ads and SEO poisoning
Malicious DMG files disguised as legitimate software like Notion, Photoshop, or Slack
Phishing websites impersonating popular download portals
Telegram channels distributing cracked software
Unexpected system password prompts from unsigned applications
Browser extensions or wallet balances disappearing without explanation
Unknown processes running with names mimicking system services
Outbound connections to suspicious Telegram bot API endpoints
Immediately disconnect your Mac from Wi-Fi or Ethernet to prevent the stealer from exfiltrating additional data to its command-and-control server.
Open Activity Monitor and look for unfamiliar processes with high CPU or network usage. Force-quit any suspicious process you do not recognize.
Drag the fake application from /Applications or ~/Downloads to the Trash. Check ~/Library/LaunchAgents and /Library/LaunchDaemons for persistence plists and remove them.
Reset passwords for every account stored in your browser or Keychain. Enable two-factor authentication on all critical accounts, especially cryptocurrency exchanges.
Perform a deep scan to detect any remaining artifacts, persistence mechanisms, or secondary payloads that may have been dropped by the stealer.
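The check of ~/Library/LaunchAgents and /Library/LaunchDaemons from the removal steps can be scripted. The following is an added example, not CoreLock's code: it reads each launchd plist, finds the executable the job runs, and classifies that file's `codesign -dv` report as unsigned, ad-hoc signed, or signed. The function names are chosen for this example, and `audit()` assumes it runs on macOS where `codesign` is available.

```python
import plistlib
import subprocess
from pathlib import Path

# Directories the removal steps above say to check for persistence plists.
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchDaemons")]

def launch_target(plist_bytes):
    """Return the executable a launchd job runs, or None if it cannot be read."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return None
    if not isinstance(job, dict):
        return None
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def classify_signature(codesign_output):
    """Classify the text printed by `codesign -dv --verbose=4 <path>`."""
    if "not signed at all" in codesign_output:
        return "unsigned"
    if "Signature=adhoc" in codesign_output:
        return "ad-hoc"
    if "Authority=" in codesign_output:
        return "signed"
    return "unknown"

def audit():
    """Yield (plist, target, verdict) for every launchd job found (macOS only)."""
    for directory in LAUNCH_DIRS:
        for plist in sorted(directory.glob("*.plist")):
            target = launch_target(plist.read_bytes())
            if target is None:
                yield plist, None, "unreadable"
                continue
            # codesign writes its report to stderr, so capture both streams.
            run = subprocess.run(["codesign", "-dv", "--verbose=4", target],
                                 capture_output=True, text=True)
            yield plist, target, classify_signature(run.stdout + run.stderr)

if __name__ == "__main__":
    for plist, target, verdict in audit():
        if verdict != "signed":
            print(f"{verdict:10} {plist} -> {target}")
```

A job that starts a signed interpreter such as /bin/sh with a script argument is reported as signed, so read the full ProgramArguments of any plist you do not recognize.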
Only download software from official websites or the Mac App Store
Verify code signatures before opening any DMG or installer file
Be skeptical of sponsored search results leading to download pages
Use CoreLock's real-time monitoring to catch unsigned processes immediately
Real-time Detection
CoreLock identifies Atomic Stealer through behavioral analysis of fake password prompt injection, YARA signature matching against known AMOS payloads, code signing verification that flags unsigned or ad-hoc signed binaries, and network monitoring that detects exfiltration to Telegram bot endpoints.
Atomic Stealer targets browser passwords, cookies, and autofill data from Chrome, Firefox, Brave, and Edge. It also steals cryptocurrency wallet data, Keychain passwords, and local files matching specific extensions. It uses a fake system dialog to trick you into entering your Mac password.
Look for unexpected password prompts from applications you just installed, missing cryptocurrency balances, unfamiliar browser extensions, or strange processes in Activity Monitor. CoreLock can detect AMOS in seconds with its behavioral analysis engine.
AMOS distributors instruct victims to right-click and Open the DMG, bypassing Gatekeeper's first-launch warning. The malware itself is typically ad-hoc signed or unsigned, which is why code signing verification tools like CoreLock catch it immediately.
Yes. AMOS has been continuously updated since its 2023 debut, with new variants adding support for more wallets and browsers. It remains one of the most prevalent macOS stealers, distributed through an active malware-as-a-service operation on Telegram.
Download CoreLock to detect and remove Atomic Stealer and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.