In the last week of April 2023, it was reported on twitter, that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet.

Figure 1 – Atomic MacOS Stealer

Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio.

Figure 2 – Amos DMGfiles masquerading as different applications

These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS.

We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to  execute the application by right clicking.

Figure 3 – Tor Browser

These fake applications are created by using Appify, which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in different names & having different icons but the same executable.

The contents of the application include a PLIST file, an universal binary which contains both INTEL and ARM executable and an icon. The PLIST file shows this application is made using Appify.

Figure 4 – Contents of the application aka Amos

The universal binary is named as My Go is the default name of the binary when made through Appify), even though it has the extension .app it is just a universal Mach-O binary. 

Figure 5 – My Go Application

The application is an unsigned one. The executable is identified as a Go lang based binary.

Figure 6 – Go Lang binary

Below is the section wise size of the binary. It has 3 segments and 20 sections within it.

Figure 7 – Segments and sections

The functions below indicates that it is an info stealer looking for documents, wallets, keychain details, browser and sends it to a C2.

Figure 8 – Stealer functions of Amos

The list of browser data for which it checks the machine are Chrome, Brave, Edge, Vivaldi, Yandex, Opera and Opera GX.

Figure 9 – Targeting browsers

It also looks for cryptocurrency wallets like Electrum, Coinomi, Exodus and Atomic to extract information.

Figure 10 – Targeting wallets

When the application is executed it requests for the machine’s password showing a genuine looking request from  system preferences using Osascript.

Figure 11 – Asking user’s password

If we enter nothing for 30 seconds, the empty string will be considered as the default answer and show that we entered an invalid password. The dialog box will keep on popping until the user gives the valid password.

Figure 12 – Osascript used to generate the dialog box

The password is validated using DSCLwith ‘authonly’ flag. DSCL is a command line utility to access and manipulate the directory services databases which store information about the users, groups, and accounts on a system.

Figure 13 – DSCL used to verify the password

Once the password is valid, it executes the above functions we have seen and exfiltrate the data. But before that it drops an executable file ‘unix1’ in the root of the local user directory. The keychain information exfiltration happens through this unix1 binary.

Figure 14 – Unix1 getting dropped in User’s directory

It also would ask permission from the user to access .txt documents from Desktop and Documents folders.

Figure 15 – Accessing desktop and documents folder

Below is the process tree of this stealer.

Figure 16 – Process Tree of AMOS

After the exfiltration, the malware compresses using ZIP and sends it using POST request to its C2. The data is also Base64 encoded.

Figure 17 – POST request to its C2 (

This stealer is also advertised on, where the used language is Russian.

Figure 18 – has ad about AMOS

In this site, the capabilities of the stealer and the details about how to get the malware through telegram are mentioned. 

Figure 19 – AMOS capabilities

It mentions – “You get access to the Panel and the bot, tell us your Telegram ID and build name [Build ID]. We will give you a build!” probably after the payment(which is $1000 for 31 days).

Figure 20 – Telegram information on how to get the malware

Threat actors targeting macOS users are increasing everyday. So, as a user, one needs to be cautious when executing unknown executables. Users are requested to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.

Also you can find information on these stealers here and also here.


Hash : 6b74d3c2e48721286697f941864536c0

C2 :

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “AMOS (MacOS Stealer)”