Start / Daily Security Review / The evolution of atomic macos stealer backdoors keyloggers and persistent threats

The Evolution of Atomic macOS Stealer: Backdoors, Keyloggers, and Persistent Threats

45 min • 8 juli 2025

This episode exposes the growing menace of Atomic macOS Stealer (AMOS) — a rapidly evolving malware-as-a-service (MaaS) platform targeting macOS users worldwide. Once seen as a simple data stealer, AMOS has matured into a potent, long-term threat featuring keyloggers, a persistent backdoor, and system-level access, all designed to exfiltrate data and maintain control over compromised systems.

AMOS now enables threat actors to remotely execute commands, spy on users, and re-infect devices even after reboot, thanks to advanced macOS persistence techniques like LaunchDaemons and hidden binary scripts. Its infection chain relies on social engineering, counterfeit applications, and tampered DMG installers — making even savvy Mac users vulnerable.

This episode explores:

AMOS's evolution from stealer to full-platform malware with persistent remote access
Key features of the latest version, including a keylogger and embedded backdoor capable of running arbitrary commands
Real-world attack vectors, such as phishing campaigns, cracked software, poisoned torrents, and fake job ads targeting cryptocurrency holders and freelancers
The use of macOS persistence mechanisms (LaunchDaemons, osascript, ScriptMonitor) and Gatekeeper evasion
Cross-platform development in GoLang, allowing the malware to operate seamlessly across Mac architectures
The global impact, with campaigns spanning over 120 countries and rising infection rates in the U.S., U.K., France, and Canada
How AMOS compares to Cthulhu Stealer and North Korea-aligned tools like RustBucket and macOS BeaverTail
Practical security steps to detect and mitigate AMOS, including IOC monitoring, digital signature verification, and behavioral endpoint defenses

AMOS has rapidly become one of the top three most detected macOS threats, signaling a paradigm shift in Mac-targeted malware. With crypto wallets, browser data, and personal credentials at risk, this episode is essential listening for anyone in cybersecurity, IT, or using Macs in high-risk industries.

Senaste avsnitt

Cloud Computing Heist: $3.5 Million Fraud Leads to Prison for Fake Crypto Influencer

19 augusti | 48 min

Embassy Espionage: Kimsuky and Suspected Chinese Partners Deploy XenoRAT in Seoul

19 augusti | 65 min

GSMA Confirms Flaws: Researchers Unveil Dangerous 5G Sniffing and Injection Attack

19 augusti | 51 min

SAP NetWeaver Under Siege: New Exploit Chains Threaten Global Enterprises

19 augusti | 45 min

Ransomware Gangs Deploy Kernel-Level EDR Killers to Evade Detection

19 augusti | 35 min

The Evolution of Atomic macOS Stealer: Backdoors, Keyloggers, and Persistent Threats

Senaste avsnitt

Cloud Computing Heist: $3.5 Million Fraud Leads to Prison for Fake Crypto Influencer

Embassy Espionage: Kimsuky and Suspected Chinese Partners Deploy XenoRAT in Seoul

GSMA Confirms Flaws: Researchers Unveil Dangerous 5G Sniffing and Injection Attack

SAP NetWeaver Under Siege: New Exploit Chains Threaten Global Enterprises

Ransomware Gangs Deploy Kernel-Level EDR Killers to Evade Detection

Chinese APTs Target Taiwan: UAT-7237’s SoundBill Loader and Gelsemium’s FireWood Backdoor

Colt Cyberattack: Multi-Day Outages After WarLock Ransomware Exploited SharePoint Zero-Day

Workday Breach Tied to Third-Party CRM Hack in ShinyHunters Campaign

DOJ Brings Down Zeppelin Ransomware Operator, Seizes Millions in Crypto

U.S. Sanctions Grinex, the Russian Crypto Exchange Born from Garantex’s Ashes

Canadian House of Commons Breach Tied to Microsoft SharePoint Zero-Day

Norwegian Authorities Blame Pro-Russian Hackers for Critical Infrastructure Breach

MadeYouReset: New HTTP/2 Flaw Could Unleash Massive DDoS Storms

Cybersecurity Budgets Hit Historic Slowdown as Global Tensions Mount

CVE-2025-53786: The Microsoft Exchange Hybrid Flaw That Could Take Down Your Domain

Allianz Life Breach: 2.8 Million Records Leaked in Salesforce Hack

Charon Ransomware Targets Middle East Government and Aviation Sectors

August 2025 Patch Tuesday: Microsoft and Adobe Fix Over 170 Security Flaws

RansomHub Hits Michigan’s Manpower — Data Breach Exposes 140,000 Individuals

Security Firms Warn GPT-5 Is Wide Open to Jailbreaks and Prompt Attacks

Germany’s Top Court Limits Police Spyware to Serious Crimes Only

BadCam: Lenovo Webcam Flaw Turns Everyday Cameras into Remote BadUSB Attack Tools

Free Wi-Fi Loophole Lets Hackers Breach Smart Bus Control Systems

ReVault: Critical Dell Firmware Flaws Allow Windows Login Bypass and Persistent Implants

Air France–KLM Data Breach Exposes Customer Info via Compromised Third-Party Platform

Critical Flaws in CyberArk Conjur and HashiCorp Vault Put Enterprise Secrets at Risk

Prompt Injection Nightmare: Critical AI Vulnerabilities in ChatGPT, Copilot, Gemini & More

From Google to LVMH: ShinyHunters’ Salesforce Breaches Spark Global Ransom Crisis

Cisco Hit by Vishing Attack: CRM Breach Exposes Millions of User Profiles

Ox Security Unveils Agent Ox: AI Tool That Writes Tailored Fixes for Software Vulnerabilities

Meta Deletes 6.8 Million Scam Accounts as AI-Powered Fraud Rings Exploit WhatsApp

Meta Found Liable: Jury Rules Against Tech Giant in Flo Health Privacy Case

TSMC Insider Threat: Six Arrested in Taiwan Over 2nm Chip Trade Secrets

Approov Secures £5M to Fortify Mobile App and API Security Against AI-Driven Threats

Pwn2Own Ireland 2025: $1M WhatsApp Exploit Bounty Raises the Stakes

Nvidia Triton Inference Server Vulnerabilities Expose AI Infrastructure to Attack

CISA & FEMA Release $100M in Cybersecurity Grants to Strengthen State, Local, and Tribal Defenses

AI Jailbreaks on the Rise: How Hackers Are Extracting Training Data from LLMs

350,000 Patient Records Exposed: Inside the Northwest Radiologists Data Breach

Critical Honeywell Experion PKS Vulnerabilities Threaten Global Industrial Control Systems

Auto-Color Linux Malware Exploits SAP Zero-Day CVE-2025-31324

Inside the July 2025 PyPI Phishing Scam: How Hackers Stole Developer Credentials

IoT Security Crisis: Dahua Smart Camera Vulnerabilities Expose Surveillance Systems

Dropzone AI Secures $37M to Tackle Alert Fatigue with Autonomous SOC Analysts

Axonius Buys Cynerio for $100M+: Closing Healthcare’s Biggest Cybersecurity Blind Spot

Critical Lenovo Firmware Flaws Expose Millions to Persistent UEFI Attacks

Promptfoo Secures $18.4M to Combat AI Security Threats in Generative AI

1.1 Million Private Messages Leaked: Inside the Tea App Privacy Disaster

Job Scams, Corporate Espionage, and Digital Deception: Inside the Deepfake Crisis

Microsoft Exposes Major macOS Flaws in Transparency, Consent, and Control

Aeroflot in Chaos: How Hackers Crippled Russia’s Flagship Airline

Neferpitou Claims Cyberattack on French Naval Defense Giant

Root Evidence Launches With $12.5M to Redefine Vulnerability Management

NASCAR Hit by Medusa Ransomware: 1TB of Data Stolen in April 2025 Cyberattack

Scattered Spider Strikes Again: Inside the VMware ESXi Ransomware Tactics

Koske Malware Hides in Panda Images, Weaponizes AI to Target Linux

Operation Checkmate: BlackSuit Ransomware’s Dark Web Sites Seized

Coyote Malware Exploits Microsoft UI Automation in First-Ever Wild Attack

No Fix Coming: Remote Code Execution Flaw in 1,300 LG Security Cameras

ToolShell Exploited: China-Linked Hackers Breach NNSA and U.S. Government Networks

Massive NPM Breach: Malicious Packages Spread via Compromised Maintainer Accounts

Clorox Sues Cognizant Over $356M Cyberattack: Who's Really to Blame?

HeroDevs Secures $125M to Extend Life of Critical Open Source Software

UK Moves to Ban Ransomware Payments for Public Sector and Critical Infrastructure

New SysAid Vulnerabilities Added to CISA’s KEV List: XXE Flaws Could Enable RCE

Lumma Stealer Returns: Malware-as-a-Service Resurges After Global Takedown

Cisco ISE Critical Flaws Now Actively Exploited: No Workarounds, Just Root Access

ToolShell: SharePoint Zero-Day Chain Gives Hackers Full Remote Access

CVE-2025-54309: CrushFTP Zero-Day Exploited in Global Admin Access Attacks

Dell Breach by World Leaks: Extortion Attempt Hits Demo Platform

Critical VPN Vulnerability: ExpressVPN Exposed IPs via RDP Misrouting

Dior Data Breach Exposes U.S. Customer Info in LVMH Vendor Attack

StrongestLayer Raises $5.2M to Fight AI-Powered Phishing with TRACE

750,000 Records Exposed: Inside the TADTS Data Breach by BianLian

SS7 Is Still Broken: How Surveillance Firms Are Bypassing Telco Defenses

The UNFI Cyberattack: How Hackers Disrupted the U.S. Food Supply Chain

Zuckerberg on Trial: The $8 Billion Data Privacy Reckoning

Operation Eastwood: Inside the Takedown of NoName057(16)