Request a Demo
Rewterz
Hackers Abuse WordPress ClickFix to Drop RAT – Active IOCs
July 8, 2025
Rewterz
macOS SMBClient Bug Enables RCE and Kernel Crash
July 8, 2025

Atomic Stealer Upgraded With Persistent Backdoor – Active IOCs

Severity

High

Analysis Summary

The Atomic macOS Stealer (AMOS), a known Russia-affiliated malware, has undergone a major upgrade, transforming it from a basic information stealer into a powerful backdoor capable of persistent control over infected macOS systems. This marks a critical shift in the threat landscape for Mac users, as it’s only the second known case of such sophisticated backdoor deployment at scale, previously seen only in operations attributed to North Korean threat actors. The updated AMOS enables attackers to execute remote commands, maintain long-term access, and compromise systems far beyond initial data theft, with widespread campaigns already reported in over 120 countries, including the U.S., U.K., France, Canada, and Italy.

According to the Researcher, the upgraded AMOS leverages two primary attack vectors: cracked or fake software distributed through malicious websites, and spear-phishing campaigns. The latter particularly targets high-value individuals like freelancers and cryptocurrency holders by impersonating staged job interviews. Victims are tricked into providing system credentials under the guise of screen-sharing requests. Once executed, the malware evades Apple’s Gatekeeper protections through a layered execution chain involving trojanized DMG files, bash scripts, and malicious Terminal aliases, allowing for stealthy installation and persistence.

The backdoor communicates with command-and-control servers at IP addresses 45.94.47.145 and 45.94.47.147, sending periodic HTTP POST requests every 60 seconds to receive commands. It installs a LaunchDaemon labeled “com.finder.helper” to ensure it survives system reboots, and hides operational components under filenames like “.helper” and “.agent.” Unlike typical smash-and-grab theft operations by groups like Lazarus, AMOS focuses on maintaining long-term covert access, potentially allowing attackers to surveil, manipulate, or exfiltrate sensitive data over extended periods.

Security experts have noted a spike in unique AMOS binary samples since early 2024, reflecting active development and wider deployment of this malware through the malware-as-a-service (MaaS) model. As the threat evolves, Mac users are urged to adopt layered defense strategies, including anti-malware tools, cautious interaction with unsolicited offers or job interviews, and limiting personal data exposure online. Cybersecurity researchers, are closely monitoring AMOS's evolution and continue to share intelligence to help organizations defend against this increasingly dangerous macOS threat.

Impact

  • Sensitive Data Theft
  • Crypto Theft
  • Gain Access
  • Financial Loss

Indicators of Compromise

IP

  • 45.94.47.158

  • 45.94.47.157

  • 45.94.47.146

  • 45.94.47.147

  • 45.94.47.145

MD5

  • 53c2e47e41fccd101da2459892f9c33b

  • 58415d7b6686b0bdf7b0e811511f4e81

  • 59d5cd7e4a50f4dadf226e2973d04a72

  • a79d09c2450b4b18ad0868911937eac2

SHA-256

  • ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb

  • 11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838

  • 8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e

  • 3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6

SHA1

  • d6c01cddc711fd17cc7687ba4b214769cf9b7d6b

  • e8b5f25fc185e594847d7e0963089fb5643392ce

  • 1310b7525b5887ae708c720264ca758ab2d07a64

  • 29416b38e7cd6a6aae40b629cfc3e25f4dca6e25

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Isolate and determine if forensic analysis needs to be performed. If it does, a forensic image (preservation copy) should be created for analysis to determine the scope of potential data at risk and the extent of threat actor activity. If not, proceed with internal/existing IT processes to restore to "gold image" (baseline).
  • Conduct a forensic analysis of the "at risk" data as identified within this article under Critical Takeaways section under "The extension accessed the following browser data:", which details specifically what data elements may be at risk and should be considered for inventorying, resetting, and for a potential follow-on investigation into unauthorized or unexpected activity.
  • Reset credentials associated with affected user accounts, especially those with administrative access.
  • Block-identified IOCs (domains, IPs, hashes) across endpoints, networks, and other security appliances.
  • Reimage the infected system to ensure full eradication.
  • Educate users on recognizing suspicious activity and phishing attempts to reduce the risk of reinfection.