Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram - SentinelOne


Recent weeks have seen a number of macOS-specific infostealers appear for sale in crimeware forums, including Pureland, MacStealer and Amos Atomic Stealer. Of these, Atomic Stealer has offered by far the most complete package, promising cybercriminals a full-featured if not particularly sophisticated infostealer. Atomic can grab account passwords, browser data, session cookies, and crypto wallets, and in the version being advertised on Telegram, threat actors can manage their campaigns through a web interface rented out from the developer for $1000 per month.

The threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.

How is Atomic Stealer Distributed?

Cybercriminals are currently being offered “Amos Atomic MacOS Stealer” via a dedicated Telegram channel. In the channel, which was opened on April 9th, the author offers to rent access to a web panel and provide a disk-image based installer for $1000/month.

Atomic Stealer as advertised on Telegram

Payload distribution is left up to the crimeware actor renting the package, so methods vary, but so far observed samples have been seen masquerading as installers for legitimate applications like the Tor Browser or pretending to offer users cracked versions of popular software including Photoshop CC, Notion, Microsoft Office and others.

Atomic MacStealer masquerades as legitimate applications

Malvertising via Google Ads has also been noted privately among researchers as a distribution vector for Atomic Stealer.

Some Atomic Stealer ITW URLs (Source: VirusTotal)

The Atomic Stealer channel currently has over 300 subscribers, with some posts – possibly planted – appearing to endorse the efficacy of the malware.

A Telegram message seems to endorse Atomic MacStealer

A Google translation of the Russian text reads “The build works, the logs go, it robs clearly. Of all the poppy stealers that I used, this one is better in terms of a grabber, and most importantly, grandmas do not steal)”.

Anatomy of Atomic MacOS Stealer Variant A

These fake applications are made with a fork of Appify, a legitimate script available on GitHub for building a barebones macOS application. All Atomic infostealers currently contain the same Go-based main executable, which weighs in at around 51.5MB as a Universal binary targeting both Intel and arm64 architectures.

Anatomy of the Atomic Stealer binary (variant A)

Despite the heft, no attempt has been made to deliver a working copy of the spoofed apps. Aside from the Appify README, the bundle contains nothing more than the Go infostealing binary, an icon file and an Info.plist.

Anatomy of an Atomic Stealer application bundle

The application bundles currently being distributed are all built with the default Appify bundle identifier, Appify by Machine Box.My Go Application, potentially a deliberate ploy by the author in the hope that detections might be considered false positives.

Execution Behavior of Variant A

Atomic does not attempt to gain persistence, an increasing trend since Apple added login item notifications in macOS Ventura, relying instead on a one-hit smash and grab methodology.

Atomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing.

This involves creating a dialog box with osascript and passing the hidden answer parameter to the display dialog command. These dialog boxes contain an ordinary text field, but the parameter displays the user’s typed characters as dots, similar to a genuine authentication dialog. However, the password is captured in plain text and appears as such in the system logs, which is a good reason why legitimate software developers should never use this insecure method to obtain user credentials.

display dialog "MacOS wants to access System Preferences

You entered invalid password.

Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer ¬

The dialog box message contains grammatical and syntactic errors, suggesting the developer’s first language is not English. The dialog box is generated inside an infinite loop: clicking the “Cancel” button simply pops the dialog box again. If the “OK” button is clicked, the malware checks that the user entered a valid password via the /usr/bin/dscl utility with the -authonly option.

The dialog box repeatedly pops until the correct password is supplied. All of this occurs via the command line utility osascript, so it is easily visible to defenders monitoring command line activity.

SentinelOne console reveals Atomic Stealer command line activity

Amos Atomic is hardcoded to throw the user an error message after it has stolen the user’s password and gone about its business of stealing various credentials. Here and elsewhere, the malware author’s lack of familiarity with English and AppleScript provide clues that should raise suspicions: namely, the misspelling of “occurred” and the fact that a genuine error message shouldn’t contain a ‘Cancel’ button.

Amos Atomic throws an error message and quits after successfully stealing user data

The disassembled Go code reveals a comprehensive suite of functions serving the infostealer’s primary aim: financially-motivated cybercrime.

Infostealing functions in Amos Atomic

The malware contains logic to steal the user’s keychain and crypto wallet contents, including those for Atomic, Binance, Electrum and Exodus. A process called ‘unix1’ is spawned in memory to obtain the keychain. Atomic Stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions to attack. A detailed walkthrough of the functions above has been published previously.

Atomic Stealer execution chain

Atomic Stealer Variant B

Pivoting off the IP address seen in some Atomic Stealer samples leads to another variant of the stealer, c70fdf4362eb56032793ab08e6aeb892f1bd4a9b, currently undetected on VirusTotal, masquerading as a Game Installer.

A previously undiscovered variant of Atomic Stealer

This version is not distributed in an application bundle, but rather as a raw Go binary. The unsigned “Game Installer” Mach-O was uploaded to VirusTotal on April 13th and is contained in a disk image called “ALMV_launcher”. The DMG mounts with the name “Game Installer” and contains a binary of the same name, displaying an icon showing the text “Start Game”.

Background image of the ALMV_launcher.dmg

As the universal binary is unsigned, the user will have to override Gatekeeper manually on both Intel and arm64 machines in order to run it.

Variant B’s list of Go main functions differs from the version being packaged and sold on Telegram and shows a larger number of functions focusing on Firefox and Chromium browsers. Variant B also targets Coinomi wallets.

Atomic Stealer variant B primary functions

Both variant A and B utilize the /usr/bin/security utility to find Chrome passwords.

security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'
Atomic Stealer B calls the /usr/bin/security utility to find Chrome passwords
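The post notes that the osascript password prompt, the dscl -authonly check and the security keychain read all run through the command line and are visible to anyone monitoring process execution. The following is an added example (not SentinelOne’s detection logic or the malware’s code) showing how a defender can turn those three behaviours into rules over process telemetry; the event fields, rule names and sample records are constructed assumptions.

```python
"""Command-line heuristics for the Atomic Stealer behaviours described in the post.

Added example, not SentinelOne's logic. It scans constructed process-execution
records (the shape an EDR or `log show` query yields) for the osascript prompt
using `hidden answer`, the `dscl ... -authonly` password check and the
`security find-generic-password -ga 'Chrome'` keychain read.
"""
import re
from typing import Dict, List

# Each rule: name, regex on the process image path, regex on the full command line.
RULES = [
    ("osascript_password_prompt", r"osascript$",
     r"display dialog.*?default answer.*?hidden answer"),
    ("dscl_authonly_check", r"dscl$", r"-authonly"),
    ("security_chrome_keychain_read", r"security$",
     r"find-generic-password\b.*-g\w*\s+'?Chrome'?"),
]

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that fire on a single process event."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, event["image"])
            and re.search(cmd_re, event["cmdline"], re.S)]

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct rule hits by parent process. A `hidden answer` dialog alone
    is also used by legitimate admin scripts, so several different hits under one
    parent (the smash-and-grab chain) is what deserves a high-severity alert."""
    by_parent: Dict[str, List[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            hits = by_parent.setdefault(ev["ppid"], [])
            if hit not in hits:
                hits.append(hit)
    return by_parent

# Constructed sample telemetry, not real captures. The dscl line is an illustration
# of the -authonly usage; the last two records are benign and must not fire.
SAMPLE_EVENTS = [
    {"ppid": "4242", "image": "/usr/bin/osascript", "cmdline":
     'osascript -e \'display dialog "MacOS wants to access System Preferences" '
     'with title "System Preferences" default answer "" giving up after 30 with hidden answer\''},
    {"ppid": "4242", "image": "/usr/bin/dscl",
     "cmdline": "dscl . -authonly victim <typed-password>"},
    {"ppid": "4242", "image": "/usr/bin/security",
     "cmdline": "security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'"},
    {"ppid": "7001", "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Backup finished" buttons {"OK"}\''},
    {"ppid": "7002", "image": "/usr/bin/security", "cmdline": "security list-keychains"},
]

if __name__ == "__main__":
    for parent, hits in scan(SAMPLE_EVENTS).items():
        print(f"parent {parent}: {'high' if len(hits) > 1 else 'medium'} -> {', '.join(hits)}")
```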

In Variant B, the user name “administrator” appears from the development machine; this differs from variant A, which included the username “iluhaboltov”. The string “ATOMIC STEALER COOCKIE” is also found in variant B but not A.

The “ATOMIC STEALER” string is hardcoded into the malware

Unlike the package offered in the Atomic Telegram channel, this version of Atomic Stealer is more selective in the information it tries to steal and seems to be aimed specifically at gamers and cryptocurrency users.

An associated YouTube channel by user @Crypto-ALMV was created on April 29th, apparently advertising a product that offers cryptowallet access within a game. The channel, user, and video appear to be in the early stages of development and may indicate a campaign that is yet to be launched.

How to Protect Against Atomic Stealer

SentinelOne customers are protected against all known versions of Atomic Stealer. When the agent is set to ‘Protect’ mode, Atomic Stealer is prevented from executing.

In Detect Only mode, the malware’s execution causes an alert and behavioral and threat indicators are available in the console.

Threat hunters and security teams not protected by SentinelOne are encouraged to review the list of Indicators of Compromise provided at the end of this post.


Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use. As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.

Atomic Stealer’s advertised price suggests there is money to be made by “selling shovels” as cybercrime actors rush for the ‘Gold’ of data that can be harvested by tricking users into running untrustworthy software. However, the existence of a second variant that appears to be aimed at infecting users first-hand suggests the threat actor isn’t averse to a bit of gold digging, too.

Indicators of Compromise


SHA1 Variant A DMG

SHA1 Variant A Mach-O 

SHA1 Variant B DMG

SHA1 Variant B Mach-O