macOS Just Got a New Malware Nightmare: AMOS Evolves into a Full-Fledged Backdoor Threat
- Cyber Jill
- Jul 9
The days of assuming macOS is immune to serious malware are officially over. Atomic macOS Stealer (AMOS), once a run-of-the-mill infostealer targeting crypto wallets and browser data, has quietly transformed into something much more dangerous: a fully weaponized backdoor capable of remote access, persistence, and long-term surveillance.
In its latest update, AMOS is no longer just about smash-and-grab credential theft. It now embeds a sophisticated backdoor directly into infected macOS systems — giving attackers the power to silently linger, execute commands, install keyloggers, and spread deeper into connected networks.
AMOS, originally tied to a Russia-affiliated threat group, has already touched over 120 countries with campaigns targeting high-value Mac users. Now, its upgraded variant ushers in an alarming shift from one-time exfiltration to a model more akin to full-scale occupation.
“The evolution of AMOS into a dual-purpose threat, infostealer plus backdoor, marks a critical escalation in macOS-targeted malware,” said Ensar Seker, CISO at threat intel firm SOCRadar. “What makes this particularly concerning is the shift from quick data theft to long-term persistence and remote control, which dramatically increases the attacker’s dwell time and options. This is no longer just about stealing saved passwords; it’s about full-scale surveillance, data exfiltration, and even lateral movement into connected enterprise environments.”
AMOS now mimics attack strategies long associated with North Korean state hackers, using job interview lures to socially engineer victims into entering system passwords and unknowingly launching malicious payloads. But unlike its DPRK counterparts, which typically go for a rapid exit post-theft, AMOS lingers. Its embedded backdoor sets up launch daemons, creates persistent agents, and constantly checks in with its command-and-control infrastructure — ready to execute new instructions at a moment’s notice.
The technical depth of the malware is equally troubling. AMOS uses AppleScript, custom Mach-O binaries, and obfuscated shell scripts to bypass Gatekeeper and remain hidden from the average user. It even includes sandbox detection logic to avoid analysis and boasts the ability to reinfect via fake versions of popular apps like Ledger Live.
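A defender-side check for the launchd persistence described above, added here as an example and not taken from the article or from any AMOS analysis: it scans launchd plist directories and flags entries whose launcher is an AppleScript or shell interpreter, whose payload lives in a temp or shared-writable path, or which combine RunAtLoad with KeepAlive. The patterns and paths are assumed heuristics for triage, not AMOS indicators.

```shell
#!/bin/sh
# Added example: audit launchd persistence plists with a few heuristics.
# The regexes below are assumptions for triage, not AMOS IoCs.
set -eu

# Directories launchd reads on macOS; only those that exist are scanned.
LAUNCHD_DIRS="/Library/LaunchAgents /Library/LaunchDaemons ${HOME:-/nonexistent}/Library/LaunchAgents"

# suspicious_plist FILE -> prints "FILE<TAB>reasons" and returns 0 on a hit, 1 otherwise
suspicious_plist() {
  f="$1"
  reason=""
  # Launcher is osascript (AppleScript) or a shell interpreter
  if grep -Eq '<string>(/usr/bin/|/bin/)?(osascript|sh|bash|zsh)</string>' "$f"; then
    reason="${reason}interpreter-launch;"
  fi
  # Payload referenced from a temp or user-writable drop location
  if grep -Eq '<string>(/private)?/tmp/|/var/tmp/|/Users/Shared/' "$f"; then
    reason="${reason}writable-path;"
  fi
  # Starts at login/boot and is restarted by launchd if killed
  if grep -q '<key>RunAtLoad</key>' "$f" && grep -q '<key>KeepAlive</key>' "$f"; then
    reason="${reason}runatload+keepalive;"
  fi
  [ -n "$reason" ] || return 1
  printf '%s\t%s\n' "$f" "$reason"
}

# audit_dir DIR -> one output line per suspicious plist in DIR (silent if DIR is absent)
audit_dir() {
  d="$1"
  [ -d "$d" ] || return 0
  for p in "$d"/*.plist; do
    [ -f "$p" ] || continue
    suspicious_plist "$p" || true
  done
}

# Stand-alone use on a Mac: ./audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
  for d in $LAUNCHD_DIRS; do audit_dir "$d"; done
fi
```

Hits are a starting point for review, not a verdict: legitimate agents also use RunAtLoad and KeepAlive, so inspect the referenced binary, its signature, and its install date before acting.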
With these capabilities, AMOS isn’t just a threat to individual Mac users — it’s a risk to businesses that rely on macOS endpoints in hybrid environments.
“Given that AMOS is now only the second known backdoor operating at this scale on macOS, following a North Korean state-linked campaign, it signals that macOS is no longer flying under the radar,” Seker warned. “Enterprises with mixed-OS environments need to treat macOS endpoints as equally high risk and ensure EDR coverage, script execution controls, and user behavior monitoring are in place.”
The bigger picture here is not just about AMOS. It’s about how malware-as-a-service (MaaS) operators are starting to treat macOS as fair game, and how security assumptions around Apple’s ecosystem are rapidly eroding.
The message is clear: macOS users — whether individuals or enterprises — can’t afford to be complacent. Because AMOS isn’t just a stealer anymore. It’s a resident. And it’s not leaving quietly.