Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
Summary
Hide ▲
Show ▼
Atomic MacOS Stealer (AMOS) is being distributed to macOS users through ClickFix-style Terminal prompts that silently download, mount, and launch DMG payloads. In the latest 2026-06 activity, Palo Alto Networks Unit 42 observed victims being steered from a fake CAPTCHA page into running a malicious command that fetched s.01M0td.dmg from svs-verificationdate[.]beer, mounted it with hdiutil, and launched NNApp.app. on Mac devices.
Related Happenings
QuimaRAT cross-platform Java MaaS remote access trojan
Malware Activity
H score29
First: 06.07.2026 11:13
Last: 06.07.2026 11:13
Sources 1
About this happening:
A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware ActivityAbout this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
MacOS.Gaslight AI-analysis evasion malware
Malware Activity
H score22
First: 25.06.2026 19:23
Last: 25.06.2026 19:23
Sources 1
About this happening:
The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
MacOS.Gaslight AI-analysis evasion malware
Malware ActivityAbout this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
H score73
First: 24.06.2026 18:59
Last: 24.06.2026 18:59
Sources 1
About this happening:
The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor MetaAbout this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Timeline
-
12.02.2026 16:25 8 articles · 4mo ago
AMOS distribution via AI-app lures and supply-chain abuse
Technical Analysis UpdateAtomic MacOS Stealer (AMOS) is being distributed to macOS users through AI-app lures, poisoned skill marketplaces, fraudulent GitHub repositories, SEO poisoning, malvertising, and ClickFix-style terminal prompts, with malicious installers and add-ons designed to steal credentials, browser sessions, crypto wallet data, SSH keys, PII, and other sensitive files.
Show sources
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- Bing AI promoted fake OpenClaw GitHub repo pushing info-stealing malware — www.bleepingcomputer.com — 06.03.2026 00:37
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages — thehackernews.com — 05.09.2025 09:13
- New macOS ClickFix attack silently mounts DMGs to push infostealer — www.bleepingcomputer.com — 23.06.2026 21:30
- ClickFix Now Cybercriminals' Favorite Malware Delivery Technique — www.infosecurity-magazine.com — 30.06.2026 15:00