Find notable cyber news and cases, enriched with sources, timelines, and signals.

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
First reported
Last updated
Happening score
H score 31
4 unique sources, 7 articles

Summary

Hide ▲

Atomic MacOS Stealer (AMOS) is being distributed to macOS users through ClickFix-style Terminal prompts that silently download, mount, and launch DMG payloads. In the latest 2026-06 activity, Palo Alto Networks Unit 42 observed victims being steered from a fake CAPTCHA page into running a malicious command that fetched s.01M0td.dmg from svs-verificationdate[.]beer, mounted it with hdiutil, and launched NNApp.app. on Mac devices.

Related Happenings

QuimaRAT cross-platform Java MaaS remote access trojan

Malware Activity
H score29 First: 06.07.2026 11:13 Last: 06.07.2026 11:13 Sources 1

About this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

Amadey and StealC MaaS ecosystem and affiliate model

Threat Actor Meta
H score73 First: 24.06.2026 18:59 Last: 24.06.2026 18:59 Sources 1

About this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

Timeline

  1. 12.02.2026 16:25 8 articles · 4mo ago

    AMOS distribution via AI-app lures and supply-chain abuse

    Technical Analysis Update

    Atomic MacOS Stealer (AMOS) is being distributed to macOS users through AI-app lures, poisoned skill marketplaces, fraudulent GitHub repositories, SEO poisoning, malvertising, and ClickFix-style terminal prompts, with malicious installers and add-ons designed to steal credentials, browser sessions, crypto wallet data, SSH keys, PII, and other sensitive files.

    Show sources