
▲ 9 r/Malware
Atomic Stealer (AMOS) macOS Malware Decryption, Anti-VM, Hardware Wallet Trojanization & Persistent Backdoor
Picked up a low-VT AMOS sample on March 12 worth flagging. Aligns with the recent malext variants but layers a few things we haven't seen combined before:
- Custom multi-stage decryption (hex → ASCII → base64 via custom hash table) serving obfuscated osascript payloads at runtime — static analysis gets you almost nothing
- Anti-VM via `system_profiler` checking for QEMU/VMware/KVM processor strings and known sandbox hardware serials, run twice before payload delivery
- Payload written to `/bin/zsh` child process iteratively via `write()` loop — no plaintext payload on disk
- 300+ crypto extension IDs targeted + full desktop wallet scraping
- Hardware wallet trojanization — silently replaces Ledger, Trezor, and Exodus with adhoc-signed phishing lookalikes that harvest passwords and seed phrases to `systellis[.]com`
- Three-layer persistence: root LaunchDaemon (`com.finder.helper`) → `~/.mainhelper` backdoor pulled from C2 → `~/.agent` polling loop that pivots backdoor execution into the active console user's context every second via `stat -f "%Su" /dev/console`
u/Few-Calligrapher2797 — 13 days ago
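A host-side hunt for the persistence chain and wallet swap described in the post, added here as an example and not code from the poster. It assumes the LaunchDaemon plist sits under `/Library/LaunchDaemons`, that the wallet apps live in `/Applications` under their usual bundle names, and that `codesign -dv` reports `Signature=adhoc` for an ad-hoc signed bundle; root and home paths are parameters so it can be run against a copied or constructed tree.

```shell
#!/bin/sh
# amos_hunt [root] [home]: prints one "HIT ..." line per indicator found and
# the total hit count as the last line. Paths are assumptions, not from the post.
amos_hunt() {
    root="${1:-/}"
    home="${2:-$HOME}"
    hits=0
    # Layer 1: root LaunchDaemon carrying the com.finder.helper label
    for plist in "$root"/Library/LaunchDaemons/*.plist; do
        [ -f "$plist" ] || continue
        if grep -qF "com.finder.helper" "$plist"; then
            echo "HIT launchdaemon: $plist"
            hits=$((hits + 1))
        fi
    done
    # Layers 2 and 3: hidden backdoor and polling agent in the user's home
    for f in "$home/.mainhelper" "$home/.agent"; do
        if [ -e "$f" ]; then
            echo "HIT backdoor file: $f"
            hits=$((hits + 1))
        fi
    done
    # The console-user pivot leaves its stat invocation in any script-form agent
    if [ -f "$home/.agent" ] && grep -qF 'stat -f "%Su" /dev/console' "$home/.agent"; then
        echo "HIT console-user polling loop in $home/.agent"
        hits=$((hits + 1))
    fi
    # Genuine wallet apps carry a Developer ID signature; ad-hoc suggests replacement
    if command -v codesign >/dev/null 2>&1; then
        for app in "Ledger Live" "Trezor Suite" "Exodus"; do
            path="$root/Applications/$app.app"
            [ -d "$path" ] || continue
            if codesign -dv "$path" 2>&1 | grep -qF 'Signature=adhoc'; then
                echo "HIT ad-hoc signed wallet app: $path"
                hits=$((hits + 1))
            fi
        done
    fi
    echo "$hits"
    return 0
}

amos_hunt "$@"
```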