Atomic Stealer Is Evolving Into a Full Mac Trojan

By Maya Torres

A piece of Mac malware called Atomic Stealer is becoming smarter and more dangerous. It’s no longer just about stealing passwords; it’s evolving into a full-blown trojan that can cause much more damage.

What Is Atomic Stealer?

Atomic Stealer, often referred to as AMOS, emerged in 2023 as a typical infostealer. This type of malware is designed to quietly collect saved passwords, credit card numbers, browser cookies, and crypto wallet information before sending it to an attacker. It specifically targeted Mac users, which is a big deal since Mac malware has typically been less common than what we see on Windows.

Initially, it focused on one task: infiltrate, collect data, and exit. However, security researchers on the latest 9to5Mac Security Bite podcast discussed how Atomic Stealer has evolved beyond being a simple smash-and-grab tool.

What’s Changed: The Trojan Crossover

The malware now shows behaviors typical of trojans. These are malicious programs that disguise themselves as legitimate software, allowing them to maintain a persistent presence on your device. This shift is significant. An infostealer acts like a burglar who breaks in, takes your valuables, and leaves. A trojan, on the other hand, is more like someone who quietly moves into your walls and keeps watching.

Recent versions of Atomic Stealer can:

  • Remain installed on infected Macs, even after a restart
  • Download and execute additional malicious payloads after the initial infection
  • Broaden the attack surface beyond just stealing credentials

This evolution raises alarms for security researchers. When malware starts combining capabilities, it becomes tougher to detect and remove, increasing the potential for widespread damage.

How Is It Getting Onto Macs?

Atomic Stealer mainly spreads through malvertising. These are malicious ads appearing in search results, often pretending to be popular software downloads. Researchers have spotted fake ads for applications like Arc Browser, Notion, and various productivity tools leading users to download infected installers.

The malware also spreads via cracked software—pirated apps found on dubious download sites. If someone looks for a free version of a paid app and downloads it from an unofficial source, they might unknowingly install Atomic Stealer.

Once installed, the malware tricks users into entering their macOS password through a fake system prompt. Most people enter it without a second thought, giving the attacker full access.

Why Macs Aren’t as Safe as People Think

Many people still believe Macs don’t get viruses. That was never fully true, and it’s becoming increasingly misleading. Apple’s built-in protections, like Gatekeeper and XProtect, do catch many threats. But they aren’t foolproof, especially against new variants that haven’t been cataloged yet.

Atomic Stealer is designed to evade Gatekeeper, often appearing as a signed or notarized app that passes Apple’s initial checks. By the time Apple updates XProtect signatures to detect a new variant, thousands of users may already be infected.

Atomic Stealer: By The Numbers

  • First Detected: Early 2023
  • Original Function: Infostealer (credentials, crypto wallets, browser data)
  • Rental Cost on Dark Web: ~$1,000/month (as of initial discovery)
  • Primary Delivery Method: Malicious ads in search results (malvertising)
  • New Capability: Trojan-style persistence and payload delivery
  • Target Platform: macOS

What This Means for You

If you’re using a Mac and think you’re automatically safe, now’s a good time to reconsider that assumption. The shift towards trojan behavior means an infection could linger on your machine, updating itself or installing new tools long after the initial breach. You might not notice anything wrong until your bank account is drained or your accounts are compromised.

Here are some practical steps you should take:

  • Only download software from the Mac App Store or official developer websites. If you find an app through a sponsored result, double-check the URL before downloading.
  • Never enter your macOS password into a dialog that pops up during installation unless you’re completely sure the software is legitimate.
  • Consider a third-party malware scanner like Malwarebytes for Mac. It can catch threats that Apple’s built-in tools might miss.
  • Avoid pirated software altogether. The short-term savings aren’t worth the risk.
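
For readers comfortable with a terminal, here is one way to review what is set to start again after a restart, the persistence behavior described earlier. This is an added example, not code from the article or its sources. It assumes the startup items are launchd agents or daemons, the standard macOS autostart mechanism (the article does not say which mechanism Atomic Stealer uses), and its heuristics and sample entries are constructed for illustration.

```python
import plistlib, tempfile
from pathlib import Path

# Standard launchd folders whose jobs start at login or boot.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Generic triage heuristics chosen for this example; they are not AMOS indicators.
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}

def findings_for(job):
    """Return reasons a launchd job deserves a manual look (empty list = none)."""
    argv = [str(a) for a in job.get("ProgramArguments") or [job.get("Program")] if a]
    if not argv:
        return ["no program defined"]
    exe, reasons = Path(argv[0]), []
    if argv[0].startswith(RISKY_PREFIXES):
        reasons.append("runs from a world-writable directory")
    if any(part.startswith(".") for part in exe.parts[1:]):
        reasons.append("runs from a hidden path")
    if exe.name in INTERPRETERS:
        reasons.append("launches an interpreter instead of an app binary")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("restarts automatically at login or boot")
    return reasons

def audit(dirs=LAUNCHD_DIRS):
    """Map each flagged plist to its reasons; unreadable plists are flagged too."""
    report = {}
    for plist in (p for d in dirs for p in sorted(Path(d).expanduser().glob("*.plist"))):
        try:
            job = plistlib.loads(plist.read_bytes())
            reasons = findings_for(job) if isinstance(job, dict) else ["not a job dictionary"]
        except Exception as exc:  # malformed or permission-denied plist
            reasons = [f"unreadable: {type(exc).__name__}"]
        if reasons:
            report[str(plist)] = reasons
    return report

def demo():
    """Audit two constructed plists (sample data, not real malware artifacts)."""
    samples = {
        "com.example.updater.plist": {"ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example"]},
        "com.example.helper.plist": {"RunAtLoad": True, "ProgramArguments": ["/Users/sam/.cache/helper"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(job))
        return {Path(p).name: r for p, r in audit([tmp]).items()}
```

On a Mac, calling `audit()` with no arguments scans the real launchd folders. A flagged entry is a prompt to look closer, not proof of infection, since some legitimate tools also start scripts this way.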

Community Reaction

“This is exactly why I stopped using cracked apps years ago. The second AMOS started showing up in fake Arc Browser downloads, I knew things were getting serious.”

— u/pacificrimtech, Reddit r/MacOS

“The fake password prompt trick is so effective because macOS literally asks for your password all the time for legit things. Users are conditioned to just type it in.”

— YouTube comment on Security Bite Podcast, @devnullsec

What To Watch

  • Apple’s XProtect updates: Keep an eye out for Apple rolling out signature updates that address the trojan-behavior variants of Atomic Stealer. These updates happen silently but can be tracked through security community blogs.
  • macOS 26 / Tahoe security changes: With Apple releasing betas (including macOS 26.5 Beta 2 this week), any new OS-level protections against persistent malware will be important to monitor before the fall release.
  • Malvertising campaigns: Security researchers expect these fake-app ad campaigns to ramp up. If a new popular app launches and you see search ads for it, approach those ads with extra caution in the first few weeks.

Sources: 9to5Mac Security Bite Podcast | TechCrunch

Maya Torres is the Consumer Tech Editor at Explosion.com with 7 years covering product launches for major technology publications. She has reviewed over 300 devices across smartphones, laptops, wearables, and smart home products. Maya specializes in translating spec sheets into real-world buying advice and attends CES, MWC, and Apple keynotes as press. Her reviews focus on helping readers decide what to buy, not just what specs look good on paper.