Date: 2025-09-05

A new Atomic macOS Stealer (AMOS) campaign is targeting macOS users by disguising the malware as “cracked” versions of legitimate apps, Trend Micro researchers have warned.

The campaign is designed to help cybercriminals overcome recent Apple security improvements, representing “significant tactical adaptation,” the researchers found.

“While macOS Sequoia's enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” they noted.

Victims are lured into installing the infostealer via social engineering techniques: either by downloading a malicious .dmg installer masquerading as a cracked app or by being asked to copy and paste commands into the macOS Terminal, an approach that resembles the fake CAPTCHA technique.

Once installed, AMOS establishes persistence before stealing sensitive data from the victim’s system. This includes credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes and files from common folders.

AMOS’ Infection Chain and Delivery

The Trend Micro report, published on September 4, observed that the attackers attempt to gain initial access to systems through cracked software downloads.

Affected users visited the website haxmac[.]cc several times. The site hosts several cracked software programs for macOS.