Skip to content
Close Menu

    Subscribe to Updates

    Get the latest news from tastytech.

    What's Hot

    South Sudan, 15 years on: Still fighting for peace | News

    July 9, 2026

    Speculative Decoding for 400% Faster LLMs

    July 9, 2026

    I can’t get Netflix to run smoothly in my house — but NASA just sent a 4K video stream from the Moon, thanks to AWS

    July 9, 2026
    Facebook X (Twitter) Instagram
    Facebook X (Twitter) Instagram
    tastytech.intastytech.in
    Subscribe
    • AI News & Trends
    • Tech News
    • AI Tools
    • Business & Startups
    • Guides & Tutorials
    • Tech Reviews
    • Automobiles
    • Gaming
    • movies
    tastytech.intastytech.in
    Home»Tech Reviews»AMOS macOS malware spreads through simple terminal tricks while security vendors debate whether its threat is actually new
    AMOS macOS malware spreads through simple terminal tricks while security vendors debate whether its threat is actually new
    Tech Reviews

    AMOS macOS malware spreads through simple terminal tricks while security vendors debate whether its threat is actually new

    gvfx00@gmail.comBy gvfx00@gmail.comMay 24, 2026No Comments3 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email



    • AMOS relies on users executing malicious terminal commands themselves
    • Sophos MDR identified ClickFix-style social engineering in macOS attacks
    • Half of macOS stealer reports involved AMOS, but Apple is fighting back

    Atomic macOS Stealer, also known as AMOS, is a persistent macOS security threat because it does not need sophisticated zero-day vulnerabilities to compromise Apple devices.

    Instead, this malware family repeatedly exploits ordinary user behaviour by tricking users into typing a single command into their own Terminal application.

    A recent incident investigated by Sophos MDR teams revealed exactly this pattern: a ClickFix-style ruse persuaded a victim to execute a malicious line of code manually.

    Latest Videos From

    You may like

    Table of Contents

    Toggle
    • AMOS uses psychological manipulation over technical exploits
    • How the malware harvests passwords and data
      • Related posts:
    • New attack provides one more reason why AI browsers are a bad idea
    • Nvidia's $100 billion OpenAI deal has seemingly vanished
    • Global copper demand is exploding as electrification and tech infrastructure push production to its ...

    AMOS uses psychological manipulation over technical exploits

    This approach has become increasingly prominent, with researchers noting similar social engineering tactics in multiple macOS infostealer campaigns throughout 2025 and early 2026.

    AMOS accounted for nearly 40% of all macOS protection updates deployed by Sophos in 2025, more than doubling the detection rate of any other macOS malware family during the same period.

    Furthermore, almost half of all macOS stealer customer reports in the last three months involved AMOS or its close variants.

    Security firms have tracked this malware-as-a-service operation since at least April 2023, with notable campaigns including a variant dubbed SHAMOS reported by CrowdStrike in August 2025.

    Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

    In December 2025, Huntress documented infections spreading through poisoned search results related to ChatGPT and Grok conversations.

    How the malware harvests passwords and data

    After the initial Terminal command executes a bootstrapping script, the malware immediately prompts the user for their macOS system password.

    The malicious code then validates this credential locally using a simple directory services command before storing it in a hidden file named .pass within the user’s home directory.


    What to read next

    Once the password is secured, AMOS downloads a secondary payload that removes extended attributes to bypass macOS security warnings.

    The stealer also checks whether it is running inside a virtual machine or sandbox environment by querying system_profiler data for indicators such as QEMU, VMware, or KVM.

    The malware then proceeds to harvest an extensive range of sensitive information, including the macOS Keychain database, browser credentials from Firefox and Chrome, extension storage files, and local session tokens.

    Some variants also deploy fake Ledger Wallet and Trezor Suite applications designed to steal cryptocurrency wallet seeds and credentials.

    All collected files are compressed into a single archive using the ditto utility before being transmitted to attacker-controlled servers via curl POST requests.

    To maintain long-term access, the malware installs a LaunchDaemon that ensures automatic execution after every system reboot.

    Despite the severity of AMOS, it is worth questioning whether security vendors are overstating its novelty, given that infostealers have been targeting Windows systems for nearly two decades.

    The malware’s heavy reliance on user consent — someone must willingly paste and run a Terminal command — creates a significant barrier that technically literate users might easily avoid.

    Moreover, Apple’s ongoing improvements to Gatekeeper, XProtect, and notarization requirements could render AMOS largely ineffective within a few operating system updates.

    The real danger may lie less in AMOS itself and more in the uncomfortable truth that no platform is immune to users who ignore basic security warnings.


    Google logo on a black background next to text reading 'Click to follow TechRadar'

    Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.


    Related posts:

    Patriots vs. Seahawks time, where to watch and more

    Best Portable SSDs: 2025's Top 5 Collection

    Today's NYT Mini Crossword Answers for April 11

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleLegends, Vampire Survivors, Simon’s Cat, and More – TouchArcade
    Next Article Secret Service fatally shoots gunman who fired at White House checkpoint | News
    gvfx00@gmail.com
    • Website

    Related Posts

    Tech Reviews

    I can’t get Netflix to run smoothly in my house — but NASA just sent a 4K video stream from the Moon, thanks to AWS

    July 9, 2026
    Tech Reviews

    US rare earths flow to Asia as domestic demand is slow to emerge

    July 8, 2026
    Tech Reviews

    DuckDuckGo Browser Can Now Block Video Ads, Including YouTube’s

    July 8, 2026
    Add A Comment
    Leave A Reply Cancel Reply

    Top Posts

    Black Swans in Artificial Intelligence — Dan Rose AI

    October 2, 2025206 Views

    Every Clue That Tony Stark Was Always Doctor Doom

    October 20, 2025131 Views

    We let ChatGPT judge impossible superhero debates — here’s how it ruled

    December 31, 2025100 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram

    Subscribe to Updates

    Get the latest tech news from tastytech.

    About Us
    About Us

    TastyTech.in brings you the latest AI, tech news, cybersecurity tips, and gadget insights all in one place. Stay informed, stay secure, and stay ahead with us!

    Most Popular

    Black Swans in Artificial Intelligence — Dan Rose AI

    October 2, 2025206 Views

    Every Clue That Tony Stark Was Always Doctor Doom

    October 20, 2025131 Views

    We let ChatGPT judge impossible superhero debates — here’s how it ruled

    December 31, 2025100 Views

    Subscribe to Updates

    Get the latest news from tastytech.

    Facebook X (Twitter) Instagram Pinterest
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    © 2026 TastyTech. Designed by TastyTech.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.