Atomic Stealer: Thieving Mac malware sold via Telegram


A threat actor is offering “malware as a service” that can steal sensitive data from Macs. Dubbed AtomicStealer—or Atomic macOS Stealer, AMOS—the framework enables cybercriminals to create custom Trojan horse malware. These Trojans attempt to exfiltrate passwords, stay-logged-in session cookies, cryptocurrency wallets, and more.

Below, we’ll explain what you need to know about this new Mac threat and how to stay protected.

What does OSX/AtomicStealer Mac malware do?

A threat actor has recently begun selling access to a new, customizable Mac data-stealing malware framework. Access to the framework is advertised via the Telegram secure messaging app.

Reportedly, other cybercriminals can “lease” the malware framework at $1,000 per month. This implies that the original developer may continue to update the framework to try to evade antivirus detection as part of this “malware as a service” operation.

So what can AtomicStealer-based malware do? We can easily observe that the malware attempts to trick users into divulging their administrator password via a fake system prompt, generated with AppleScript code.

AtomicStealer’s first variant attempts to trick users into giving up their admin password via a fake system dialog box.

If users type their password into this dialog box, it is then logged insecurely on the system—in plain text.
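The fake prompt described above is a scripted dialog with a password-style text field, which is something a process-execution log can be screened for. The following is an added example, not code from Intego or from the malware, and it assumes two things the article does not state: a constructed record format (`pid=… ppid=… user=… cmd=…`) and that the prompt is drawn with AppleScript's `display dialog … with hidden answer` option.

```python
import re
import shlex
from os.path import basename

# Constructed sample of process-execution records (not real telemetry).
# Assumed record format: "pid=<n> ppid=<n> user=<name> cmd=<argv as a shell string>".
SAMPLE_EXECS = [
    "pid=501 ppid=1 user=alice cmd=/usr/bin/osascript -e 'display dialog "
    '"macOS needs to access System Settings" default answer "" with icon caution '
    'buttons {"Continue"} default button "Continue" with hidden answer\'',
    "pid=502 ppid=410 user=alice cmd=/usr/bin/osascript /tmp/.setup.scpt",
    "pid=503 ppid=1 user=alice cmd=/usr/bin/osascript -e "
    "'display dialog \"Are you sure?\" buttons {\"OK\"} default button \"OK\"'",
    "pid=504 ppid=1 user=alice cmd=/usr/bin/open -a Safari",
]

RECORD_RE = re.compile(r"^pid=(\d+) ppid=(\d+) user=(\S+) cmd=(.*)$")
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"with\s+hidden\s+answer", re.I)  # password-style text field

def inline_scripts(argv):
    """Split an osascript argv into (-e snippets, script file paths)."""
    snippets, files, i = [], [], 1
    while i < len(argv):
        arg, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else "")
        if arg == "-e":
            snippets.append(nxt)
        elif not arg.startswith("-"):
            files.append(arg)
        i += 2 if arg in ("-e", "-l", "-s") else 1  # -e/-l/-s consume a value
    return snippets, files

def find_fake_password_prompts(records):
    """Flag osascript runs that draw a dialog with a hidden answer field."""
    findings = []
    for line in records:
        m = RECORD_RE.match(line)
        argv = shlex.split(m[4]) if m else []
        if not argv or basename(argv[0]) != "osascript":
            continue
        snippets, files = inline_scripts(argv)
        script = "\n".join(snippets)
        if DIALOG_RE.search(script) and HIDDEN_RE.search(script):
            findings.append((int(m[1]), m[3], "high", "dialog with hidden (password-style) answer"))
        elif files:
            # The script text is not in the command line, so it must be read from disk.
            findings.append((int(m[1]), m[3], "low", f"script file {files} ran; inspect it"))
    return findings
```

A legitimate admin tool can also draw such a dialog, so a high finding is a lead to examine the parent process and the script's origin, not a verdict on its own.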

According to the seller, the malware can do a number of other things, but the primary goal appears to be exfiltration of valuable digital assets.

The malware will supposedly try to export all passwords from the Keychain, steal saved passwords and stay-logged-in session cookies from all popular browsers, and steal cryptocurrency from more than 50 varieties of wallets.

After obtaining a victim’s passwords and session cookies, an attacker may be able to pivot to breaking into other accounts belonging to the victim. As we mentioned recently in our coverage of MacStealer malware, stealing stay-logged-in cookies often allows attackers to bypass two-factor authentication.

How can one remove or prevent AtomicStealer and other Mac malware?


Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX/Downloader.go, or variations of virus/OSX/Agent.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

Who created the AtomicStealer malware framework?

The first researcher to write about AtomicStealer’s initial variant noted something interesting: evidently, the username on the developer’s computer was iluhaboltov. Although this does not provide definitive evidence of the malware author’s name, it’s noteworthy that the developer began using an account with the generic username administrator for subsequent variants of AtomicStealer.

Boltov is a surname that is most common in Russia and Ukraine; it means “bolts” in Russian.

Iluha isn’t a particularly common given name, but it can be a masculine East Slavic name, a variant of Elijah. Iluha can also mean to weep or to tear up in Filipino or Tagalog. Iluh can be a Balinese name for a first-born female. Luha can be an Islamic feminine name meaning measure or amount.

If the developer truly did reveal their own name, it wouldn’t be the first time that a cybercriminal has made such an opsec failure. In 2019, Intego published a white paper (PDF) about Mac malware attribution in which I wrote about several malware makers who had unintentionally exposed their real names.

AtomicStealer indicators of compromise (IoCs)

The following SHA-256 hashes relate to AtomicStealer malware campaigns:

* First reported by Intego
** First reported by Intego; added 8 May 2023

These command-and-control (C&C) domains and IP address have been used in conjunction with this malware:


Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains or this IP address, which could indicate a possible infection.
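A concrete version of that log check, added here as an example and not taken from Intego's write-up: the indicator sets hold placeholders (`c2-placeholder.example`, `192.0.2.10`) to be replaced with the domains and IP address listed above, and the proxy log lines are constructed. It matches subdomains of an indicator but not look-alike names that merely contain it, a false positive that a plain substring search would produce.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder indicators: substitute the C&C domains and IP address from the IoC list.
C2_DOMAINS = {"c2-placeholder.example"}
C2_IPS = {ipaddress.ip_address("192.0.2.10")}  # TEST-NET-1 documentation address

# Constructed proxy log lines (not real traffic): "<timestamp> <client_ip> <url or host>"
SAMPLE_LOG = """\
2023-05-08T09:12:01Z 10.0.0.21 https://update.c2-placeholder.example/api/gate
2023-05-08T09:12:05Z 10.0.0.22 https://notc2-placeholder.example/index.html
2023-05-08T09:13:44Z 10.0.0.23 http://192.0.2.10:8080/sendlog
2023-05-08T09:14:10Z 10.0.0.21 https://www.apple.com/
2023-05-08T09:15:00Z 10.0.0.24 192.0.2.100
""".splitlines()

def host_of(field):
    """Return the lower-cased host (name or IP) from a URL or a bare host[:port]."""
    parts = urlsplit(field if "://" in field else "//" + field)
    return (parts.hostname or "").lower()

def matches_domain(host, indicator):
    """Exact match or subdomain; a plain substring test would also hit notc2-..."""
    return host == indicator or host.endswith("." + indicator)

def find_c2_contacts(lines):
    """Return (timestamp, client, host, matched_indicator) for each hit."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        ts, client, target = fields
        host = host_of(target)
        try:
            if ipaddress.ip_address(host) in C2_IPS:
                hits.append((ts, client, host, host))
            continue                      # an IP literal is never a domain match
        except ValueError:
            pass                          # not an IP: compare against domain IoCs
        for indicator in C2_DOMAINS:
            if matches_domain(host, indicator):
                hits.append((ts, client, host, indicator))
    return hits
```

Each hit names the internal client that made the request, which is the machine to isolate and examine first.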

Is AtomicStealer known by any other names?

Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:

A Variant Of OSX/PSW.Agent.J, Backdoor (0040f37c1), DMG/MAC/Agent.C, Gen:Variant.Trojan.MAC.Stealer.3, HEUR:Trojan-PSW.OSX.Amos.a, HEUR:Trojan-PSW.OSX.Amos.gen, IOS/Agent.T, Mac.Stealer.5, MacOS:Agent-YR [Trj], MacOS:AMOS-A [Trj], MacOS/Agent.T, Malware.OSX/Agent.aastz [or apvnq, bikjo, dplus, fqgok, hefho, hpdme, igrcu, jdnso, jinac, kgzuf, mewoo, miqkw, nqwim, nyoag, ownpu, pvour, snanh, tkpml, uzzyb, wojiq, xvddr, xveph, ylarv, ylask, zaxaz], Osx.Trojan-QQPass.QQRob.Azlw [or Eflw, Gajl, Itgl, Kflw, Qgil], OSX.Trojan.Agent.240XS0 [or Azlw, B01BNO, Bujl, Cgow, Ctgl, Dtgl, Gajl, Gjgl, Hkjl, Itgl, Jkjl, Ljgl, Lqil, Msmw, Ojgl, ORDPIH, Pqil, Psmw, Qcnw, Twhl, VZCCLC], OSX.Trojan.Gen, OSX.Trojan.Gen.2, OSX/Agent.2308!tr [or aastz, apvnq, bikjo, dplus, fqgok, hefho, hpdme, igrcu, J!tr.pws, jdnso, jinac, kgzuf, mewoo, miqkw, nqwim, nyoag, ownpu, pvour, snanh, tkpml, uzzyb, wojiq, xvddr, xveph, ylarv, ylask, zaxaz], OSX/InfoStl-CP, OSX/MacStealer.d, OSX/PSW.Agent.J, Other:Malware-gen [Trj], TROJ_FRS.0NA104DT23, Trojan-Spy.MAC.Atomic, Trojan:MacOS/Amos!MTB, Trojan:MacOS/Amos.A!MTB, Trojan:MacOS/AtomicSteal.A, Trojan:MacOS/Multiverze, Trojan:Win32/Vigorf.A, Trojan.MAC.Generic.112364 [or 112365, 112381, 112636, 112639, D1B6EC, D1B6FD, D1B7FC], Trojan.MacOS.S.Stealer.54058210, Trojan.MacOS.S.Stealer.54058274.A, Trojan.OSX.Agent, Trojan.OSX.Amos.4!c, Trojan.OSX.Generic.4!c, Trojan.Trojan.MAC.Stealer.3, Trojan/OSX.Agent.47995673 [or 54058210, 54058274], TrojanPSW:MacOS/MacStealer.da728306, UDS:DangerousObject.Multi.Generic, UDS:Trojan-PSW.OSX.Amos.gen

How can I learn more?

For additional technical details about this malware, see PhD. Phuc’s tweet thread that first brought it to light, Cyble’s technical write-up, and Phil Stokes’ technical write-up of another variant.

We also acknowledge MalwareHunterTeam and dustyfresh for their tweets with additional observations, which correlated with some of Intego’s research team’s findings.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes. You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles and follow him on X/Twitter, LinkedIn, and Mastodon.