Intego discovers new Atomic Stealer (AMOS) Mac malware variants


In May 2023 and September 2023, and again in February 2024, we wrote about earlier variants of the Atomic Stealer Mac malware family. This malware—also known as Atomic macOS Stealer or AMOS for short—is designed to exfiltrate sensitive data from infected Macs. Such data typically includes saved passwords, cookies, autofill text, and cryptocurrency wallets.

AMOS is distributed in the form of Trojan horses, often masquerading as supposedly pirated or “cracked” versions of apps. In recent months, AMOS Trojan horses have more often posed as the legitimate apps themselves rather than as cracked copies; they employ elaborate campaigns, leveraging malicious Google Ads that link to lookalike homepages with Trojan downloads.

Over the past two weeks, Intego has been tracking several new variants of Atomic Stealer. Here’s everything you need to know about them and how to stay protected.


Mimicry of File Juicer, Debit & Credit, Parallel NFT game, and Notion

The latest variants of AMOS masquerade as several different apps, all distributed through DMG disk images.

Fake “File Juicer” and “Debit & Credit” app installers

At least two disk images, when mounted, include a single app called “AppleApp” with an icon that implies that it’s an installer.

One fake-installer variant launches a Trojanized version of File Juicer, an app for extracting embedded files from various document formats. The real app costs $19.

A second fake-installer variant launches a Trojanized version of Debit & Credit, a personal finance app that’s normally only available through the Mac App Store. The real app is a free download, but a “premium version” is available via a $19.99 in-app purchase.

Fake “Parallel” NFT TCG game

Another disk image, when mounted, includes a single app called “WorldParallel.” With a little investigation, we discovered that this Trojan mimics a Windows-only, NFT-based digital trading card game called Parallel, which its developer describes as “a Sci-Fi world and Card Game.”

It isn’t surprising to see malware disguise itself as something related to non-fungible tokens (NFTs), blockchains, or cryptocurrency; fake crypto wallet apps are another common Trojan horse. We’ve even observed stealer malware that was distributed through elaborate video-game marketing campaigns.

This is because a primary goal of stealer malware is typically to attempt to exfiltrate digital wallets, which may contain valuable assets such as cryptocurrencies or rare digital artwork.

Fake “Notion” app

And last but not least, we’d be remiss if we didn’t mention that, once again, some AMOS samples mimicked the Notion productivity software.

We mentioned in February that AMOS had been spreading via malicious Google Ads that mimicked real Notion software ads.

Source of these new AMOS infections

Although we have not definitively confirmed the original source of these infections, it’s likely that the team behind AMOS is up to its usual tricks, including Google Ads poisoning. Threat actors often pay Google for top placement, with sponsored ads disguised as real ads for legitimate software. These ads appear immediately above the actual search results; if you aren’t careful, you could inadvertently visit a malware distribution site instead of landing on the real software developer’s site.

We recommend that consumers get out of the habit of “just Google it” to find legitimate sites. Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.

Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible, and to go back to those bookmarks in the future.

Malware embedded within malware

One interesting observation from Intego’s malware analysis lab is that many of the initial stage (dropper) apps contain the secondary payload embedded within them.

In some cases, the embedded payload was unobfuscated (i.e., plainly visible). In other cases, the embedded payload was Base64-encoded, a weak attempt to hide the payload from antivirus software.

“Droppers” are initial-stage malware samples designed to obtain and install additional malware. Typically, droppers connect to malicious or hacked sites to obtain their next-stage payloads. Embedding payloads within the dropper itself can sometimes allow malware campaigns to succeed for a bit longer. This is because sites that host malware may be taken offline quickly, or disinfected and patched as soon as the site owner becomes aware of the infection. In the case of a newly registered malicious domain, the registrar may retake control of the domain, take it offline, and revoke the purchaser’s access.
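A defender-side way to check a suspicious file for the kind of embedding described above, as an added example that is not code from Intego or from the AMOS samples: the script below scans a file for Mach-O headers that sit somewhere other than offset 0 (a secondary binary stored in the clear) and for long Base64 runs that decode to bytes containing a Mach-O header. The bytes it scans by default are constructed for the demonstration; the magic values are the documented Mach-O and universal-binary constants. Note that 0xcafebabe is also the Java class-file magic, so a FAT hit should be confirmed by hand.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Mach-O magic values as they appear on disk. MH_MAGIC_64 (0xfeedfacf) is written
# little-endian on Intel and Apple silicon, so a 64-bit binary starts with cf fa ed fe.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "MH_MAGIC (32-bit, big-endian layout)",
    b"\xce\xfa\xed\xfe": "MH_CIGAM (32-bit, little-endian layout)",
    b"\xfe\xed\xfa\xcf": "MH_MAGIC_64 (64-bit, big-endian layout)",
    b"\xcf\xfa\xed\xfe": "MH_CIGAM_64 (64-bit, little-endian layout)",
    b"\xca\xfe\xba\xbe": "FAT_MAGIC (universal binary; also Java class files)",
}

# A Base64 run long enough to plausibly carry a binary (64 chars is about 48 bytes).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_plain_macho(data: bytes, skip_offset_zero: bool = True) -> List[Tuple[int, str]]:
    """Return (offset, description) for every Mach-O magic found in data.

    Offset 0 is skipped by default because the dropper being scanned is usually
    itself a Mach-O; an embedded payload shows up at a later offset.
    """
    hits = []
    for magic, name in MACHO_MAGICS.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            if not (idx == 0 and skip_offset_zero):
                hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def _decode_b64_prefix(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run, tolerating a truncated tail by trimming to 4-char groups."""
    body = run.rstrip(b"=")
    body = body[: len(body) - len(body) % 4]
    if len(body) < 64:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None


def find_base64_macho(data: bytes) -> List[Tuple[int, int, int, str]]:
    """Return (text offset, run length, offset inside the decoded bytes, description)
    for every Base64 run whose decoded form contains a Mach-O magic."""
    hits = []
    for m in B64_RUN.finditer(data):
        decoded = _decode_b64_prefix(m.group(0))
        if decoded is None:
            continue
        for magic, name in MACHO_MAGICS.items():
            idx = decoded.find(magic)
            if idx >= 0:
                hits.append((m.start(), len(m.group(0)), idx, name))
    return hits


def scan_for_embedded_macho(data: bytes) -> Dict[str, list]:
    return {"plain": find_plain_macho(data), "base64": find_base64_macho(data)}


def build_sample() -> bytes:
    """Constructed stand-in for a dropper (not a real sample): a fake outer Mach-O
    header followed by the same payload once in the clear and once Base64-encoded."""
    payload = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + bytes(range(100))
    outer = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    return outer + b"CONFIG:" + payload + b"\nPAYLOAD=" + base64.b64encode(payload) + b"\n"


if __name__ == "__main__":
    import sys

    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan_for_embedded_macho(blob)
    for offset, name in result["plain"]:
        print(f"plain Mach-O header at offset {offset}: {name}")
    for offset, length, inner, name in result["base64"]:
        print(f"Base64 run at offset {offset} ({length} chars) decodes to {name} at +{inner}")
```

Run it against a file to scan that file; without an argument it scans the constructed sample and reports one plain hit and one Base64 hit. A hit is a reason to look closer, not proof of malice: legitimate installers also bundle binaries, so follow up by carving the embedded object out and checking its code signature and hash.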

How can I keep my Mac safe from AMOS and other malware?

If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/Amos.ext, virus/OSX/AVI.AMOS.jlei, virus/OSX/AVI.AMOS.lydw, virus/OSX/AVI.AMOS.mlhs, and similar names.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

Indicators of compromise (IOCs)

As is typical, some of the Atomic Stealer samples we encountered have a very low detection rate on the multi-engine, single-file scanning site VirusTotal. For several samples, only 5–8 out of 60+ antivirus engines appear to detect them. At least three samples (two Mach-O binaries and one DMG disk image) were completely undetected when first uploaded to VirusTotal.

Following are SHA-256 hashes of malware samples related to these new AMOS malware campaigns:


The following domains have recently been used in connection with these AMOS samples:


Network administrators can check logs to try to identify whether any computers may have attempted to contact one of these domains recently, which could indicate a possible infection.
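As an added example of the log check suggested above (not code from the article or from Intego's tooling), the script below matches the queried names in BIND-style DNS query-log lines against a list of IOC domains. The domain list and the log lines are constructed placeholders, because the article's domain list did not survive into this copy; substitute the real domains before use. Matching is done on label boundaries, so subdomains of an IOC domain count but look-alike names that merely end in the same characters do not.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Placeholder IOC domains (constructed). Replace with the domains from the IOC section.
IOC_DOMAINS = {
    "amos-placeholder-1.example",
    "amos-placeholder-2.example",
}

# BIND-style query log line:
# "<date> <time> client [@0x...] <ip>#<port> (<qname>): query: <name> IN <type> ..."
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample lines; none of these hosts or domains are real.
SAMPLE_LOG_LINES = [
    "10-Apr-2024 09:15:01.001 client @0x7f1 10.0.0.21#51234 (www.apple.com): query: www.apple.com IN A + (10.0.0.1)",
    "10-Apr-2024 09:15:07.442 client @0x7f2 10.0.0.34#49211 (cdn.amos-placeholder-1.example): query: cdn.amos-placeholder-1.example IN A + (10.0.0.1)",
    "10-Apr-2024 09:16:30.118 client @0x7f3 10.0.0.34#49212 (notamos-placeholder-1.example): query: notamos-placeholder-1.example IN A + (10.0.0.1)",
    "10-Apr-2024 09:17:55.900 client @0x7f4 10.0.0.57#60001 (AMOS-PLACEHOLDER-2.example.): query: AMOS-PLACEHOLDER-2.example. IN AAAA + (10.0.0.1)",
    "garbage line that does not parse",
]


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often include."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that name equals or is a subdomain of, else None.

    The suffix check requires a dot before the IOC domain, so
    'notamos-placeholder-1.example' does not match 'amos-placeholder-1.example'.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def find_ioc_contacts(lines: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[Dict[str, str]]:
    """Parse each log line and keep those whose queried name matches an IOC domain."""
    hits = []
    for line in lines:
        m = QUERY_LOG_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # unparseable lines are skipped, never counted as matches
        ioc = matches_ioc(m.group("name"), iocs)
        if ioc:
            hits.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "name": normalize_name(m.group("name")),
                "qtype": m.group("qtype"),
                "ioc": ioc,
            })
    return hits


def summarize_by_host(hits: Iterable[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group matched IOC domains by the client IP that queried them."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["ip"]].add(h["ioc"])
    return dict(by_host)


if __name__ == "__main__":
    import sys

    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    hits = find_ioc_contacts(lines)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} queried {h["name"]} ({h["qtype"]}) -> IOC {h["ioc"]}')
    for ip, iocs in summarize_by_host(hits).items():
        print(f"{ip}: {', '.join(sorted(iocs))}")
```

A DNS query for one of the domains shows that a client resolved the name, which is the first step of a connection but not the connection itself; correlate the client IP and timestamp with proxy or firewall logs before treating the host as infected.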

How can I learn more?

Be sure to also check out our 2024 Apple malware forecast and our previous Mac malware articles from 2024 and earlier.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon.