ioc[.]one - OSINT Cyber Threat Intelligence Database

Atomic Stealer: Dissecting 2024's Most Notorious macOS Infostealer

Tags

cmtmf-attack-pattern:	Command And Scripting Interpreter Obfuscated Files Or Information
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Direct Applescript - T1059.002 Command And Scripting Interpreter - T1623 Credentials - T1589.001 Credentials From Password Stores - T1555 Data From Local System - T1533 Exfiltration Over C2 Channel - T1646 Keychain - T1634.001 Keychain - T1555.001 Keychain - T1579 Malicious File - T1204.002 Malvertising - T1583.008 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Phishing - T1660 Phishing - T1566 Software - T1592.002 Spearphishing Link - T1566.002 Spearphishing Link - T1598.003 Tool - T1588.002 Applescript - T1155 Command-Line Interface - T1059 Data From Local System - T1005 Exfiltration Over Command And Control Channel - T1041 Keychain - T1142 Obfuscated Files Or Information - T1027 Scripting - T1064 Spearphishing Link - T1192 User Execution - T1204 Scripting User Execution

Show in Graph

Common Information

Type	Value
UUID	872b0b50-57b7-4594-845e-68d69bad1cc5
Fingerprint	a4b53954bf3eb20b
Analysis status	DONE
Considered CTI value	2
Text language
Published	April 10, 2025, 1:29 p.m.
Added to db	April 10, 2025, 4:12 p.m.
Last updated	April 17, 2025, 3:23 p.m.
Headline	Atomic Stealer: Dissecting 2024's Most Notorious macOS Infostealer
Title	Atomic Stealer: Dissecting 2024's Most Notorious macOS Infostealer
Detected Hints/Tags/Attributes	86/3/27

Source URLs

	Redirection	Url
Details	Source	https://www.picussecurity.com/resource/blog/atomic-stealer-amos-macos-threat-analysis

URL Provider

Details	Provider	Source level domain
Details	picussecurity.com	www.picussecurity.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	352	✔	Resources-2	https://www.picussecurity.com/resource/rss.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	1	aricl.net
Details	Domain	3	www.provendata.com
Details	Domain	292	www.esentire.com
Details	Domain	170	securityaffairs.com
Details	Domain	31	www.jamf.com
Details	File	2	4.dmg
Details	File	1	kc.db
Details	File	23	login.key
Details	File	10	sysinfo.txt
Details	File	11	cookies.bin
Details	File	5	notestore.sql
Details	File	12	passphrase.json
Details	File	1	info-stealer-malware-macos.html
Details	IPv4	1	193.233.132.188
Details	IPv4	1	46.101.104.172
Details	MITRE ATT&CK Techniques	237	T1566.002
Details	MITRE ATT&CK Techniques	464	T1204.002
Details	MITRE ATT&CK Techniques	18	T1059.002
Details	MITRE ATT&CK Techniques	752	T1027
Details	MITRE ATT&CK Techniques	14	T1555.001
Details	MITRE ATT&CK Techniques	604	T1005
Details	MITRE ATT&CK Techniques	522	T1041
Details	Url	1	https://www.provendata.com/blog/what-is-atomic-stealer-amos/.
Details	Url	1	https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-atomic-stealer.
Details	Url	1	https://securityaffairs.com/161287/malware/info-stealer-malware-macos.html
Details	Url	1	https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/.
Details	Url	1	https://www.jamf.com/blog/infostealers-pose-threat-to-macos/.