{"id":2686,"date":"2025-09-06T06:51:40","date_gmt":"2025-09-06T06:51:40","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/06\/macos-stealer-campaign-uses-cracked-app-lures-to-bypass-apple-security\/"},"modified":"2025-09-06T06:51:40","modified_gmt":"2025-09-06T06:51:40","slug":"macos-stealer-campaign-uses-cracked-app-lures-to-bypass-apple-security","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/06\/macos-stealer-campaign-uses-cracked-app-lures-to-bypass-apple-security\/","title":{"rendered":"macOS Stealer Campaign Uses \u201cCracked\u201d App Lures to Bypass Apple Security"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/32483240-27a8-4f36-ac60-9d465c05a5d5.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of James Coker\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-6cb0a6ee-3d5c-4774-a2ae-1e5602f2b7b0\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new Atomic macOS Stealer (AMOS) campaign is targeting macOS users by disguising the malware as \u201ccracked\u201d versions of legitimate apps, Trend Micro researchers have warned.<\/p>\n<p>The campaign is designed to help cybercriminals overcome recent Apple security improvements, representing \u201csignificant tactical adaptation,\u201d the researchers found.<\/p>\n<p>\u201cWhile macOS Sequoia&#8217;s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,\u201d they noted.<\/p>\n<p>Victims are lured into installing the infostealer via social engineering techniques &#8211; either by downloading a malicious .dmg installer masquerading as a cracked app, or by being asked to copy and paste commands into the macOS Terminal, a lure resembling the fake CAPTCHA technique.<\/p>\n<p>Once installed, AMOS establishes persistence before stealing sensitive data from the victim\u2019s system. This includes credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes and files from common folders.<\/p>\n<h2><strong>AMOS\u2019 Infection Chain and Delivery<\/strong><\/h2>\n<p>The Trend Micro report, published on September 4, observed that the attackers attempt to gain initial access to systems through cracked software downloads.<\/p>\n<p>Affected users visited the website haxmac[.]cc several times. This domain hosts several cracked software programs for macOS.<\/p>\n<\/div>\n<figure id=\"layout-544ccf7c-948a-41d1-9402-479956feed4a\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/localimages\/767c2bc2-d43f-4040-a215-ef87f7e3fc76.png\" alt=\"haxmac[.]cc website, which hosts \u201ccracked\u201d software for macOS. Source: Trend Micro\"><figcaption>haxmac[.]cc website, which hosts \u201ccracked\u201d software for macOS. Source: Trend Micro<\/figcaption><\/figure>\n<div id=\"layout-19bb512d-f911-4074-96e1-1e2425fee967\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>In the cases analyzed, the users specifically searched for and downloaded \u201cCleanMyMac\u201d on their machines. 
This is a legitimate program that can be downloaded from the Mac App Store.<\/p>\n<p>\u201cHowever, downloading the program from an untrusted source, as seen in these cases, puts the machine and the organization at risk because these cracked programs might be bundled with malware or trojanized by threat actors,\u201d the researchers noted.<\/p>\n<p>After downloading the cracked software, victims are redirected to AMOS\u2019 landing page, which prompts them to click \u201cDownload for MacOS\u201d or instructs them to copy and paste malicious commands into the macOS Terminal.<\/p>\n<p>This page appears to perform OS fingerprinting, determining whether the visitor is using Windows or macOS before redirecting them to the corresponding payload page.<\/p>\n<p>A number of different domains were observed acting as redirectors, and the redirect destination changes with each visit to help evade detection. The instructions on the pages, however, remain identical.<\/p>\n<p>Additionally, the threat actor uses frequent domain and URL rotation for their download commands, likely to evade static URL-based detections and takedowns.<\/p>\n<p>\u201cAs a result, the domains and URLs are expected to change over time,\u201d the researchers said.<\/p>\n<p>Both of these paths lead to the execution of a malicious installation script, which downloads an AppleScript file named \u201cupdate\u201d to the temp directory.<\/p>\n<p>A \u2018com.finder.helper.plist\u2019 file configures a macOS LaunchDaemon to continuously run the \u2018.agent\u2019 script, which runs in an infinite loop to detect the logged-in user and execute the hidden binary.<\/p>\n<p>The binary file establishes persistence by retrieving the username of the currently logged-in user, excluding root.<\/p>\n<p>Once the script is executed, it copies sensitive data from the compromised system.<\/p>\n<p>The researchers said that the type of information stolen by AMOS poses significant downstream risks for businesses as well as the individuals targeted. These include credential stuffing, financial theft and further intrusions into enterprise systems.<\/p>\n<p>The researchers urged organizations to deploy defense-in-depth strategies that don\u2019t rely solely on built-in operating system protections to defend against the tactics used in this campaign.<\/p>\n<p><em>Image credit:\u00a0IgorGolovniov \/ Shutterstock.com<\/em><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new Atomic macOS Stealer (AMOS) campaign is targeting macOS users by disguising the malware as \u201ccracked\u201d versions of legitimate apps, Trend Micro researchers have warned. The campaign is designed to help cybercriminals overcome recent Apple security improvements, representing \u201csignificant tactical adaptation,\u201d the researchers found. 
\u201cWhile macOS Sequoia&#8217;s enhanced Gatekeeper protections successfully blocked traditional .dmg-based<\/p>\n","protected":false},"author":2,"featured_media":2687,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2686","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0"}