Atomic macOS Stealer (AMOS), a notorious malware, is employing new methods to infiltrate systems. Previously spread through pirated software, AMOS is now embedded in harmful OpenClaw skills. These skills, which enhance AI agent capabilities, are being exploited to distribute the malware.
Transition in AMOS Distribution Methods
AMOS is designed as a malware-as-a-service (MaaS) tool, targeting Apple users to extract sensitive information. This includes credentials, browser data, cryptocurrency wallet information, Telegram chats, VPN profiles, Apple keychain items, and files from common directories like Desktop and Documents.
Trend Micro researchers discovered a variant of AMOS concealed within OpenClaw skills, tracing its presence across various repositories. Malicious actors uploaded 39 harmful skills to platforms like ClawHub and GitHub, with over 2,200 found on GitHub alone. This marks a significant shift in AMOS’s distribution strategy, now focusing on supply chain attacks within AI agent environments.
Mechanics of the Attack
The attack initiates with a seemingly benign SKILL.md file, instructing the AI agent to download a fraudulent prerequisite, “OpenClawCLI,” from a malicious site. Less vigilant models, such as GPT-4o, may install it silently or persistently prompt the user to proceed with the manual installation.
More advanced models like Claude Opus 4.5 can identify the skill’s malicious intent and halt further action. If the user or AI agent proceeds, a Base64-encoded command is executed, installing a Mach-O universal binary that operates on both Intel and Apple Silicon Macs. A deceptive password prompt then appears, coaxing users into providing their system password, thereby granting the malware necessary access.
Implications and Recommendations
Upon acquiring the password, AMOS rapidly collects data including system credentials, files from critical folders, Apple keychains, and browser-stored cookies, passwords, and credit card data. It can also compromise information from 150 cryptocurrency wallets.
Collected data is bundled into a ZIP file and transmitted to a command-and-control server at socifiapp[.]com. Users should verify the source of any OpenClaw skill, refrain from entering passwords into unfamiliar prompts, test skills in isolated environments, and employ containers to restrict AI agent operations.
Conclusion
This evolving threat underscores the importance of vigilance and robust cybersecurity practices. As AMOS continues to adapt its methods, staying informed and cautious is crucial for safeguarding sensitive information.
