Atomic macOS Stealer now includes a backdoor for persistent access
ID: 2005a49e-6360-5dc5-8347-c14e3a252566
STIX ID: report--2005a49e-6360-5dc5-8347-c14e3a252566
Feed Name: infostealers.com
Moonlock Lab reports that the Atomic macOS Stealer (AMOS), a widely distributed macOS stealer active in over 120 countries, has been updated to include an embedded backdoor that enables persistent, remote, user-level access and the execution of C2-assigned tasks. The report details delivery via trojanized DMGs and spear-phishing; the installation and persistence mechanisms (LaunchDaemon, .agent/.helper); the C2 APIs and commands; and observable IOCs (multiple 45.94.47.* IPs, URLs, and SHA256s). It warns that this evolution significantly increases the risk to macOS users by converting one-time data theft into long-term compromise.
