Why AMOS matters: The macOS malware stealing data at scale
ID: ad09e989-5818-56b1-bcd8-9953f0fd08b9
STIX ID: report--ad09e989-5818-56b1-bcd8-9953f0fd08b9
Feed Name: Sophos Blogs
Sophos MDR investigated an active AMOS (Atomic macOS) infostealer campaign that uses ClickFix-style social engineering to get the victim to run a bootstrap script. The chain then captures and validates the macOS password, deploys a second-stage payload with elevated privileges, performs anti-analysis checks, harvests Keychain and browser credentials (including crypto wallet-related artifacts), archives the data, exfiltrates it to attacker-controlled C2 infrastructure, and maintains persistence via LaunchDaemons. The report includes example IOCs, a MITRE ATT&CK mapping, detection opportunities, and prevention recommendations.
