logo

Amos Stealer Targets macOS Keychain Files and Browser Passwords

ID: 025c70d4-bf2c-59a7-ab3d-5afe7373eadf

STIX ID: report--025c70d4-bf2c-59a7-ab3d-5afe7373eadf

Feed Name: HackRead

Threat Score
72/100

Date Published: 2026-06-16

Date Updated: 2026-06-17

Author: Deeba Ahmed

...
...

Amos Stealer is an active macOS-focused infostealer distributed via deceptive downloads and social engineering; it silently uses native utilities (curl -fsSL, AppleScript, ditto, OpenSSL) to collect Keychain data, browser credentials and developer files, compress and chunk the data, then exfiltrate via HTTP PUT to an attacker-controlled domain (bestbuydomain.com) with retry and cleanup behavior. CyberProof recommends enforcing Gatekeeper policies and monitoring for unusual curl commands to detect and block the campaign.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.