When Stealers Converge: New Variant of Atomic Stealer in the Wild
ID: 4e65b132-fa8f-5123-ad57-0184d85092fc
STIX ID: report--4e65b132-fa8f-5123-ad57-0184d85092fc
Feed Name: Bitdefender Labs
Bitdefender researchers uncovered a largely undetected variant of the macOS AMOS (Atomic) Stealer. It is distributed as small DMG droppers that lure the user into opening an unsigned `Crack Installer`; the embedded Mach-O binaries drop a Python script that uses AppleScript and system profiling to collect browser passwords and cookies, crypto-wallet files, the user's `login.keychain-db` and even the local account password. The script packages the stolen data into an in-memory ZIP and exfiltrates it to a hardcoded C2 IP. The report provides technical details, detection names, and extensive IOCs (file hashes for the DMGs, droppers and Python scripts, plus the C2 address) to aid detection and response.
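The chain summarised above (unsigned binary launched from a DMG mount, an interpreter spawned beneath it, reads of credential stores by a process that does not own them, and a connection to a literal IP rather than a resolved hostname) maps directly onto a host-level hunt. The following is an added example and is not Bitdefender's detection logic or anything from the report: it scores process chains from constructed, EDR-style telemetry records (assumed field names `type`, `pid`, `ppid`, `name`, `path`, `signed`, `host`, `port`). The path markers, the reader allow-list, the weights and the threshold are assumptions to tune per fleet, and the address 198.51.100.23 is a documentation-range placeholder, not the report's C2.

```python
"""Score process chains for the DMG -> unsigned installer -> script -> credential
read -> hardcoded-IP exfil pattern. Added example over constructed telemetry;
not the report's own detection logic."""
import ipaddress
from collections import defaultdict

# Substrings (matched case-insensitively) of the stores the summary says are
# collected. Wallet markers are assumptions; extend with the wallets you care about.
SENSITIVE_PATH_MARKERS = (
    "/library/keychains/login.keychain-db",  # macOS login keychain
    "/login data",                           # Chromium password DB
    "/cookies",                              # Chromium "Cookies" / Firefox cookies.sqlite
    "/logins.json",                          # Firefox saved logins
    "/wallets/",                             # assumption: generic wallet data directory
)
# Processes that legitimately read those stores (assumption: tune to the fleet).
ALLOWED_READERS = {"securityd", "Safari", "Google Chrome", "firefox"}
# Interpreters the summary says the dropper hands off to (AppleScript via osascript, Python).
INTERPRETERS = {"python3", "python", "osascript", "sh", "bash", "zsh"}
ALERT_THRESHOLD = 5  # assumption: two weak signals alone should not page anyone


def sensitive_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in SENSITIVE_PATH_MARKERS)


def is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt(events):
    """Return [(root_pid, score, reasons)] for chains scoring >= ALERT_THRESHOLD.

    Assumed telemetry: 'exec' events carry pid/ppid/name/path/signed; 'file_read'
    carries pid/path; 'net_connect' carries pid/host/port, where host is the
    hostname when a DNS lookup preceded the connect and the raw IP otherwise.
    """
    execs = {e["pid"]: e for e in events if e["type"] == "exec"}

    def chain_root(pid):
        # Walk up to the outermost process we saw exec: the installer in the described chain.
        while pid in execs and execs[pid]["ppid"] in execs:
            pid = execs[pid]["ppid"]
        return pid

    score = defaultdict(int)
    reasons = defaultdict(list)
    for e in events:
        pid = e["pid"]
        root = chain_root(pid)
        name = execs.get(pid, {}).get("name", "?")
        if e["type"] == "exec":
            if e["path"].startswith("/Volumes/") and not e["signed"]:
                score[root] += 2
                reasons[root].append(f"unsigned binary launched from DMG mount: {e['path']}")
            if name in INTERPRETERS and root != pid and execs[root]["path"].startswith("/Volumes/"):
                score[root] += 2
                reasons[root].append(f"{name} spawned under a DMG-launched process")
        elif e["type"] == "file_read":
            if sensitive_path(e["path"]) and name not in ALLOWED_READERS:
                score[root] += 3
                reasons[root].append(f"{name} read credential store {e['path']}")
        elif e["type"] == "net_connect":
            if is_literal_ip(e["host"]):  # hardcoded C2: no hostname, no DNS
                score[root] += 2
                reasons[root].append(f"{name} connected to literal IP {e['host']}:{e['port']}")
    return [(pid, score[pid], reasons[pid]) for pid in sorted(score) if score[pid] >= ALERT_THRESHOLD]


# Constructed sample telemetry: one malicious chain (pids 501/502) and one benign
# Chrome session (pid 601) reading its own password store.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 1, "name": "Crack Installer",
     "path": "/Volumes/Crack Installer/Crack Installer", "signed": False},
    {"type": "exec", "pid": 502, "ppid": 501, "name": "python3", "path": "/usr/bin/python3", "signed": True},
    {"type": "file_read", "pid": 502, "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_read", "pid": 502,
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "net_connect", "pid": 502, "host": "198.51.100.23", "port": 80},  # placeholder IP
    {"type": "exec", "pid": 601, "ppid": 1, "name": "Google Chrome",
     "path": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "signed": True},
    {"type": "file_read", "pid": 601,
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "net_connect", "pid": 601, "host": "accounts.google.com", "port": 443},
]

if __name__ == "__main__":
    for root_pid, total, why in hunt(SAMPLE_EVENTS):
        print(f"chain rooted at pid {root_pid}: score {total}")
        for line in why:
            print("  -", line)
```

Only the installer chain crosses the threshold; Chrome reading its own `Login Data` and connecting to a resolved hostname scores nothing. The reader allow-list is the main false-positive control, and an unsigned `/Volumes/` launch on its own deliberately stays below the threshold, since users do run unsigned installers from DMGs.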
