When Stealers Converge: New Variant of Atomic Stealer in the Wild
ID: b691b222-f12b-5573-8fd1-fc6028ecd594
STIX ID: report--b691b222-f12b-5573-8fd1-fc6028ecd594
Feed Name: Bitdefender Labs
Bitdefender documents a new, previously undetected macOS variant of the AMOS (Atomic) Stealer distributed via small DMG files containing FAT Mach-O dropper binaries. The droppers decode and drop an XOR-encoded Python script that combines Python and AppleScript to harvest browser credentials, cookies, crypto wallet data, the login keychain and the local account password (obtained via a fake system update dialog), then packages the data in memory and posts it to a hardcoded C2 endpoint (/p2p). The report supplies file hashes, C2 information, targeted browser-extension IDs and detections, and notes code similarities with a recent RustDoor sample.