Atomic Stealer

Malware Profile Updated 12 days ago
Atomic Stealer (also tracked as AMOS) is an information stealer that targets macOS. It is typically delivered through malvertising, fake software downloads and compromised websites, and once run it harvests keychain passwords, browser data, cryptocurrency wallet information and personal files from the victim's machine.

A newer version of the malware has been distributed through a malvertising campaign aimed specifically at macOS users. The lure is a seemingly innocuous installer that asks the user for their password in a system-style prompt; the stealer then uses that password to read keychain passwords and other important files.

As of June 27, 2024, a competitor to Atomic Stealer has emerged with a new campaign to attract victims. The threat actor behind it, known as Rodrigo4 on the XSS underground forum, is developing a stealer (advertised as Poseidon) whose features and code base closely resemble Atomic Stealer; the macOS stealer dropped in this campaign is under active development and shares a large part of its predecessor's code.

Notably, "Microsoft Teams" has become a popular keyword that threat actors bid on for these ads, and this campaign marks the first time the Teams lure has been used to deliver Atomic Stealer. To counter these threats, Insikt Group recommends using intelligence and monitoring platforms that scan for the malicious domains and IP addresses associated with Atomic Stealer and other macOS malware. Staying vigilant about unsolicited installer prompts and applying such preventive measures helps users protect themselves from this class of attack.
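The password-prompt-then-credential-read sequence described above is something an endpoint team can look for directly. The Python script below is an added example written for this page; it is not code from Atomic Stealer, Insikt Group, Malwarebytes or any of the cited reports. It assumes process-execution and file-open telemetry in a simple JSON-lines form (the field names, the sample events, the dialog text and the list of credential-store paths are all constructed here for illustration). It flags every osascript "display dialog ... with hidden answer" invocation and raises the severity to high when the dialog's parent process, or a sibling it spawned, reads the login keychain or a browser credential store within five minutes of the prompt.

```python
import json
import re
from datetime import datetime, timedelta

# osascript invoked with a dialog that has a hidden (password-style) answer field.
PROMPT_RE = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)

# Credential stores a stealer reads once it has the user's password. Assumed list
# for this example, matched as substrings so any home directory works.
SENSITIVE_PATHS = (
    "/Library/Keychains/login.keychain-db",
    "/Library/Application Support/Google/Chrome/Default/Login Data",
    "/Library/Application Support/Google/Chrome/Default/Cookies",
    "/Library/Application Support/Firefox/Profiles/",
    "/Library/Cookies/Cookies.binarycookies",
)
WINDOW = timedelta(minutes=5)  # how long after the prompt a credential read still counts

# Constructed telemetry, one JSON object per line (not captured from a real host).
SAMPLE_EVENTS = r'''
{"ts": "2024-07-01T12:00:00", "type": "exec", "pid": 501, "ppid": 1, "exe": "/Applications/Safari.app/Contents/MacOS/Safari", "cmdline": "Safari"}
{"ts": "2024-07-01T12:01:00", "type": "exec", "pid": 610, "ppid": 1, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "cmdline": "Installer"}
{"ts": "2024-07-01T12:01:05", "type": "exec", "pid": 611, "ppid": 610, "exe": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \"Installer needs your password to continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" with hidden answer'"}
{"ts": "2024-07-01T12:01:30", "type": "file_open", "pid": 610, "ppid": 1, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "path": "/Users/alice/Library/Keychains/login.keychain-db"}
{"ts": "2024-07-01T12:01:31", "type": "file_open", "pid": 610, "ppid": 1, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
{"ts": "2024-07-01T12:10:00", "type": "exec", "pid": 700, "ppid": 1, "exe": "/usr/bin/osascript", "cmdline": "osascript /usr/local/bin/it-helper.scpt"}
{"ts": "2024-07-01T12:15:00", "type": "exec", "pid": 710, "ppid": 1, "exe": "/Library/Management/Agent", "cmdline": "Agent"}
{"ts": "2024-07-01T12:15:01", "type": "exec", "pid": 711, "ppid": 710, "exe": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \"Enter your password to remount the share\" default answer \"\" with hidden answer'"}
{"ts": "2024-07-01T12:20:00", "type": "file_open", "pid": 90, "ppid": 1, "exe": "/usr/sbin/securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"}
'''


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_sensitive(path):
    """True when the path is one of the credential stores listed above."""
    return any(marker in path for marker in SENSITIVE_PATHS)


def detect(events):
    """Return one finding per hidden-answer osascript dialog, rated 'high' when the
    dialog's parent process tree reads a credential store within WINDOW."""
    execs = {e["pid"]: e for e in events if e["type"] == "exec"}
    findings = []
    for ev in events:
        if ev["type"] != "exec" or not ev["exe"].endswith("/osascript"):
            continue
        if not PROMPT_RE.search(ev.get("cmdline", "")):
            continue
        parent_pid = ev["ppid"]
        # The parent plus everything it spawned: the stealer usually reads the files
        # itself, but a helper child process would be caught too.
        tree = {parent_pid} | {
            e["pid"] for e in events if e["type"] == "exec" and e["ppid"] == parent_pid
        }
        reads = sorted(
            e["path"] for e in events
            if e["type"] == "file_open"
            and e["pid"] in tree
            and ev["ts"] <= e["ts"] <= ev["ts"] + WINDOW
            and is_sensitive(e["path"])
        )
        parent = execs.get(parent_pid)
        findings.append({
            "prompt_ts": ev["ts"].isoformat(),
            "parent_pid": parent_pid,
            "parent_exe": parent["exe"] if parent else None,
            "dialog": ev["cmdline"],
            "sensitive_reads": reads,
            "severity": "high" if reads else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

On the constructed sample the installer's prompt is rated high because the same process reads login.keychain-db and Chrome's Login Data half a minute later, while the management agent's prompt stays at medium: legitimate admin scripts do raise password dialogs, so the prompt alone is only a lead and the correlated credential read is what makes it actionable. The read by securityd is ignored because it is not in the prompting process tree. The same logic maps onto EDR process and file events once the field names are adjusted.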
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Amos (4): AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware can infect bot
Clearfake (2): ClearFake is a malicious software that has been identified as a fake browser update activity cluster, compromising legitimate websites with harmful HTML and JavaScript. The malware was first observed by Proofpoint in early April, employing a cut-and-paste technique for its delivery. ClearFake's camp
Stealc (1): Stealc is an information stealer that targets browser data, browser extensions and password-manager and authenticator extensions; it has grown in popularity on the dark web since its discovery in early 2023. It has been associated with significant cyber-attacks, such as the $7 million heist on the Solana bl
Rhadamanthys (1): Rhadamanthys is an information stealer that has been leveraged by the threat actor group TA547 to target German organizations. The malware, which infiltrates systems through suspicious downloads, emails, or websites, steals credentials and other personal information from the infected host.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Macos
Windows
Malvertising
Payload
Safari
Chrome
Telegram
Antivirus
Firefox
Scam
Wordpress
At
Malwarebytes
Maas
Encryption
Domains
Phishing
Linux
Microsoft
Apple
Google
Sentinelone
Malware Loader
XSS (Cross S...
Keychain
Associated Malware
ID (type, votes): Profile Description
MacStealer (unspecified, 1): MacStealer is a malicious software (malware) first observed in March 2023, specifically designed to target macOS devices from Catalina (macOS 10.15) to Ventura (macOS 13), on both Intel and Apple silicon (M1 and M2) machines. The malware uses the native macOS osascript utility to mimic a legitimate syst
ShadowVault (unspecified, 1): ShadowVault, a new malware specifically targeting macOS devices, has been recently identified by Guardz Cyber Intelligence Research (CIR). Discovered in June 2023 and prominently advertised on Russian-language cybercriminal forums for $500 per month, ShadowVault is capable of stealing sensitive info
NetSupport RAT (unspecified, 1): NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
AMOS Stealer (unspecified, 1): AMOS Stealer is a type of malware that has been causing significant concern due to its adaptability and ability to leverage legitimate services for malicious purposes. This new variant of the AMOS Stealer bears a high degree of similarity to the 2nd variant of RustDoor, particularly in its use of Ap
EugenLoader (unspecified, 1): EugenLoader, also known as FakeBat, is a form of malware that was detected by Microsoft in mid-November 2023. It was distributed by an initial access broker known as Storm-1113 through search advertisements mimicking the Zoom app, with the malware delivered via bogus MSIX installers masquerading as
FakeBat (unspecified, 1): FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Associated Threat Actors
ID (type, votes): Profile Description
ELECTRUM (unspecified, 1): Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
Associated Vulnerabilities
ID (type, votes): Profile Description
Variant of RustDoor (unspecified, 1): no description available
CVE-2023-20269 (unspecified, 1): CVE-2023-20269 is a zero-day vulnerability found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw in software design or implementation has been actively exploited by ransomware groups to gain initial access to corporate networks. The exploitation of
CVE-2023-34039 (unspecified, 1): CVE-2023-34039 is a critical vulnerability identified in VMware's Aria Operations for Networks, a software analysis tool. This flaw, rated 9.8 (critical) on the Common Vulnerability Scoring System (CVSS version 3), is an authentication bypass bug caused by a lack of unique cryptographic key generati
Source Document References
Information about the Atomic Stealer malware was read from the documents listed below (this display is limited to 20 results).
Source (created): Title
Securityaffairs (6 days ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (12 days ago): Security Affairs Malware Newsletter - Round 2
Malwarebytes (14 days ago): Fake Microsoft Teams for Mac delivers Atomic Stealer
Securityaffairs (20 days ago): Security Affairs Malware Newsletter - Round 1
Malwarebytes (a month ago): A week in security (June 24 - June 30)
Securityaffairs (a month ago): Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Malwarebytes (a month ago): 'Poseidon' Mac stealer distributed via Google ads
Securityaffairs (a month ago): Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading (a month ago): 'Vortax' Meeting App Builds Elaborate Branding, Spreads Infostealers
Securityaffairs (a month ago): Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (2 months ago): Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
CERT-EU (8 months ago): Mac Systems Under Threat: ClearFake Campaign Deploys Atomic Stealer Malware
CERT-EU (a year ago): Updated Atomic Stealer spread in new Mac malvertising campaign
CERT-EU (8 months ago): Atomic Stealer malware strikes macOS via fake browser updates
CERT-EU (8 months ago): How Fake Chrome, Safari Updates Can Infect Your Mac With AMOS Malware
CERT-EU (8 months ago): ClearFake Campaign Expands to Target Mac Systems with Atomic Stealer
CERT-EU (a year ago): Newer, Better XLoader Signals a Dangerous Shift in macOS Malware
CERT-EU (a year ago): Atomic malware steals Mac passwords, crypto wallets, and more