Imagine opening your crypto wallet on your Mac, only to find that your seed phrase has been stolen by malware without any notification or warning. Suddenly, your assets disappear, and you don’t even know when or how it happened.
More and more Mac users and crypto investors are becoming targets. Macs have a reputation for being more secure, but recent trends suggest otherwise.
Attackers are actively targeting the Apple ecosystem, and crypto wallets holding high-value assets in particular.
One stealer on the rise that you should be wary of is AMOS. Let’s look at what it does, how it spreads, and how to defend against it.
What is AMOS Malware?
AMOS, short for Atomic macOS Stealer, is an infostealer written for macOS and one of the most dangerous current threats to Mac users, especially those involved in crypto.
It is built specifically for macOS and silently steals sensitive data such as passwords, browser cookies, digital wallet files, and even seed phrases.
It often spreads through fake posts on communities like Reddit, disguised as cracked versions of popular applications like TradingView. These fake installer files serve as bait for crypto investors tempted by free access.
The latest version of AMOS is more dangerous still because it adds a persistent backdoor: a hidden component that lets the attackers remotely control the victim’s device without having to re-infect it.
AMOS also checks whether it is running in an analysis sandbox or a virtual machine and quits if it is. This hampers automated analysis and slows the creation of detection signatures, which is one reason standard antivirus products lag behind new versions.
Currently, this malware has spread to more than 120 countries, primarily targeting crypto communities in the US, UK, France, Italy, and Canada.
The operators are suspected of being affiliated with a Russian hacking group and use techniques comparable to those seen in North Korean campaigns.
AMOS is not just a data thief; it is a long-term infiltration tool aimed directly at your crypto wallet.
Crypto Wallets Become AMOS’s Primary Target
AMOS is increasingly concerning because it now targets users of popular crypto wallets such as MetaMask, Phantom Wallet and Exodus, as well as hardware-wallet companion apps like Ledger Live.
Its primary goal is to steal seed phrases (recovery phrases), wallet configuration files, and login credentials stored in browsers.
It does this by locating the wallet applications and browser extensions installed on the victim’s device and extracting the files in which they store keys, settings and other data that can be used to take control of crypto assets.
If you have ever saved a seed phrase in your browser or kept a wallet logged in there, the risk is even greater: AMOS reads that data and sends it to the attacker’s server.
So, how does this malware get onto your device?
How AMOS Malware Spreads to Macs
AMOS malware spreads to Mac devices through a variety of seemingly convincing tricks. One of its main methods is malvertising, which involves fake Google ads that mimic popular sites like MetaMask or Notion.
Clicking the ad redirects the user to a fake site that serves a file containing the malware. Downloading alone does not infect the Mac; the page then coaches the victim into opening the file and clicking through the macOS warnings.
Furthermore, it spreads through pirated software and cracked programs. Many users download applications from unofficial sources without realizing that the files are already infected with malware.
AMOS also spreads through fake browser-update prompts, notably the ClearFake campaign: compromised websites tell visitors their browser needs an update, and the “update” they download is the malware.
Another method is spear phishing, specifically targeting crypto workers and freelancers.
They receive emails or messages that appear to be job offers, complete with attachments or links that are actually malicious. Once it is running, AMOS carries out the following actions covertly.
What Does AMOS Steal from Victims?
Once successfully infiltrated through social engineering or a fake software site, AMOS immediately activates and begins quietly collecting various critical data to seize the victim’s digital assets.
Its primary focus is extracting seed phrases and private keys from wallets such as MetaMask, Exodus, Phantom, and Ledger Live.
It reads the local configuration and data files that wallet applications store and exfiltrates them to a command-and-control (C2) server over HTTP POST requests that carry a non-standard request header (a detail that is itself useful when hunting for the traffic).
In addition, AMOS also steals usernames and passwords stored in browsers. By reading autofill and login data, this malware can access various sensitive accounts belonging to victims.
This includes exchange accounts and hardware (cold) wallets paired through browser extensions. A hardware wallet’s private key never leaves the device, so what the attacker gains there is account and session access rather than the key itself.
It also steals login cookies. With valid cookies, attackers can hijack login sessions without having to re-enter usernames or passwords, as if they were using the victim’s device directly.
AMOS also scans the system for files such as PDFs, TXTs, JSONs, and even manual wallet files. All of these documents are compressed and sent to the attackers’ servers, especially if they contain seed phrase records, transaction screenshots, or other sensitive data.
Alarmingly, the latest version of AMOS remains active even after the Mac is restarted.
AMOS Latest Update: Persistent Backdoor
Cyber threats to crypto users have risen again with a major update to Atomic macOS Stealer (AMOS) that adds a persistent backdoor, one that remains active after the device is restarted.
The backdoor arrives through fake installers, such as the pirated TradingView advertised on Reddit, and immediately configures the system to stay connected to the attacker’s server.
Persistence uses a launchd daemon or agent configuration that starts hidden files such as .agent and .helper in the home directory on every boot or login.
AMOS then contacts its command-and-control (C2) server every 60 seconds to upload stolen data and fetch new commands in real time, from further data theft to running additional scripts.
With this technique AMOS is no longer a one-shot stealer but a long-term threat that takes root in the system, and all of it starts with social engineering that persuades users to download free software from unofficial sources.
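The 60-second check-in described above is exactly the kind of regularity a network defender can look for. The following script is an added example, not code from the article or from any AMOS analysis: it parses a constructed web-proxy log (the line format, host names and timestamps are assumed for illustration) and flags any source/destination pair whose POST requests recur at a fixed interval.

```python
"""Beacon-interval detection over web-proxy logs (added example).

Constructed sample log, not real AMOS traffic. Each line is:
<ISO timestamp> <source host> <method> <destination host> <path>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2024-05-01T10:00:00 mac-01 POST c2.example.invalid /api
2024-05-01T10:00:07 mac-01 GET  www.example.org /index.html
2024-05-01T10:01:00 mac-01 POST c2.example.invalid /api
2024-05-01T10:01:31 mac-01 GET  cdn.example.org /lib.js
2024-05-01T10:02:01 mac-01 POST c2.example.invalid /api
2024-05-01T10:02:59 mac-01 POST c2.example.invalid /api
2024-05-01T10:04:00 mac-01 POST c2.example.invalid /api
2024-05-01T10:05:00 mac-01 POST c2.example.invalid /api
2024-05-01T10:03:10 mac-02 POST api.example.org /sync
2024-05-01T10:15:42 mac-02 POST api.example.org /sync
2024-05-01T10:22:05 mac-02 POST api.example.org /sync
"""


def parse_log(text):
    """Yield (timestamp, src, method, dst) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]


def find_beacons(text, period=60, tolerance=5, min_hits=4):
    """Return {(src, dst): summary} for POST streams that recur every
    `period` seconds (give or take `tolerance`).

    Requests from one source to one destination are sorted by time and
    the gaps between consecutive requests measured. A stream is flagged
    when at least `min_hits` gaps fall inside the window: a human
    browsing almost never produces that regularity, a scheduled
    check-in does.
    """
    streams = defaultdict(list)
    for ts, src, method, dst in parse_log(text):
        if method == "POST":
            streams[(src, dst)].append(ts)

    flagged = {}
    for key, times in streams.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_hits:
            flagged[key] = {"count": len(times), "median_gap": median(gaps)}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['count']} POSTs, "
              f"median gap {info['median_gap']:.0f}s")
```

Real implants usually add jitter, and legitimate software (update checkers, telemetry) beacons too, so widen the tolerance for noisy traffic and treat a hit as a triage lead rather than proof: pivot from it to the non-standard request header and the reputation of the destination before acting.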
So, how can you protect your crypto assets from this attack?
Tips to Prevent AMOS Malware on Your Mac
To prevent AMOS from infiltrating your device, here are some protective measures you can take.
First, make sure you only download applications from official websites or directly through the App Store. Many victims fall prey to the lure of offers of free premium software from untrusted sites.
Second, don’t carelessly enter your Mac admin password. One of AMOS’s tricks is to display a fake system dialog asking for your password, which hands the malware full control. Be suspicious of any password prompt that appears right after you open a downloaded file, especially a cracked one: a fake dialog looks identical to the real one, and a legitimate app rarely needs your password at all.
Third, be wary of fake ads on Google. Cybercriminals often use malvertising techniques, impersonating well-known brands like MetaMask or Notion, then redirecting victims to malicious sites.
Fourth, keep macOS up to date so its built-in protections (Gatekeeper, XProtect) have current signatures, and use a trusted Mac-specific antivirus program such as Intego or Combo Cleaner. This software can flag suspicious activity before malware like AMOS has a chance to take over your system.
And finally, never save seed phrases or private keys in plain text files or in browsers. AMOS actively searches for and steals files like these to drain your crypto wallets.
If you’ve already been infected, there are still steps that limit the damage.
What to Do if Infected with AMOS
If your device is infected with Atomic macOS Stealer (AMOS), immediately disconnect the internet. This is crucial so the malware can no longer communicate with the hacker’s server.
Next, run a full scan with a trusted antivirus. AMOS hides itself in files like .helper and .agent, and keeps malicious daemons active even after restarting the Mac.
After that, delete any suspicious files and malicious launch items found, especially plists in ~/Library/LaunchAgents/, /Library/LaunchAgents/ or /Library/LaunchDaemons/ that point at hidden files in your home directory. If you are not confident everything has been removed, back up your documents and reinstall macOS cleanly.
Then, from a device you trust, reset all important passwords, including email, exchange, crypto wallet, and other accounts, and sign out of all active sessions so that stolen login cookies stop working. AMOS can steal passwords stored in browsers, login cookies, and wallet credentials.
Finally, move all crypto assets to a new wallet using a completely clean device. If the seed phrase or private key has been stolen, the old wallet is no longer secure.
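The hidden files and launch item described in the backdoor section above are also what the cleanup step has to find. The following script is an added example, not code from the article or from any AMOS analysis. It uses Python’s standard plistlib module to inspect launchd property lists and flags the pattern the article describes (a dotfile in the home directory, a short StartInterval, RunAtLoad). The two sample plists, the path /Users/alice/.helper and the label com.finder.helper used for the malicious sample are constructed for illustration.

```python
"""Audit launchd plists for stealer-style persistence (added example).

The two plists below are constructed for illustration and are not real
AMOS artifacts. One is an ordinary vendor updater; the other mimics the
pattern described in the article: a hidden script in the home directory
that starts at login and is re-run every 60 seconds.
"""
import os
import plistlib
import tempfile
from pathlib import Path

SAMPLE_PLISTS = {
    "com.vendor.updater.plist": {
        "Label": "com.vendor.updater",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 86400,
    },
    "com.finder.helper.plist": {
        "Label": "com.finder.helper",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.helper"],
        "RunAtLoad": True,
        "StartInterval": 60,
    },
}

# Where launchd really looks; only used when you run this on a Mac.
REAL_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def suspicious_reasons(plist, short_interval=300):
    """Return the reasons a launch item looks like stealer persistence
    (an empty list means nothing matched)."""
    reasons = []
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)

    # A dotfile under a home directory is how the article's .agent/.helper hide.
    for token in cmdline.split():
        name = os.path.basename(token.rstrip("/"))
        in_home = "/Users/" in token or token.startswith("~")
        if in_home and name.startswith(".") and name not in (".", ".."):
            reasons.append(f"hidden file in home directory: {token}")

    if "/tmp/" in cmdline:  # also matches /private/tmp/
        reasons.append("runs from a temporary directory")

    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= short_interval:
        reasons.append(f"re-runs every {interval}s")

    # RunAtLoad alone is normal; combined with the above it is the
    # "survives a reboot" property the article warns about.
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set (starts again after reboot/login)")
    return reasons


def audit_launch_dirs(dirs):
    """Return {plist path: reasons} for every suspicious plist in dirs.
    Missing directories are skipped; unparseable plists are reported."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in Path(d).glob("*.plist"):
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:
                findings[str(path)] = [f"unparseable plist: {exc}"]
                continue
            reasons = suspicious_reasons(plist)
            if reasons:
                findings[str(path)] = reasons
    return findings


def write_sample_dir():
    """Write the constructed plists to a temp dir so the audit runs offline."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    for name, data in SAMPLE_PLISTS.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(data, fh)
    return d


if __name__ == "__main__":
    # Replace [write_sample_dir()] with REAL_DIRS to audit an actual Mac.
    for path, reasons in audit_launch_dirs([write_sample_dir()]).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Run it before deleting anything so you have a record of what was there, and remember that /Library/LaunchDaemons is readable but only writable as root; a daemon there means the attacker got the admin password the article warns about, which is a strong argument for the clean reinstall.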
Why Crypto Investors Need to Understand Threats Like AMOS
The crypto world is now an easy target for cyberattacks, especially since many new users still carelessly save seed phrases and important data, whether in text files, screenshots, or browsers.
This vulnerability is then exploited by malware like AMOS to gain access to crypto wallets.
AMOS itself is no ordinary malware. It infiltrates through fake applications, hides within the system, and remains active even after a Mac restart. This means that attacks on digital assets are increasingly sophisticated and well-planned.
For the same reason, as an investor you need to maintain a high level of digital security awareness.
Cyber hygiene practices such as avoiding random link clicks, saving seed phrases offline, and only downloading from official sources can be a key line of defense.
Ultimately, crypto investing isn’t just about making money, but also about protecting assets from increasingly complex threats.
Conclusion
So, that was an interesting discussion about “Beware of AMOS: New Malware Targeting Crypto Wallets,” which you can read in full at the INDODAX Academy.
In conclusion, threats like AMOS demonstrate that the crypto world offers not only significant opportunities but also real risks.
Cyberattacks are increasingly sophisticated, targeting even small vulnerabilities like carelessly storing seed phrases.
Remember, prevention is much cheaper and easier than losing your entire digital asset through negligence. Start practicing good security practices and help spread awareness.
Share this article with your community or fellow crypto investors, because the more people know, the stronger our collective defenses.
Besides broadening your investment horizons, you can also stay updated with the latest crypto news and monitor digital asset price movements directly on the INDODAX Market.
For a more personalized trading experience, explore our OTC trading service at INDODAX. Don’t forget to activate notifications to stay up-to-date with the latest information about digital assets, blockchain technology, and various other trading opportunities, only at INDODAX Academy.
You can also follow our latest news via Google News for faster and more reliable access to information. For an easy and secure trading experience, download INDODAX’s best crypto app on the App Store or Google Play Store.
Maximize your crypto assets with the INDODAX Earn feature, a practical way to earn passive income from your savings.
Also follow our social media here: Instagram, X, Youtube & Telegram
FAQ
1. What is AMOS malware?
AMOS (Atomic macOS Stealer) is an infostealer specifically designed to steal data from Mac devices, including passwords, cookies, and crypto wallet information such as seed phrases and private keys.
2. Does AMOS only attack Macs?
Yes. AMOS is specifically designed for macOS and does not attack Windows or Android devices. It primarily targets Mac users of browsers such as Chrome, Brave, or Safari.
3. Which crypto wallets does AMOS target?
AMOS can steal data from popular crypto wallets such as MetaMask, Trust Wallet, Phantom, Exodus, Coinbase Wallet, and Ledger Live, whether installed as a browser extension or as a desktop application.
4. How do I know if my Mac is infected with AMOS?
Common signs include: a Mac that suddenly slows down, unfamiliar processes or launch items such as com.finder.helper, unexpected system password prompts, or activity in your crypto wallet that you did not initiate. An antivirus scan can help confirm it.
5. Can antivirus detect AMOS?
Yes, but not every antivirus program recognizes AMOS immediately, especially a new version of the malware. Use a trusted and regularly updated macOS-specific antivirus program, such as Intego, Combo Cleaner, or Malwarebytes.
6. How is AMOS different from regular malware?
AMOS specifically targets crypto users and is capable of stealing seed phrases, not just passwords. The latest version also has a persistent backdoor, meaning it remains active even after the Mac is restarted.
7. Do Windows users need to be concerned?
Currently, AMOS only attacks macOS. Windows users should still be wary of other malware families that target crypto wallets, such as RedLine Stealer or Raccoon.
Author: Boy