Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
Sigma rule (View on GitHub)
1title: Atomic MacOS Stealer - FileGrabber Activity
2id: e710a880-1f18-4417-b6a0-b5afdf7e33da
3related:
4 - id: e710a880-1f18-4417-b6a0-b5afdf7e305a
5 type: obsolete
6status: experimental
7description: |
8 Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
9references:
10 - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
11 - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
12 - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
13 - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
14author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
15date: 2025-11-22
16tags:
17 - attack.execution
18 - attack.t1059.002
19 - detection.emerging-threats
20logsource:
21 category: process_creation
22 product: macos
23detection:
24 selection_curl_post:
25 CommandLine|contains|all:
26 - 'curl'
27 - 'POST'
28 - 'user:'
29 - '-H '
30 - 'BuildID'
31 - 'file=@/tmp/out.zip'
32 - 'cl: 0'
33 selection_filegrabber_exec:
34 CommandLine|contains|all:
35 - 'FileGrabber'
36 - '/tmp'
37 condition: 1 of selection_*
38falsepositives:
39 - Unknown
40level: high
References
-
Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation.
Read More -
Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.
Read More -
Threat feeds designed to extract adversarial TTPs and IOCs, using: ✨AI✨ - bobby-tablez/TTP-Threat-Feeds
Read More -
Learn more about how malicious threats continue to target macOS users, compromising their Macs and exfiltrating their data.
Read More
Related rules
- Potential Ursnif Malware Activity - Registry
- Atlassian Confluence CVE-2022-26134
- Blue Mockingbird - Registry
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647