MacOS FileGrabber Infostealer
Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
Sigma rule
title: MacOS FileGrabber Infostealer
id: e710a880-1f18-4417-b6a0-b5afdf7e305a
status: experimental
description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
references:
    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn (Gen Digital)
date: 2025-09-12
tags:
    - attack.execution
    - attack.t1059.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: selection
falsepositives:
    - Unknown
level: high
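The selection above keys on two substrings that must both appear in the process command line. The following Python is an added example (not the rule author's or the Sigma project's code) that applies exactly that `contains|all` logic to a handful of constructed macOS process_creation events, so a defender can see which command lines the rule fires on and that Sigma string matching is case-insensitive by default; the event field names assume Sigma's process_creation taxonomy (`CommandLine`, `Image`, `User`).

```python
# Selection from the rule above: every value must be a substring of CommandLine.
CONTAINS_ALL = ("FileGrabber", "/tmp")


def contains_all(command_line: str, needles=CONTAINS_ALL) -> bool:
    """Sigma 'CommandLine|contains|all' semantics.

    Sigma string matching is case-insensitive unless the |cased modifier
    is present, so both sides are lower-cased before comparison.
    """
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def evaluate(events):
    """Return the events matched by the rule's condition (selection).

    Each event is a dict shaped like a Sigma process_creation record;
    a missing CommandLine field simply does not match.
    """
    return [e for e in events if contains_all(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry) exercising the selection.
SAMPLE_EVENTS = [
    # Both terms present: fires.
    {"Image": "/tmp/FileGrabber", "User": "alice",
     "CommandLine": "/tmp/FileGrabber"},
    # 'FileGrabber' present but no '/tmp': does not fire.
    {"Image": "/Applications/FileGrabber.app/Contents/MacOS/FileGrabber",
     "User": "bob",
     "CommandLine": "/Applications/FileGrabber.app/Contents/MacOS/FileGrabber"},
    # '/tmp' present but no 'FileGrabber': does not fire.
    {"Image": "/bin/cp", "User": "carol",
     "CommandLine": "cp /tmp/notes.txt /Users/carol/Documents/"},
    # Lower-case spelling still fires because matching is case-insensitive.
    {"Image": "/bin/sh", "User": "dave",
     "CommandLine": "sh -c /tmp/filegrabber"},
]


def matched_users(events=SAMPLE_EVENTS):
    """Convenience view of who triggered the rule, in event order."""
    return [e["User"] for e in evaluate(events)]


if __name__ == "__main__":
    for event in evaluate(SAMPLE_EVENTS):
        print(f"ALERT level=high user={event['User']} cmd={event['CommandLine']!r}")
```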