MacOS FileGrabber Infostealer

Detects process creation on macOS whose command line references FileGrabber together with a /tmp path, activity associated with AMOS (Atomic macOS Stealer) infostealer campaigns that collect sensitive user files.

Sigma rule

title: MacOS FileGrabber Infostealer
id: e710a880-1f18-4417-b6a0-b5afdf7e305a
status: experimental
description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
references:
    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn (Gen Digital)
date: 2025-09-12
tags:
    - attack.execution
    - attack.t1059.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: selection
falsepositives:
    - Unknown
level: high
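The selection above is a single field condition, `CommandLine|contains|all`, so an event fires only when its command line contains both `FileGrabber` and `/tmp`. The following is an added example, not part of the rule or of SigmaHQ's tooling, that re-implements the matching semantics the rule relies on (Sigma's case-insensitive string comparison and the `all` quantifier) and runs the selection over constructed process_creation events. The event shapes, paths and field names besides `CommandLine` are assumptions made for illustration.

```python
"""Apply the MacOS FileGrabber rule's selection to constructed macOS
process_creation events.

Minimal re-implementation of the Sigma matching semantics this rule uses
(not SigmaHQ code): plain string values match case-insensitively, `contains`
is a substring test, and `all` requires every listed value to be present.
"""

# Field and values copied from the rule's selection block.
RULE_SELECTION = {"CommandLine|contains|all": ["FileGrabber", "/tmp"]}


def field_matches(value, modifiers, needles):
    """Evaluate one Sigma field/modifier pair against a single event value.

    Supports the string modifiers contains, startswith and endswith plus the
    `all` quantifier. Both sides are lower-cased because the Sigma spec treats
    plain string values as case-insensitive. A missing field never matches.
    """
    if value is None:
        return False
    text = str(value).lower()
    mods = set(modifiers)

    def one(needle):
        n = needle.lower()
        if "contains" in mods:
            return n in text
        if "startswith" in mods:
            return text.startswith(n)
        if "endswith" in mods:
            return text.endswith(n)
        return text == n  # no string modifier: whole-value match

    results = [one(n) for n in needles]
    return all(results) if "all" in mods else any(results)


def selection_matches(event, selection):
    """All field conditions inside one Sigma selection map are ANDed."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        if isinstance(needles, str):
            needles = [needles]
        if not field_matches(event.get(field), modifiers, needles):
            return False
    return True


# Constructed sample events (assumed shape, not real telemetry).
# Only CommandLine matters to this rule; Image is included for readability.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/tmp/FileGrabber",
     "CommandLine": "/tmp/FileGrabber /Users/alice/Documents /Users/alice/Desktop"},
    {"id": 2, "Image": "/usr/bin/osascript",
     "CommandLine": "osascript /private/tmp/filegrabber.scpt"},
    {"id": 3, "Image": "/Applications/FileGrabber.app/Contents/MacOS/FileGrabber",
     "CommandLine": "/Applications/FileGrabber.app/Contents/MacOS/FileGrabber"},
    {"id": 4, "Image": "/bin/bash",
     "CommandLine": "bash -c 'tar czf /tmp/backup.tgz /Users/alice/Documents'"},
    {"id": 5, "Image": "/usr/bin/python3", "CommandLine": None},
]


def run_rule(events, selection=RULE_SELECTION):
    """Return the ids of events that `condition: selection` fires on."""
    return [e["id"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        hit = "MATCH" if selection_matches(e, RULE_SELECTION) else "-"
        print(e["id"], hit, e["CommandLine"])
```

Events 1 and 2 match; event 2 does so despite the lower-case `filegrabber` and the `/private/tmp` prefix, because the comparison is case-insensitive and `/private/tmp` still contains `/tmp`. Event 3 shows why the `all` quantifier matters: a FileGrabber binary outside `/tmp` does not fire, and event 4 shows the converse. When tuning, confirm that the backend your SIEM compiles this rule with preserves the case-insensitive default; if the pipeline upper-cases or normalises paths, the match set changes.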
