Ethical Hacking News
The Atomic macOS infostealer now ships with a backdoor that gives attackers persistent access to compromised devices worldwide. The threat is a serious concern for Mac users and a reminder that vigilance on macOS matters as much as on any other platform.
The Atomic macOS infostealer malware now includes an embedded backdoor for persistent access to compromised devices. The malware is distributed through targeted phishing campaigns and cracked software sites, aimed at cryptocurrency owners and freelancers. Through the backdoor, the threat actors can execute commands remotely, log keystrokes, drop additional payloads, or probe for lateral movement opportunities. The emergence of this malware highlights the growing attractiveness of macOS systems as targets for malicious campaigns. Users are advised to exercise extreme caution, update their operating systems and software, use strong passwords, enable two-factor authentication, and regularly back up critical data to mitigate this threat.
Malicious actors continually evolve their tactics, techniques, and procedures (TTPs) to evade detection and exploit vulnerabilities in the systems they target. Recently, a new strain of the Atomic macOS infostealer malware has emerged with an embedded backdoor that enables persistent access to compromised devices, posing a significant threat to Mac users worldwide.
This malicious software belongs to the broader category of infostealers, which harvest specific types of data from infected systems, including user passwords, data from cryptocurrency wallet browser extensions, and files. The Atomic stealer first gained notoriety in April 2023 as a malware-as-a-service (MaaS) operation promoted on Telegram channels for a subscription fee. Since then, it has undergone significant changes and updates to enhance its capabilities.
According to recent analysis by Moonlock, the cybersecurity division of MacPaw, the latest version of Atomic macOS infostealer now features an embedded backdoor that allows attackers to execute arbitrary remote commands, survive reboots on macOS systems, track victims using their IDs, and establish a new command-and-control infrastructure. This sophisticated malware is being distributed through targeted phishing campaigns aimed at cryptocurrency owners and freelancers, as well as via cracked software sites.
The core backdoor executable is named '.helper' and is downloaded post-infection and saved as a hidden file in the victim's home directory. A persistent wrapper script named '.agent' (also hidden) runs '.helper' in a loop as the logged-in user, while a LaunchDaemon (com.finder.helper) installed via AppleScript ensures that '.agent' executes at system startup with elevated privileges, using the victim's stolen password to obtain them.
This execution chain allows the threat actors to execute commands remotely, log keystrokes, drop additional payloads, or probe for lateral movement opportunities. The backdoor also uses string obfuscation and checks for sandbox or virtual machine environments to evade analysis and detection.
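Because the article names concrete file-system artifacts, a defender can check a Mac for them directly. The script below is an added example, not code from the article or from Moonlock: it scans for the hidden '.helper' and '.agent' files in each user's home directory and for a launch job labelled com.finder.helper, and it builds a constructed (fake) directory tree so the check can be exercised offline; the ROOT argument and the LaunchAgents path are assumptions for that purpose.

```shell
#!/bin/sh
# Added example, not code from the article or from Moonlock: a defender-side
# check for the persistence chain described above. It looks for the hidden
# ~/.helper binary, the hidden ~/.agent wrapper and a launch job labelled
# com.finder.helper. The ROOT argument lets it run against a constructed tree.

# scan_atomic_persistence ROOT -> prints one SUSPICIOUS line per artifact and
# returns 1 if anything was found, 0 otherwise (usable as a health check).
scan_atomic_persistence() {
    root="${1:-}"
    found=0
    # Apple ships no com.finder.helper job; the article names it as the
    # LaunchDaemon that re-runs .agent at boot. LaunchAgents is checked too.
    for plist in "$root/Library/LaunchDaemons/com.finder.helper.plist" \
                 "$root/Library/LaunchAgents/com.finder.helper.plist"; do
        [ -f "$plist" ] || continue
        echo "SUSPICIOUS launch job: $plist"
        found=$((found + 1))
        # Note when the job points at a hidden .agent script in a home dir.
        grep -q '/\.agent' "$plist" && echo "  -> runs a hidden .agent script"
    done
    # Hidden .helper / .agent files dropped into each user's home directory.
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for name in .helper .agent; do
            [ -e "$home/$name" ] || continue
            echo "SUSPICIOUS hidden file: $home/$name"
            found=$((found + 1))
        done
    done
    [ "$found" -eq 0 ]
}

# build_constructed_tree DIR -> lays down a constructed (fake) infected tree
# holding placeholder stand-ins for the three artifacts, for offline testing.
build_constructed_tree() {
    mkdir -p "$1/Users/alice" "$1/Users/bob" "$1/Library/LaunchDaemons"
    echo "constructed stand-in for .helper" > "$1/Users/alice/.helper"
    echo "constructed stand-in for .agent" > "$1/Users/alice/.agent"
    printf '<plist><dict><key>Label</key><string>com.finder.helper</string>\n<key>ProgramArguments</key><array><string>/Users/alice/.agent</string></array></dict></plist>\n' \
        > "$1/Library/LaunchDaemons/com.finder.helper.plist"
}

# Demo on the constructed tree; on a live Mac run: scan_atomic_persistence /
demo_root=$(mktemp -d)
build_constructed_tree "$demo_root"
scan_atomic_persistence "$demo_root" || echo "artifacts found under $demo_root"
rm -rf "$demo_root"
```

A hit on any of these paths is a strong signal, since Apple ships no com.finder.helper job and legitimate software rarely drops hidden dotfile executables directly into a home directory.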
The emergence of this sophisticated malware highlights the growing attractiveness of macOS systems as targets for malicious campaigns. According to Moonlock's analysis, Atomic malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected.
To mitigate this threat, users are advised to exercise extreme caution with the software they download and install on their Macs, especially from phishing links and cracked software sites, and to regularly update their operating systems and software. Robust security measures, such as using strong passwords, enabling two-factor authentication, and regularly backing up critical data, can also help protect against this type of malicious activity.
The ongoing evolution of malware like Atomic macOS infostealer underscores the need for continuous vigilance and adaptation in cybersecurity strategies. As attackers continually refine their techniques to bypass traditional defenses, it is essential to stay informed about emerging threats and develop effective countermeasures to safeguard personal data and systems.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Backdoor-to-Eternal-Persistence-How-Atomic-macOS-Infostealer-is-Hijacking-Mac-Devices-Worldwide-ehn.shtml
https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/
Published: Mon Jul 7 14:22:29 2025 by llama3.2 3B Q4_K_M