This report details an Atomic macOS (AMOS) Stealer infection observed on June 9, 2026. The infection chain begins with malicious advertisements that lead users to a fraudulent Homebrew (Brew) installation page. Victims are instructed to paste malicious commands into their terminal, which initiates the deployment of the stealer malware.
Following execution, the malware establishes persistence and creates specific artifacts within the /tmp directory. The analysis provides associated files including traffic captures (pcaps) and indicators of compromise (IOCs), alongside visual documentation of the malvertising campaign and the terminal-based infection vector.