Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems.

Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems.

The new component allows executing arbitrary remote commands, it survives reboots, and permits maintaining control over infected hosts indefinitely.

MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity.
"AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say.

"The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."

StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.

This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.

Key Takeaways

• StealC V2, introduced in March 2025, utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants.
• StealC V2 now supports loader options that can deliver Microsoft Software Installer (MSI) packages, and PowerShell scripts.
• The redesigned control panel includes an embedded builder that allows operators to customize payload rules and bot responses based on geolocation, HWID, and installed software.
• StealC V2 includes multi-monitor screenshot capture and a unified file grabber that targets crypto wallets, gaming applications, instant messengers, email clients, VPNs, and browsers. In addition, StealC V2 supports server-side brute-forcing capabilities for credential harvesting.
• ThreatLabz has observed StealC V2 being deployed via Amadey, and conversely, it being used to distribute StealC V2.

Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware.

A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.

Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.