The Rise of Infostealers Targeting Apple Users

In a threat landscape historically dominated by Windows-based threats, the growing prevalence of macOS information stealers targeting Apple users is becoming an increasing concern for organizations. Infostealers are a type of malware designed to steal sensitive data from target devices, often enabling attackers to extract credentials and financial data for resale or further exploitation. Recent research identified infostealers as the largest category of new macOS malware, with an alarming 101% increase in the last two quarters of 2024 [1].

What is Atomic Stealer?

Among the most notorious is Atomic macOS Stealer (or AMOS), first observed in 2023. Known for its sophisticated build, Atomic Stealer can exfiltrate a wide range of sensitive information including keychain passwords, cookies, browser data and cryptocurrency wallets.

Originally marketed on Telegram as a Malware-as-a-Service (MaaS), Atomic Stealer has become a popular malware due to its ability to target macOS. Like other MaaS offerings, it includes services like a web panel for managing victims, with reports indicating a monthly subscription cost between $1,000 and $3,000 [2]. Although Atomic Stealer’s original intent was as a standalone MaaS product, its unique capability to target macOS has led to new variants emerging at an unprecedented rate

Even more concerning, the most recent variant has now added a backdoor for persistent access [3]. This backdoor presents a significant threat, as Atomic Stealer campaigns are believed to have reached an around 120 countries. The addition of a backdoor elevates Atomic Stealer to the rare category of backdoor deployments potentially at a global scale, something only previously attributed to nation-state threat actors [4].

This level of sophistication is also evident in the wide range of distribution methods observed since its first appearance; including fake application installers, malvertising and terminal command execution via the ClickFix technique. The ClickFix technique is particularly noteworthy: once the malware is downloaded onto the device, users are presented with what appears to be a legitimate macOS installation prompt. In reality, however, the user unknowingly initiates the execution of the Atomic Stealer malware.

This blog will focus on activity observed across multiple Darktrace customer environments where Atomic Stealer was detected, along with several indicators of compromise (IoCs). These included devices that successfully connected to endpoints associated with Atomic Stealer, those that attempted but failed to establish connections, and instances suggesting potential data exfiltration activity.

Darktrace’s Coverage of Atomic Stealer

As this evolving threat began to spread across the internet in June 2025, Darktrace observed a surge in Atomic Stealer activity, impacting numerous customers in 24 different countries worldwide. Initially, most of the cases detected in 2025 affected Darktrace customers within the Europe, Middle East, and Africa (EMEA) region. However, later in the year, Darktrace began to observe a more even distribution of cases across EMEA, the Americas (AMS), and Asia Pacific (APAC). While multiple sectors were impacted by Atomic Stealer, Darktrace customers in the education sector were the most affected, particularly during September and October, coinciding with the return to school and universities after summer closures. This spike likely reflects increased device usage as students returned and reconnected potentially compromised devices to school and campus environments.

Starting from June, Darktrace detected multiple events of suspicious HTTP activity to external connections to IPs in the range 45.94.47.0/24. Investigation by Darktrace’s Threat Research team revealed several distinct patterns ; HTTP POST requests to the URI “/contact”, identical cURL User Agents and HTTP requests to “/api/tasks/[base64 string]” URIs.

Within one observed customer’s environment in July, Darktrace detected two devices making repeated initiated HTTP connections over port 80 to IPs within the same range. The first, Device A, was observed making GET requests to the IP 45.94.47[.]158 (AS60781 LeaseWeb Netherlands B.V.), targeting the URI “/api/tasks/[base64string]” using the “curl/8.7.2” user agent. This pattern suggested beaconing activity and triggered the ‘Beaconing Activity to External Rare' model alert in Darktrace / NETWORK, with Device A’s Model Event Log showing repeated connections. The IP associated with this endpoint has since been flagged by multiple open-source intelligence (OSINT) vendors as being associated with Atomic Stealer [5].

Darktrace’s Cyber AI Analyst subsequently launched an investigation into the activity, uncovering that the GET requests resulted in a ‘503 Service Unavailable’ response, likely indicating that the server was temporarily unable to process the requests.

This unusual activity prompted Darktrace’s Autonomous Response capability to recommend several blocking actions for the device in an attempt to stop the malicious activity. However, as the customer’s Autonomous Response configuration was set to Human Confirmation Mode, Darktrace was unable to automatically apply these actions. Had Autonomous Response been fully enabled, these connections would have been blocked, likely rendering the malware ineffective at reaching its malicious command-and-control (C2) infrastructure.

In another customer environment in August, Darktrace detected similar IoCs, noting a device establishing a connection to the external endpoint 45.94.47[.]149 (ASN: AS57043 Hostkey B.V.). Shortly after the initial connections, the device was observed making repeated requests to the same destination IP, targeting the URI /api/tasks/[base64string] with the user agent curl/8.7.1, again suggesting beaconing activity. Further analysis of this endpoint after the fact revealed links to Atomic Stealer in OSINT reporting [6].

As with the customer in the first case, had Darktrace’s Autonomous Response been properly configured on the customer’s network, it would have been able to block connectivity with 45.94.47[.]149. Instead, Darktrace suggested recommended actions that the customer’s security team could manually apply to help contain the attack.

In the most recent case observed by Darktrace in October, multiple instances of Atomic Stealer activity were seen across one customer’s environment, with two devices communicating with Atomic Stealer C2 infrastructure. During this incident, one device was observed making an HTTP GET request to the IP 45.94.47[.]149 (ASN: AS60781 LeaseWeb Netherlands B.V.). These connections targeted the URI /api/tasks/[base64string, using the user agent curl/8.7.1.  

Shortly afterward, the device began making repeated connections over port 80 to the same external IP, 45.94.47[.]149. This activity continued for several days until Darktrace detected the device making an HTTP POST request to a new IP, 45.94.47[.]211 (ASN: AS57043 Hostkey B.V.), this time targeting the URI /contact, again using the curl/8.7.1 user agent. Similar to the other IPs observed in beaconing activity, OSINT reporting later linked this one to information stealer C2 infrastructure [7].

Further investigation into this customer’s network revealed that similar activity had been occurring as far back as August, when Darktrace detected data exfiltration on a second device. Cyber AI Analyst identified this device making a single HTTP POST connection to the external IP 45.94.47[.]144, another IP with malicious links [8], using the user agent curl/8.7.1 and targeting the URI /contact.

A deeper investigation into the technical details within the POST request revealed the presence of a file named “out.zip”, suggesting potential data exfiltration.

Similarly, in another environment, Darktrace was able to collect a packet capture (PCAP) of suspected Atomic Stealer activity, which revealed potential indicators of data exfiltration. This included the presence of the “out.zip” file being exfiltrated via an HTTP POST request, along with data that appeared to contain details of an Electrum cryptocurrency wallet and possible passwords.

Read more about Darktrace’s full deep dive into a similar case where this tactic was leveraged by malware as part of an elaborate cryptocurrency scam.

Although recent research attributes the “out.zip” file to a new variant named SHAMOS [9], it has also been linked more broadly to Atomic Stealer [10]. Indeed, this is not the first instance where Darktrace has seen the “out.zip” file in cases involving Atomic Stealer either. In a previous blog detailing a social engineering campaign that targeted cryptocurrency users with the Realst Stealer, the macOS version of Realst contained a binary that was found to be Atomic Stealer, and similar IoCs were identified, including artifacts of data exfiltration such as the “out.zip” file.

Conclusion‍

The rapid rise of Atomic Stealer and its ability to target macOS marks a significant shift in the threat landscape and should serve as a clear warning to Apple users who were traditionally perceived as more secure in a malware ecosystem historically dominated by Windows-based threats.

Atomic Stealer’s growing popularity is now challenging that perception, expanding its reach and accessibility to a broader range of victims. Even more concerning is the emergence of a variant embedded with a backdoor, which is likely to increase its appeal among a diverse range of threat actors. Darktrace’s ability to adapt and detect new tactics and IoCs in real time delivers the proactive defense organizations need to protect themselves against emerging threats before they can gain momentum.

Credit to Isabel Evans (Cyber Analyst), Dylan Hinz (Associate Principal Cyber Analyst)
Edited by Ryan Traill (Analyst Content Lead)

Appendices

References

1.     https://www.scworld.com/news/infostealers-targeting-macos-jumped-by-101-in-second-half-of-2024

2.     https://www.kandji.io/blog/amos-macos-stealer-analysis

3.     https://www.broadcom.com/support/security-center/protection-bulletin/amos-stealer-adds-backdoor

4.     https://moonlock.com/amos-backdoor-persistent-access

5.     https://www.virustotal.com/gui/ip-address/45.94.47.158/detection

6.     https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html

7.     https://www.virustotal.com/gui/ip-address/45.94.47.211/detection

8.     https://www.virustotal.com/gui/ip-address/45.94.47.144/detection

9.     https://securityaffairs.com/181441/malware/over-300-entities-hit-by-a-variant-of-atomic-macos-stealer-in-recent-campaign.html

10.   https://binhex.ninja/malware-analysis-blogs/amos-stealer-atomic-stealer-malware.html

Darktrace Model Detections

Darktrace / NETWORK

• Compromise / Beaconing Activity To External Rare
• Compromise / HTTP Beaconing to New IP
• Compromise / HTTP Beaconing to Rare Destination
• Anomalous Connection / New User Agent to IP Without Hostname
• Device / New User Agent
• Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
• Compromise / Slow Beaconing Activity To External Rare
• Anomalous Connection / Posting HTTP to IP Without Hostname
• Compromise / Quick and Regular Windows HTTP Beaconing

Autonomous Response

• Antigena / Network / Significant Anomaly::Antigena Alerts Over Time Block
• Antigena / Network / Significant Anomaly::Antigena Significant Anomaly from Client Block
• Antigena / Network / External Threat::Antigena Suspicious Activity Block
  
  

List of IoCs

• 45.94.47[.]149 – IP – Atomic C2 Endpoint
• 45.94.47[.]144 – IP – Atomic C2 Endpoint
• 45.94.47[.]158 – IP – Atomic C2 Endpoint
• 45.94.47[.]211 – IP – Atomic C2 Endpoint
• out.zip - File Output – Possible ZIP file for Data Exfiltration

MITRE ATT&CK Mapping:

Tactic –Technique – Sub-Technique

Execution - T1204.002 - User Execution: Malicious File

Credential Access - T1555.001 - Credentials from Password Stores: Keychain

Credential Access - T1555.003 - Credentials from Web Browsers

Command & Control - T1071 - Application Layer Protocol

Exfiltration - T1041 - Exfiltration Over C2 Channel

A new era of reputation-aware, unified email security

Darktrace / EMAIL is redefining email defense with new innovations that close email security silos and empower SOC teams to stop multi-stage attacks – without disrupting business operations.  

By extending visibility across interconnected domains, Darktrace catches the 17% of threats that leading SEGs miss, including multi-stage attacks like email bombing and cloud platform abuse. Its label-free behavioral DLP protects sensitive data without reliance on manual rules or classification, while DMARC strengthens brand trust and authenticity. With native integrations for Microsoft Defender and Security Copilot, SOC teams can now investigate and respond faster, reducing risk and maintaining operational continuity across the enterprise.

Summary of what’s new:

• Cross-domain AI-native detection unifying email, identity, and SaaS
• Label-free behavioral DLP for effortless data protection
• Microsoft Defender and Security Copilot integrations for streamlined investigation and response

Why email security must evolve

Today’s attacks don’t stop at the inbox. They move across domains – email to identity, SaaS, and network – exploiting the blind spots between disconnected tools. Yet most email security solutions still operate in isolation, unable to see or respond beyond the message itself.

In 2024, Darktrace detected over 30 million phishing attempts: 38% targeting high-value individuals and almost a third using novel social engineering, including AI-generated text. Generative AI is amplifying the realism and scale of social engineering, while customers face a wave of new techniques like email bombing, where attackers flood inboxes to distract or manipulate users, and polymorphic malware, which continuously evolves to evade static defenses.

Meanwhile, defenders are exposed to traditional DLP tools that create operational drag with high false positives and rigid policies. Accidental insider breachers remain a major risk to organizations: 6% of all data breaches are caused by misdelivery, and 95% of those incidents involve personal data.

Tool sprawl compounds the issue. The average enterprise manages around 75 security products, and 69% report operational strain as a result. This complexity is counterproductive – and with legacy SEGs failing to adapt to detect threats that exploit human behavior, analysts are left juggling an unwieldy patchwork of fragmented defenses.

The bottom line? Siloed email defenses can’t keep pace with today’s AI-driven, cross domain attacks.

Beyond detection: AI built for modern threats

Darktrace / EMAIL is uniquely designed to catch the threats SEGs miss, powered by Self-Learning AI. It learns the communication patterns of every user – correlating behavioral signals from email, identity, and SaaS – to identify the subtle, context-driven deviations that define advanced social engineering and supply chain attacks.

Unlike tools that rely on static rules or historical attack data, Darktrace’s AI assumes a zero trust posture, treating every interaction as a potential risk. It detects novel threats in real time, including those that exploit trusted relationships or mimic legitimate business processes. And because Darktrace’s technology is natively unified, it delivers precise, coordinated responses that neutralize threats in real time.

Powerful innovations to Darktrace / EMAIL

Improved, multi-domain threat detection and response

With this update, Darktrace reveals multi-domain detection linking behavioral signals across email, identity, and SaaS to uncover advanced attacks. Darktrace leverages its existing agentic platform to understand behavioral deviations in any communication channel and take precise actions regardless of the domain.  

This innovation enables customers to:

• Correlate behavioral signals across domains to expose cross-channel threats and enable coordinated response
• Link email and identity intelligence to neutralize multi-stage attacks, including advanced email bombing campaigns

Detection accuracy is further strengthened through layering with traditional threat intelligence:

• Integrated antivirus verdicts improve detection efficacy by adding traditional file scanning
• Structured threat intelligence (STIX/TAXII) enriches alerts with global context for faster triage and prioritization

Expanded ecosystem visibility also includes:

• Salesforce integration, enabling automatic action on potentially malicious tickets auto-created from emails – accelerating threat response and reducing manual burden

Advancements in label-free DLP

Darktrace is delivering the industry’s first label-free data loss prevention (DLP) solution powered by a proprietary domain specific language model (DSLM).  

This update expands DLP to protect against both secrets and personally identifiable information (PII), safeguarding sensitive data without relying on status rules or manual classification. The DSLM is tuned for email/DLP semantics so it understands entities, PII patterns, and message context quickly enough to enforce at send time.

Key enhancements include:

• Behaviorally enhanced PII detection that automatically defines over 35+ new categories, including personal, financial, and health data  
• Added detail to DLP alerts in the UI, showing exactly how and when DLP policies were applied
• Enhanced Cyber AI Analyst narratives to explain detection logic, making it easier to investigate and escalate incidents

And for further confidence in outbound mail, discover new updates to DMARC, with support for BIMI logo verification, automatic detection of both MTA-STS and TLS records, and data exports for deeper analysis and reporting. Accessible for all organizations, available now on the Azure marketplace.

Streamlined SOC workflows, with Microsoft-native integrations

This update introduces new integrations that simplify SOC operations, unify visibility, and accelerate response. By embedding directly into the Microsoft ecosystem – with Defender and Security Copilot – analysts gain instant access to correlated insights without switching consoles.

New innovations include:

• Unified quarantine management with Microsoft Defender, centralizing containment within the native Microsoft interface and eliminating console hopping
• Ability to surface threat insights directly in Copilot via the Darktrace Email Analysis Agent, eliminating data hunting and simplifying investigations
• Automatic ticket creation in JIRA when users report suspicious messages
• Sandbox analysis integration, enabling payload inspection in isolated environments directly from the Darktrace UI

Committed to innovation

These updates are part of the broader Darktrace release, which also included:

1. Major innovations in cloud security with the launch of the industry’s first fully automated cloud forensics solution, reinforcing Darktrace’s leadership in AI-native security.
2. Redefining NDR with industry-first autonomous threat investigation from network to endpoint  
3. Innovations to our suite of Exposure Management & Attack Surface Management tools

As attackers exploit gaps between tools, the Darktrace ActiveAI Security Platform delivers unified detection, automated investigation, and autonomous response across cloud, endpoint, email, network, and OT. With full-stack visibility and AI-native workflows, Darktrace empowers security teams to detect, understand, and stop novel threats before they escalate.

Join our Live Launch Event

When? December 9, 2025

What will be covered? Join our live broadcast to experience how Darktrace is eliminating blind spots for detection and response across your complete enterprise with new innovations in Agentic AI across our ActiveAI Security platform. Industry leaders from IDC will join Darktrace customers to discuss challenges in cross-domain security, with a live walkthrough reshaping the future of Network Detection & Response, Endpoint Detection & Response, Email Security, and SecOps in novel threat detection and autonomous investigations.