FacebookTwitterLinkedIn

How to remove the Atomic stealer-type malware from your operating system

Also Known As: Atomic malware
Type: Mac Virus
Damage level: Severe

What kind of malware Atomic?

Atomic, also known as Atomic macOS Stealer (AMOS), is a malicious program targeting Mac OSes (Operating Systems). It is classified as a stealer – a type of malware that extracts and exfiltrates information from infected devices. At the time of writing, Atomic is actively sold on Telegram.

Atomic malware displayed pop-up requesting user to enter the system password

Atomic malware overview

Once we executed a sample of the Atomic stealer on our test machine, it displayed a fake pop-up window requesting access to System Preferences and prompting the user to enter their password. With this social engineering technique, the malware acquires its first bit of information (i.e., system password).

Afterwards, this stealer begins collecting relevant device data, e.g., Mac model name, UUID, CPU, RAM, OS version, and so on. Atomic can obtain a wide variety of information from compromised devices. This malware requests permission to access the Desktop and Documents, from which it can then download victims' files.

The stealer can also extract data from Keychain – the Mac password management system. Keychain can be used to store Wi-Fi credentials, website and FTP usernames/passwords, credit card details, etc.

Atomic steals information from browsers as well, including Google Chrome, Mozilla Firefox, Microsoft Edge, and others (full list). From browsers, this malware can acquire browsing data, Internet cookies, autofills, log-in credentials (i.e., IDs, usernames, email addresses, passwords, passphrases, etc.), credit card numbers, and so forth.

This stealer also targets cryptowallets and cryptocurrency-related browser extensions (full list). For example, Atomic can brute-force MetaMask seeds and private keys.

To summarize, the presence of software like Atomic on devices can result in severe privacy issues, significant financial losses, and even identity theft.

If you suspect that your Mac is infected with the Atomic stealer (or other malware) – immediately use an anti-virus to eliminate it without delay.

Threat Summary:
Name Atomic malware
Threat Type Mac malware, Mac virus, Stealer
Detection Names Avast (MacOS:Agent-YR [Trj]), Combo Cleaner (Gen:Variant.Trojan.MAC.Stealer.3), ESET-NOD32 (OSX/PSW.Agent.J), Kaspersky (UDS:DangerousObject.Multi.Generic), Full List Of Detections (VirusTotal)
Symptoms Malicious programs are usually designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution Methods Free software installers (bundling), infected email attachments, 'crack' software websites, social engineering, deceptive pop-up ads.
Damage Stolen passwords and cryptocurrency wallets, identity theft.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner for Mac
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Malware in general

We have analyzed numerous malicious programs; RustBucketMacStealer, KEYSTEAL, and GIMMICK are merely a few examples of malware that targets Mac OSes.

In most cases, malicious software is used to generate revenue – however, how it achieves the goal can vary drastically. Malware can have a wide range of functionalities, which can be in different combinations.

Regardless of how this software operates – its presence on a system endangers device integrity and user safety. Therefore, we strongly advise removing all threats immediately upon detection.

How did Atomic malware infiltrate my computer?

The Atomic stealer is sold on Telegram; hence, how it is distributed depends on the cyber criminals using it at the time. Generally, malware is proliferated using phishing and social engineering techniques.

Malicious software is usually disguised as or bundled with regular programs/media. When an infectious file is executed, run, or otherwise open – the infection chain (i.e., malware download/installation) is triggered.

The most commonly used distribution methods include: drive-by (stealthy/deceptive) downloads, malicious attachments and links in spam mail (e.g., emails, PMs/DMs, SMSes, etc.), online scams, dubious download sources (e.g., freeware and third-party websites, Peer-to-Peer sharing networks, etc.), malvertising, illegal software activation ("cracking") tools, and fake updates.

How to avoid installation of malware?

We highly recommend downloading only from official and verified channels. Additionally, all programs must be activated and updated using legitimate functions/tools, as illegal activation tools ("cracks") and third-party updaters can contain malware.

Another recommendation is to treat incoming emails and other messages with caution. The attachments or links found in suspect/irrelevant mail must not be opened, as they can be virulent. We advise being vigilant while browsing since fake and malicious online content usually appears ordinary and innocuous.

It is paramount to have a reputable anti-virus installed and kept up-to-date. Security software must be used to run regular system scans and to remove detected threats. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate threats.

Screenshot of a deceptive website spreading Atomic stealer:

Deceptive website promoting Atomic stealer

Screenshots of various applications used as a disguise for Atomic stealer:

CardGame:

Atomic Stealer disguising as CardGame

Adobe Photoshop CC 2023:

Atomic stealer disguising as Adobe Photoshop CC 2023

Atomic stealer malware sold on Telegram:

Atomic stealer promotion on Telegram

List of browsers targeted by Atomic stealer:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Opera
  • OperaGX
  • Brave
  • Vivaldi
  • Yandex

List of cryptocurrency wallets and extensions targeted by Atomic stealer:

Atomic, Binance, Coinomi, Electrum, Exodus, Auro, BinanceChain, Byone, CLW, Coin98 Wallet, Coinbase, CWallet, Cyano, Crypto Airdrops & Bounties, DAppPlay, EVER Wallet, Exodus Web3 Wallet, Finnie, Flint Wallet, Freaks Axie, Guarda, Harmony Wallet, Hycon Lite Client, ICONex, iWallet, Jaxx Liberty, KardiaChain, Keplr, KHC, LeafWallet, Liquality, Martian Wallet for Sui & Aptos, Math Wallet, MetaMask, MewCx, Nabox, NeoLine, Oasis, Oxygen, Phantom, Polymesh, Rabby Wallet, Ronin, Slope, Starcoin, Station Wallet, Swash, Temple Wallet, TezBox, TON, Trezor Password Manager, TronLink, Tron Explorer, Trust Wallet, Wombat, XDCPay, XDEFI, Yoroi, ZilPay.

Update November 22, 2023 - Cyber criminals have recently started spreading Atomic stealer via malicious websites disguising as various browser updates (such as Safari, Google Chrome, or other).

Screenshot of a fake Google Chrome update page spreading Atomic stealer:

Fake Google Chrome update used to spread Atomic stealer

Screenshot of a fake Safari update page spreading Atomic stealer:

Fake Safari update used to spread Atomic stealer

Screenshot of a fake Grand Theft Auto (GTA) 6 download website (alphagta6[.]com) spreading Atomic stealer:

Fake Grand Theft Auto (GTA) 6 download website (alphagta6[.]com) spreading Atomic stealer

Screenshot of a Twitter (X) post promoting this site:

Twitter post promoting a fake Grand Theft Auto (GTA) 6 download website (alphagta6[.]com) spreading Atomic stealer

Update January 17, 2024: The infostealers targeting macOS, namely KEYSTEAL, Atomic, and JaskaGo, underscore the persistent and adaptive nature of cybersecurity threats. Despite Apple's proactive measures, these malware variants exhibit continuous evolution, employing tactics such as code signature alterations, distribution method changes, and shifts in malicious behavior.

The threat landscape is characterized by the ability of these infostealers to evade static signature detection engines, emphasizing the importance of dynamic and advanced threat hunting techniques.

Update March 4, 2024: Recently, a new variant of the Atomic stealer has been uncovered. This updated version utilizes a Python script to maintain stealth and avoid detection. This variant has remained largely unnoticed, prompting the release of Indicators of Compromise to aid detection and mitigation efforts.

Notably, this variant has similarities in code with the RustDoor backdoor. The primary function of this malware is to extract sensitive data stored within browsers and specific system files, along with attempting to steal local user account passwords.

It achieves its objectives through a combination of Python and Apple Script code. Additionally, the malware appears to employ tactics to identify sandbox or emulator environments, further complicating detection measures.

Update May 16, 2024 - Atomic Stealer has been recently observed being distributed via fake Homebrew download websites. The genuine Homebrew website is brew.sh, meaning that all other domains promoting this app should not be trusted. The same distribution method is also used to spread Cuckoo stealer.

Screenshot of a fake Homebrew download website (rectanglemac[.]pro) used to spread Atomic Stealer:

Fake Homebrew download website spreading Atomic Stealer

Update July 18, 2024 – new distribution method for Atomic has been discovered. This stealer is proliferated via a malvertising campaign under the guise of a Microsoft Teams app for Mac. The promotion is held by abusing the Google Ads service; when users enter a query related to "Microsoft Teams", they are presented with a malicious advertisement as one of the topmost Google search results.

Clicking on the ad causes a multi-stage redirect that lands on a malicious page, which continues the charade of offering Microsoft Teams for Mac. Through a filtering system, only genuine users (excluding bots, etc.) are allowed to access the site. The downloaded installer (containing Atomic) is generated with a different filename and size each time.

The setup requests installation via right-click, thus evading protection measures against unsigned installers. Following successful installation, Atomic stealer proceeds to ask permissions and the system password, as described in the article above.

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Manual removal of malicious Mac applications

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Mac Go To Folder step

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Mac removing related files and folders - step 1Check for adware generated files in the /Library/LaunchAgents/ folder:

Mac go to /Library/LaunchAgents - step 1

In the Go to Folder... bar, type: /Library/LaunchAgents/

Mac go to /Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 2Check for adware generated files in the ~/Library/Application Support/ folder:

Mac go to /Library/Application Support - step 1

In the Go to Folder... bar, type: ~/Library/Application Support/

Mac go to /Library/Application Support - step 2

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Mac removing related files and folders - step 3Check for adware generated files in the ~/Library/LaunchAgents/ folder:

Mac go to ~/Library/LaunchAgents - step 1

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

Mac go to ~/Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 4Check for adware generated files in the /Library/LaunchDaemons/ folder:

Mac go to /Library/LaunchDaemons - step 1

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

Mac go to /Library/LaunchDaemons - step 2

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Mac removing malware related files and folders - step 5Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Mac remove malware with Combo Cleaner - step 1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

Mac remove malware with Combo Cleaner - step 2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Safari iconRemove malicious Safari extensions:

Removal of malicious extensions in Safari - step 1

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

Removal of malicious extensions in Safari - step 2

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Google Chrome logoRemove malicious extensions from Google Chrome:

Removal of malicious extensions in Google Chrome - step 1

Click the Chrome menu icon Google Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

Removal of malicious extensions in Google Chrome - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Mozilla Firefox logoRemove malicious extensions from Mozilla Firefox:

Removal of malicious extensions in Mozilla Firefox - step 1

Click the Firefox menu firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

Removal of malicious extensions in Mozilla Firefox - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

My computer is infected with Atomic malware, should I format my storage device to get rid of it?

No, most malicious programs can be removed without formatting.

What are the biggest issues that Atomic malware can cause?

The threats posed by malware depend on its capabilities and the cyber criminals' aims. Atomic is a stealer – a type of program designed to extract and exfiltrate information from infected systems. Typically, infections of this kind can lead to severe privacy issues, financial losses, and identity theft.

What is the purpose of Atomic malware?

In most cases, malware is used for profit. However, this software can also be used for the cyber criminals' amusement or to disrupt processes (e.g., websites, services, companies, etc.). Furthermore, malware attacks may be motivated by personal vendettas or political/geopolitical reasons.

How did Atomic malware infiltrate my computer?

Malware is primarily spread through drive-by downloads, dubious download channels (e.g., freeware and free file-hosting sites, P2P sharing networks, etc.), spam emails and messages, online scams, malvertising, illegal program activation tools ("cracks"), and fake updates. What is more, some malicious programs can self-proliferate via local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner is designed to detect and eliminate threats. It is capable of removing practically all known malware infections. Note that performing a complete system scan is essential since sophisticated malicious software typically hides deep within systems.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Atomic malware QR code
Scan this QR code to have an easy access removal guide of Atomic malware on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.