{
  "iim_version": "1.1",
  "chain_id": "medium.2026.atomic-macos-stealer-amos-http-c2",
  "title": "Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints",
  "description": "IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.",
  "actor_id": "unknown",
  "observed_at": "2026-05-31T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server",
    "publisher": "Medium",
    "author": "Chandra Kant Bauri",
    "url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
    "published_at": "2026-05-31",
    "accessed_at": "2026-05-31T19:00:18.390040+00:00",
    "source_type": "original malware reverse-engineering report",
    "source_policy": "Only the original Medium analysis was used. No secondary summaries were used for chain content."
  },
  "x_source_title": "Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints",
  "x_source_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
  "x_resource_links_verified": [
    {
      "url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:00:18.390040+00:00",
      "notes": "Verified article title, publication timing, sample hashes, XOR key, dual HTTP C2 endpoints, theft scope, and AppleScript/evasion behavior."
    }
  ],
  "x_iocs": {
    "sha256": [
      "ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9"
    ],
    "md5": [
      "cad2cd91df26c92ecf246c01276f6c2f"
    ],
    "ips": [
      "85.217.222.185"
    ],
    "urls": [
      "http://85.217.222.185/static.php",
      "http://85.217.222.185/index.php"
    ],
    "files": [
      "Mach-O universal binary"
    ],
    "strings": [
      "7M43mJx9I0GwjslSA2oKSgkqsUo",
      "hy_AM;be_BY;kk_KZ;ru_RU;uk_UA"
    ]
  },
  "x_limitations": [
    "The report provides no confirmed initial delivery URL, fake website, package name, or package repository path. The chain therefore starts at the analyzed sample file rather than inventing a pre-delivery node.",
    "The report mentions developers and unofficial Homebrew-package risk context, but does not publish a concrete malicious Homebrew formula, cask, or package URL. Those are intentionally not modeled.",
    "The report confirms two HTTP C2 endpoints on 85.217.222.185. It does not differentiate one endpoint as a resolver and the other as a final panel, so both are modeled conservatively as c2 endpoints.",
    "Persistence via LaunchAgents is hinted in the article context but not described with a concrete file path or plist name in the published body. No LaunchAgent entity is therefore invented."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9",
      "observed_at": "2026-05-31T00:00:00Z",
      "source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
      "evidence": [
        "The article identifies the sample as a Mach-O universal binary sized 361.53 KB.",
        "The report publishes SHA-256 ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 and MD5 cad2cd91df26c92ecf246c01276f6c2f."
      ],
      "x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "x_sha256": "ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9",
      "x_md5": "cad2cd91df26c92ecf246c01276f6c2f",
      "x_architectures": [
        "x86_64",
        "arm64"
      ],
      "x_chain_stage": "analyzed_sample"
    },
    {
      "id": "e002",
      "type": "file",
      "value": "XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo",
      "observed_at": "2026-05-31T00:00:00Z",
      "source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
      "evidence": [
        "The report shows the decryption routine XORing encrypted bytes against the 27-byte key 7M43mJx9I0GwjslSA2oKSgkqsUo.",
        "The analysis states the key is referenced across 21 locations and hides commands, file paths, and URLs."
      ],
      "x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "x_xor_key": "7M43mJx9I0GwjslSA2oKSgkqsUo",
      "x_chain_stage": "internal_string_decryption"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete)",
      "observed_at": "2026-05-31T00:00:00Z",
      "source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
      "evidence": [
        "The report decrypts AppleScript commands that move and delete files through Finder using osascript.",
        "The report documents quarantine removal with xattr, delayed self-deletion through bash, audio muting through osascript, and collection of browser, wallet, keychain, Telegram, Discord, Steam, FileZilla, Notes, and shell-history data."
      ],
      "x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "x_behavioral_commands": [
        "osascript Finder move command template",
        "osascript Finder delete command template",
        "xattr -d com.apple.quarantine \"%s\"",
        "open -a /bin/bash - args -c \"sleep 3; rm -rf '%s'\"",
        "osascript -e 'set volume output muted true'"
      ],
      "x_cis_locale_exclusion": "hy_AM;be_BY;kk_KZ;ru_RU;uk_UA",
      "x_chain_stage": "runtime_collection_and_exfil"
    },
    {
      "id": "e004",
      "type": "url",
      "value": "http://85.217.222.185/static.php",
      "observed_at": "2026-05-31T00:00:00Z",
      "source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
      "evidence": [
        "The report states that decrypting a constant yields http://85.217.222.185/static.php.",
        "The article describes this endpoint as a command-and-control endpoint receiving stolen data."
      ],
      "x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "x_ip": "85.217.222.185",
      "x_transport": "HTTP",
      "x_chain_stage": "c2_endpoint"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "http://85.217.222.185/index.php",
      "observed_at": "2026-05-31T00:00:00Z",
      "source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
      "evidence": [
        "The report states that a second endpoint extracted from decrypted strings is http://85.217.222.185/index.php.",
        "The article groups this endpoint with the same live C2 server infrastructure on 85.217.222.185."
      ],
      "x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
      "x_ip": "85.217.222.185",
      "x_transport": "HTTP",
      "x_chain_stage": "c2_endpoint"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "observed_at": "2026-05-31T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The analyzed Mach-O sample contains and uses the XOR-obfuscated string layer.",
        "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "execute",
      "sequence_order": 2,
      "observed_at": "2026-05-31T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The decrypted strings reveal the operational AppleScript and shell commands used by the AMOS runtime.",
        "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-31T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The article identifies static.php on 85.217.222.185 as an active C2 endpoint receiving stolen data.",
        "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-31T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The article identifies index.php on 85.217.222.185 as a second endpoint extracted from the same AMOS binary.",
        "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Strings are XOR-obfuscated and decrypted at runtime."
    },
    {
      "technique_id": "T1059.002",
      "name": "Command and Scripting Interpreter: AppleScript",
      "tactic": "Execution",
      "comment": "AMOS uses osascript/Finder AppleScript templates for file move and delete operations."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "The sample communicates over plain HTTP with two published endpoints on 85.217.222.185."
    },
    {
      "technique_id": "T1555",
      "name": "Credentials from Password Stores",
      "tactic": "Credential Access",
      "comment": "The report states the stealer targets browser data and Apple Keychain."
    },
    {
      "technique_id": "T1005",
      "name": "Data from Local System",
      "tactic": "Collection",
      "comment": "The report states the sample collects browser data, wallets, Notes, FileZilla data, Telegram, Discord, Steam, and shell history."
    }
  ]
}