medium.2026.atomic-macos-stealer-amos-http-c2
Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints
IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9
file
XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo
file
AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete)
url
http://85.217.222.185/static.php
url
http://85.217.222.185/index.php
Relations
directed infrastructure edgese001referencese002
confirmed
e002executee003
confirmed
e003connecte004
confirmed
e003connecte005
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
file | Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 |
The article identifies the sample as a Mach-O universal binary sized 361.53 KB. The report publishes SHA-256 ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 and MD5 cad2cd91df26c92ecf246c01276f6c2f. |
e002 |
file | XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo |
The report shows the decryption routine XORing encrypted bytes against the 27-byte key 7M43mJx9I0GwjslSA2oKSgkqsUo. The analysis states the key is referenced across 21 locations and hides commands, file paths, and URLs. |
e003 |
file | AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete) |
The report decrypts AppleScript commands that move and delete files through Finder using osascript. The report documents quarantine removal with xattr, delayed self-deletion through bash, audio muting through osascript, and collection of browser, wallet, keychain, Telegram, Discord, Steam, FileZilla, Notes, and shell-history data. |
e004 |
url | http://85.217.222.185/static.php |
The report states that decrypting a constant yields http://85.217.222.185/static.php. The article describes this endpoint as a command-and-control endpoint receiving stolen data. |
e005 |
url | http://85.217.222.185/index.php |
The report states that a second endpoint extracted from decrypted strings is http://85.217.222.185/index.php. The article groups this endpoint with the same live C2 server infrastructure on 85.217.222.185. |
ATT&CK annotations
optional complementary mappingStrings are XOR-obfuscated and decrypted at runtime.
AMOS uses osascript/Finder AppleScript templates for file move and delete operations.
The sample communicates over plain HTTP with two published endpoints on 85.217.222.185.
The report states the stealer targets browser data and Apple Keychain.
The report states the sample collects browser data, wallets, Notes, FileZilla data, Telegram, Discord, Steam, and shell history.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "medium.2026.atomic-macos-stealer-amos-http-c2",
"title": "Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints",
"description": "IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.",
"actor_id": "unknown",
"observed_at": "2026-05-31T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_source": {
"title": "Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server",
"publisher": "Medium",
"author": "Chandra Kant Bauri",
"url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"published_at": "2026-05-31",
"accessed_at": "2026-05-31T19:00:18.390040+00:00",
"source_type": "original malware reverse-engineering report",
"source_policy": "Only the original Medium analysis was used. No secondary summaries were used for chain content."
},
"x_source_title": "Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints",
"x_source_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_resource_links_verified": [
{
"url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:00:18.390040+00:00",
"notes": "Verified article title, publication timing, sample hashes, XOR key, dual HTTP C2 endpoints, theft scope, and AppleScript/evasion behavior."
}
],
"x_iocs": {
"sha256": [
"ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9"
],
"md5": [
"cad2cd91df26c92ecf246c01276f6c2f"
],
"ips": [
"85.217.222.185"
],
"urls": [
"http://85.217.222.185/static.php",
"http://85.217.222.185/index.php"
],
"files": [
"Mach-O universal binary"
],
"strings": [
"7M43mJx9I0GwjslSA2oKSgkqsUo",
"hy_AM;be_BY;kk_KZ;ru_RU;uk_UA"
]
},
"x_limitations": [
"The report provides no confirmed initial delivery URL, fake website, package name, or package repository path. The chain therefore starts at the analyzed sample file rather than inventing a pre-delivery node.",
"The report mentions developers and unofficial Homebrew-package risk context, but does not publish a concrete malicious Homebrew formula, cask, or package URL. Those are intentionally not modeled.",
"The report confirms two HTTP C2 endpoints on 85.217.222.185. It does not differentiate one endpoint as a resolver and the other as a final panel, so both are modeled conservatively as c2 endpoints.",
"Persistence via LaunchAgents is hinted in the article context but not described with a concrete file path or plist name in the published body. No LaunchAgent entity is therefore invented."
],
"entities": [
{
"id": "e001",
"type": "file",
"value": "Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9",
"observed_at": "2026-05-31T00:00:00Z",
"source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
"evidence": [
"The article identifies the sample as a Mach-O universal binary sized 361.53 KB.",
"The report publishes SHA-256 ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 and MD5 cad2cd91df26c92ecf246c01276f6c2f."
],
"x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_sha256": "ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9",
"x_md5": "cad2cd91df26c92ecf246c01276f6c2f",
"x_architectures": [
"x86_64",
"arm64"
],
"x_chain_stage": "analyzed_sample"
},
{
"id": "e002",
"type": "file",
"value": "XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo",
"observed_at": "2026-05-31T00:00:00Z",
"source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
"evidence": [
"The report shows the decryption routine XORing encrypted bytes against the 27-byte key 7M43mJx9I0GwjslSA2oKSgkqsUo.",
"The analysis states the key is referenced across 21 locations and hides commands, file paths, and URLs."
],
"x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_xor_key": "7M43mJx9I0GwjslSA2oKSgkqsUo",
"x_chain_stage": "internal_string_decryption"
},
{
"id": "e003",
"type": "file",
"value": "AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete)",
"observed_at": "2026-05-31T00:00:00Z",
"source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
"evidence": [
"The report decrypts AppleScript commands that move and delete files through Finder using osascript.",
"The report documents quarantine removal with xattr, delayed self-deletion through bash, audio muting through osascript, and collection of browser, wallet, keychain, Telegram, Discord, Steam, FileZilla, Notes, and shell-history data."
],
"x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_behavioral_commands": [
"osascript Finder move command template",
"osascript Finder delete command template",
"xattr -d com.apple.quarantine \"%s\"",
"open -a /bin/bash - args -c \"sleep 3; rm -rf '%s'\"",
"osascript -e 'set volume output muted true'"
],
"x_cis_locale_exclusion": "hy_AM;be_BY;kk_KZ;ru_RU;uk_UA",
"x_chain_stage": "runtime_collection_and_exfil"
},
{
"id": "e004",
"type": "url",
"value": "http://85.217.222.185/static.php",
"observed_at": "2026-05-31T00:00:00Z",
"source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
"evidence": [
"The report states that decrypting a constant yields http://85.217.222.185/static.php.",
"The article describes this endpoint as a command-and-control endpoint receiving stolen data."
],
"x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_ip": "85.217.222.185",
"x_transport": "HTTP",
"x_chain_stage": "c2_endpoint"
},
{
"id": "e005",
"type": "url",
"value": "http://85.217.222.185/index.php",
"observed_at": "2026-05-31T00:00:00Z",
"source": "Medium: Reverse Engineering Atomic macOS Stealer (AMOS): From XOR Cipher to C2 Server (2026-05-31)",
"evidence": [
"The report states that a second endpoint extracted from decrypted strings is http://85.217.222.185/index.php.",
"The article groups this endpoint with the same live C2 server infrastructure on 85.217.222.185."
],
"x_reference_url": "https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211",
"x_ip": "85.217.222.185",
"x_transport": "HTTP",
"x_chain_stage": "c2_endpoint"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e002",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e003",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e004",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e005",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "references",
"sequence_order": 1,
"observed_at": "2026-05-31T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The analyzed Mach-O sample contains and uses the XOR-obfuscated string layer.",
"https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
]
},
{
"from": "e002",
"to": "e003",
"type": "execute",
"sequence_order": 2,
"observed_at": "2026-05-31T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The decrypted strings reveal the operational AppleScript and shell commands used by the AMOS runtime.",
"https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
]
},
{
"from": "e003",
"to": "e004",
"type": "connect",
"sequence_order": 3,
"observed_at": "2026-05-31T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The article identifies static.php on 85.217.222.185 as an active C2 endpoint receiving stolen data.",
"https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
]
},
{
"from": "e003",
"to": "e005",
"type": "connect",
"sequence_order": 4,
"observed_at": "2026-05-31T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The article identifies index.php on 85.217.222.185 as a second endpoint extracted from the same AMOS binary.",
"https://medium.com/%40ckant/reverse-engineering-atomic-macos-stealer-amos-from-xor-cipher-to-c2-server-355ef51b1211"
]
}
],
"attack_annotations": [
{
"technique_id": "T1027",
"name": "Obfuscated Files or Information",
"tactic": "Defense Evasion",
"comment": "Strings are XOR-obfuscated and decrypted at runtime."
},
{
"technique_id": "T1059.002",
"name": "Command and Scripting Interpreter: AppleScript",
"tactic": "Execution",
"comment": "AMOS uses osascript/Finder AppleScript templates for file move and delete operations."
},
{
"technique_id": "T1071.001",
"name": "Application Layer Protocol: Web Protocols",
"tactic": "Command and Control",
"comment": "The sample communicates over plain HTTP with two published endpoints on 85.217.222.185."
},
{
"technique_id": "T1555",
"name": "Credentials from Password Stores",
"tactic": "Credential Access",
"comment": "The report states the stealer targets browser data and Apple Keychain."
},
{
"technique_id": "T1005",
"name": "Data from Local System",
"tactic": "Collection",
"comment": "The report states the sample collects browser data, wallets, Notes, FileZilla data, Telegram, Discord, Steam, and shell history."
}
]
}