AMOS Malware Campaigns Target macOS Users Through Social Engineering, Researchers Warn
Security researchers are tracking a wave of AMOS malware campaigns targeting macOS systems, warning that the threat continues to spread by exploiting user behaviour rather than relying on advanced technical vulnerabilities.
Atomic macOS Stealer, commonly known as AMOS, has emerged as one of the most persistent information-stealing threats affecting Apple computers. According to a Sophos investigation, nearly half of macOS stealer reports examined by its researchers were linked to the AMOS malware family, underscoring its growing role in the macOS threat landscape.
Rather than using sophisticated zero-day exploits, AMOS relies heavily on social engineering. In many cases, attackers trick users into opening the Terminal application and manually running malicious commands themselves. Once executed, the malware can attempt to steal sensitive data from the infected device.
A recent incident investigated by Sophos MDR teams highlighted this approach. Researchers identified a ClickFix-style tactic, where a victim was persuaded to copy and run a harmful line of code in the belief that they were fixing a legitimate issue. This method shifts the attack away from technical compromise and towards psychological manipulation.
Security researchers have observed similar tactics across multiple macOS infostealer campaigns throughout 2025 and early 2026. The trend suggests attackers are increasingly focusing on deception, user urgency and fake troubleshooting prompts to bypass traditional security assumptions.
Sophos reported that AMOS accounted for nearly 40 percent of all macOS protection updates it deployed in 2025, more than double the detection rate of any other macOS malware family. The figure points to the scale of the threat, particularly as cybercriminals continue to treat macOS users as valuable targets for the theft of credentials, financial data and browser-stored information.
The rise of AMOS also challenges the long-held belief that Apple systems are largely immune to malware. While macOS includes built-in security protections, researchers warn that no operating system can fully protect users who are manipulated into authorising malicious activity themselves.
Apple has continued to strengthen its security measures, but the persistence of AMOS shows that attackers are adapting quickly. As technical defences improve, social engineering remains one of the most effective ways to bypass them.
Cybersecurity experts are urging macOS users to treat any instruction to paste commands into Terminal with extreme caution, especially when prompted by a website, pop-up, support message or unexpected alert. Users should only run Terminal commands when they fully understand their purpose and trust the source providing them.
The Sophos findings reinforce a clear message for Apple users: modern malware does not always need to break into a device. Sometimes, it only needs to convince the user to open the door.
As AMOS and other social engineering threats continue to target everyday users, the strongest defence is not just better software; it is better awareness. Knowledge is power, and understanding how attackers manipulate people is one of the most effective ways to stop them.
