Atomic MacOS Stealer - Persistence Indicators

Rule Info

Name
Atomic MacOS Stealer - Persistence Indicators
Author
Jason Phang Vern-Onn, Robbin Ooi Zhen Heng (Gen Digital)
Description
Detects the creation of persistence artifacts placed by Atomic MacOS Stealer on macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these artifacts to maintain persistent access after compromise.
Date
2025-11-22 00:00:00
Modified
None
Id
e710a880-1f18-4417-b6a0-b5afdf7e3023
Tags
attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1564.001 attack.t1543.004 detection.emerging-threats
Type
Community Rule

Rule History

Author
JasonPhang98
Title
Merge PR #5669 from @JasonPhang98 - Extend Atomic MacOS Stealer - FileGrabber Rules
Date
2025-11-24
Commit