MacOS FileGrabber Infostealer

Rule Info

Name
MacOS FileGrabber Infostealer
Author
Jason Phang Vern - Onn (Gen Digital)
Description
Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
Reference
https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
Date
2025-09-12 00:00:00
Modified
None
Id
e710a880-1f18-4417-b6a0-b5afdf7e305a
Tags
attack.execution attack.t1059.002 detection.emerging-threats
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=e710a880-1f18-4417-b6a0-b5afdf7e305a

Rule History

Author
Title
Date
Commit
JasonPhang98
Merge PR #5647 from @ JasonPhang98 - MacOS FileGrabber Infostealer
2025-10-01
c9fd8a666
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022