Atomic macOS Stealer (AMOS), a notorious data-theft malware previously distributed through cracked software, has adopted a new and concerning delivery method: malicious OpenClaw skills. This shift repurposes extensions for AI agent platforms into a vector for infecting macOS users. AMOS is a malware-as-a-service (MaaS) tool designed to pilfer sensitive information from Apple devices, including credentials, browser data, cryptocurrency wallet details, and files from user directories.
Security researchers at Trend Micro have identified a novel AMOS variant embedded within these malicious OpenClaw skills. Threat actors have actively uploaded numerous compromised skills across various code repositories, including GitHub, indicating a widespread campaign. This evolution represents a significant departure from previous AMOS distribution techniques and introduces a new form of supply chain attack targeting the expanding ecosystem of AI agent workflows.
New AMOS Infection Chain Leverages OpenClaw Skills
The infection process begins with a seemingly innocuous SKILL.md file. This file instructs an AI agent to download and install a fabricated prerequisite named “OpenClawCLI” from a malicious external website. The behavior of the AI agent varies depending on its sophistication.
Less advanced models, such as GPT-4o, may proceed with the installation silently or repeatedly prompt the user to manually install the fake “driver.” In contrast, more capable models like Claude Opus 4.5 are more likely to identify the skill as suspicious and refuse to execute the command. This highlights a critical difference in AI agent security awareness.
Should the user or a less discerning AI agent proceed, a Base64-encoded command is fetched and executed. This command deploys a Mach-O universal binary, capable of running on both Intel-based and Apple Silicon Mac machines. When macOS detects the unsigned file, a deceptive password dialog box materializes, tricking the user into entering their system password. This entry grants the AMOS malware the necessary privileges to operate.
Inside the AMOS Infection Chain
Once the user’s password has been obtained, the AMOS stealer immediately begins its data harvesting operations. It systematically collects the machine’s username and password, along with files from common locations like the Desktop, Downloads, and Documents folders. The malware is designed to exfiltrate various file formats, including .pdf, .csv, .kdbx, and .docx.
Additionally, AMOS targets sensitive information stored within Apple keychain credentials and Apple Notes. The malware shows a broad scope of compromise, aiming to steal data from 19 different browsers, including stored cookies, passwords, and credit card details. It also demonstrates the capability to access information from over 150 different cryptocurrency wallets.
All the exfiltrated data is aggregated, compressed into a ZIP archive, and subsequently transmitted to a command-and-control (C&C) server located at socifiapp[.]com. This method of data exfiltration is typical for such malware operations.
Recommendations and Indicators of Compromise
To mitigate the risk of AMOS infections via OpenClaw skills, users are strongly advised to exercise caution. It is crucial to verify the source of any OpenClaw skill before executing it. Users should also refrain from entering system passwords when prompted by unfamiliar tools or applications. Employing an isolated testing environment for unvalidated skills is recommended, and utilizing containers can help limit the execution scope of AI agents.
The identified Indicators of Compromise (IoCs) associated with this campaign include the malicious skill delivery site `openclawcli[.]vercel[.]app`, the payload download server IP address `91.92.242[.]30`, and a specific payload download URL `hxxp://91.92.242[.]30/ece0f208u7uqhs6x`. The detected AMOS payload is a Mach-O universal binary identified by the filename `il24xgriequcys45`. The command-and-control exfiltration endpoint is `socifiapp[.]com`, and the malware detection name provided by security vendors is `Trojan.MacOS.Amos`.
The ongoing evolution of AMOS and its adoption of new, sophisticated delivery vectors like malicious AI agent skills highlight the dynamic nature of cyber threats. The success of future campaigns will likely depend on the continued vigilance of users and the development of more robust AI agent security protocols. The cybersecurity community will be closely monitoring repositories for further instances of compromised AI agent extensions.