AtomicStealer

Summary
An InfoStealer commonly disguised as legitimate applications
Class
InfoStealer
Class Summary
Infostealers are generally designed as simple malicious programs focused specifically on the theft of information. Although they might also be able to spy on users, this is not generally their primary goal. They typically execute and immediately look on disk at hardcoded locations for valuable files, such as browser data, cryptocurrency wallets, keychains and more.
Description

Advertised on Telegram, Atomic Stealer operates as Malware-as-a-Service with a web interface for its operators. Specializing in info-stealing, it can exfiltrate a range of sensitive data, such as account passwords, browser data, session cookies, and cryptocurrency wallets. Notably, Atomic abuses AppleScript dialog functions to deceive users into providing their credentials. Once the user's password is entered, it pilfers additional sensitive data from the macOS keychain. Distributed under the guise of legitimate applications like Tor Browser, Photoshop CC, Notion, and Microsoft Office, the malware has also been observed being promoted via malvertising on Google Ads.
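The AppleScript credential-prompt behaviour described above is something a defender can look for in process-execution telemetry. The following is an added detection example, not code from this entry or from any vendor; the event schema (pid, parent, cmd) and the sample events are constructed for illustration. It flags osascript invocations whose dialog asks for a hidden (password-style) answer and raises the severity when the dialog text mentions credentials or imitates a system prompt.

```python
import re

# Constructed sample of process-execution events (hypothetical, not from any real host).
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Finder",
     "cmd": 'osascript -e \'display dialog "Enter your password" default answer "" with hidden answer\''},
    {"pid": 502, "parent": "Script Editor",
     "cmd": 'osascript -e \'display dialog "Hello" buttons {"OK"}\''},
    {"pid": 503, "parent": "Terminal",
     "cmd": "ls -la /Users/demo/Library/Keychains"},
    {"pid": 504, "parent": "Installer",
     "cmd": 'osascript -e \'display dialog "macOS needs to access System Settings" with title "System Preferences" default answer "" with hidden answer\''},
]

# osascript as the executed binary (bare name, path, or after whitespace).
OSASCRIPT = re.compile(r"(^|/|\s)osascript(\s|$)")
# A dialog that masks the typed answer: the pattern used for password prompts.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE | re.DOTALL)
DIALOG_TEXT = re.compile(r'display dialog\s+"([^"]*)"')
CREDENTIAL_WORDS = re.compile(r"password|keychain|credentials", re.IGNORECASE)
SYSTEM_IMPERSONATION = re.compile(r"system (settings|preferences)|macos", re.IGNORECASE)


def extract_dialog_text(cmd):
    """Return the quoted message shown by 'display dialog', or '' if absent."""
    m = DIALOG_TEXT.search(cmd)
    return m.group(1) if m else ""


def classify(event):
    """Return a finding dict for a suspicious hidden-answer dialog, else None."""
    cmd = event["cmd"]
    if not OSASCRIPT.search(cmd) or not HIDDEN_ANSWER.search(cmd):
        return None
    text = extract_dialog_text(cmd)
    reasons = ["osascript dialog requests a hidden (password-style) answer"]
    if CREDENTIAL_WORDS.search(text):
        reasons.append("dialog text mentions a password or credential")
    if SYSTEM_IMPERSONATION.search(text) or re.search(r'with title "[^"]*(System|Apple)', cmd, re.IGNORECASE):
        reasons.append("dialog imitates a system prompt")
    return {
        "pid": event["pid"],
        "parent": event["parent"],
        "dialog_text": text,
        "reasons": reasons,
        # One indicator is worth a look; two or more is a strong credential-phishing signal.
        "severity": "high" if len(reasons) > 1 else "medium",
    }


def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["parent"], "-", "; ".join(finding["reasons"]))
```

Legitimate admin tooling also uses `with hidden answer`, so in production this rule should be enriched with the parent process, the code-signing status of the parent, and whether the dialog was followed by reads of files under ~/Library/Keychains, rather than alerting on the dialog alone.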

Example Hashes
  • 462f596d4f05241096e19d612598723bd8e5f773