Fully undetected Shell Script dropping macOS Atomic Stealer

04 February 2025


VMRay Labs found a DMG file containing a malicious shell script, used to download and execute Atomic Stealer, that remained fully undetected on VirusTotal for two days.

The shell script applies only basic obfuscation (encoding of the embedded payload) and shows strong indicators of being AI generated, judging by its comments, proper error handling, and logging.


While the stealer capability itself is mainly written in AppleScript, the loader component is shipped as a universal Mach-O binary targeting both x86- and ARM-based systems.

0 / 60 detections on VirusTotal on February 3rd 2025

In a nutshell:

  • No detections on VirusTotal for two days (6/60 detections as of today)

  • DMG file that uses a likely AI generated shell script as its entry point

  • The shell script drops a universal Mach-O binary for both x86 and ARM architectures

  • The executable decodes Atomic Stealer's AppleScript (run via osascript) using a custom base64 alphabet

  • Sandbox evasion by checking the current username against names known from analysis sandboxes: maria, run, jackiemac, bruno

  • The user's password is collected via AppleScript by simply prompting the user for it

  • Execution chain: DMG → Shell Script → Mach-O Binary → AppleScript → Atomic Stealer
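As an added example (not code from the VMRay report, the sample, or Atomic Stealer itself), the following Python demonstrates two of the points above: decoding a payload that was encoded with a custom base64 alphabet, and triaging the decoded AppleScript for the hard-coded sandbox username check and the password prompt. The alphabet, the encoded blob and the AppleScript snippet are all constructed here for illustration; the report does not publish the sample's real alphabet or script, and recovering the real alphabet means reading the decoder routine in the Mach-O.

```python
import base64
import re
import string

# Standard base64 alphabet (RFC 4648).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet, assumed for this example only: the real
# alphabet used by the sample is not published in the report. Any 64 distinct
# characters work; a loader only needs the same permutation on both sides.
CUSTOM_ALPHABET = (
    string.ascii_uppercase[::-1]
    + string.ascii_lowercase[::-1]
    + string.digits[::-1]
    + "-_"
)

# Usernames the report lists as sandbox indicators checked by the stealer.
SANDBOX_USERS = ("maria", "run", "jackiemac", "bruno")

# Constructed stand-in for the decoded AppleScript; not the sample's own code.
SAMPLE_SCRIPT = """set currentUser to do shell script "whoami"
if currentUser is in {"maria", "run", "jackiemac", "bruno"} then
    return
end if
set pw to text returned of (display dialog "macOS needs to update settings. Enter your password:" default answer "" with hidden answer)
"""


def _table(src: str, dst: str) -> dict:
    """Build a character translation table between two 64-symbol alphabets."""
    if len(src) != 64 or len(set(src)) != 64:
        raise ValueError("base64 alphabet must contain 64 distinct characters")
    return str.maketrans(src, dst)


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the standard codec, then remap into the custom alphabet.
    Padding is dropped, which also hides the telltale trailing '='."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(_table(STD_ALPHABET, alphabet))


def custom_b64decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, restore padding,
    and let the standard decoder do the work. validate=True makes a wrong
    alphabet guess fail loudly instead of silently yielding garbage."""
    std = data.translate(_table(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def find_sandbox_checks(script: str) -> list:
    """Return the known sandbox usernames that appear as quoted string
    literals in the script, in the order the report lists them."""
    return [
        u for u in SANDBOX_USERS
        if re.search(r'["\']' + re.escape(u) + r'["\']', script)
    ]


def asks_for_password(script: str) -> bool:
    """'display dialog ... with hidden answer' is the AppleScript idiom for a
    masked password prompt, i.e. the collection method the report describes."""
    return re.search(r"display dialog.*with hidden answer", script) is not None


def triage(encoded: str, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Decode an encoded payload and summarise the indicators found in it."""
    script = custom_b64decode(encoded, alphabet).decode("utf-8", errors="replace")
    return {
        "script": script,
        "sandbox_users": find_sandbox_checks(script),
        "password_prompt": asks_for_password(script),
    }


if __name__ == "__main__":
    blob = custom_b64encode(SAMPLE_SCRIPT.encode())
    result = triage(blob)
    print("sandbox usernames checked:", result["sandbox_users"])
    print("password prompt:", result["password_prompt"])
```

When working from a real sample, replace CUSTOM_ALPHABET with the permutation recovered from the binary's decoder; a wrong guess raises binascii.Error from the validating decoder rather than producing a plausible-looking but wrong script.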

Dive deeper into the report

Sample SHA256:

8f850c8a9e1c24f6bf1fead7f19fe472d8f57871e02aef9da94366474b9f47ef
