Charlie Cullen
Charlie is employed as a principal intelligence analyst with CrowdStrike’s Intelligence Analysis Cell and focuses on macOS malware, ransomware operators, and cryptocurrency analysis. He previously worked at TRM Labs, Dataminr, and AECOM and has presented at Fal.Con 2019 and 2020, BSides Atlanta 2020, BotConf 2022, and Disruption 2024. He is proficient in Arabic, Farsi, Russian, Spanish, and French.
Session
Prior to 2023, commodity information stealers targeting macOS remained a niche activity rarely found advertised in cybercrime communities. The March 2023 release of COOKIE SPIDER’s Atomic macOS Stealer (aka AMOS) sparked rapid adoption among Russian-speaking “traffer” groups and, subsequently, the rise of many competitor stealer projects that continue to proliferate to this day.
This talk will trace the origins of AMOS and its main operator, COOKIE SPIDER, as well as profile its major competitors, touching on similarities and differences between each malware family, their customers, and novel distribution methods and trends. We will also showcase the use of crypto analysis to map relationships between stealer vendors, their customers, and their infrastructure.
The presentation will also highlight the ecosystem in which macOS malware vendors and users exist, including the monetization of their infections via cryptocurrency theft, the sale of logs, and the emergence of some of the first Pay-Per-Install (PPI) services leveraging macOS infections. We will conclude our talk with a look at recent and future trends in commodity macOS malware development.