The journey into Mac OS infostealers

g0njxa
16 min read · Sep 17, 2024


Over the past weeks I interviewed some of the best-known Mac OS malware operators in the wild. Mac OS infostealers are still a growing trend and a subject worth knowing; I started investigating them thanks to the candid words of the people around these products, and this piece would not have been possible without the insights of the people involved in the history I began telling in the interviews. I'm aware that some large companies are referencing my interviews in their own work, since there seems to be little information on this matter, so before the story I started telling drifts away from what actually happened, I want to set out a timeline of the events with the most accurate information available from my research and from the sources I have been listening to these months. Here is the timeline, cross-checked against as many sources as possible, of how Mac OS infostealers were born, and all the drama involved.

Important terms to know before reading:

- 0xFFF, aka Alhimik (developer of 0xFFF Stealer). He reappeared months after the exit scam; reachable.
- ping3r (developer of AMOS Stealer, owner of the coockie.pro forum). Active and reachable.
- AMOS (Atomic Mac OS Stealer), an upgraded fork of 0xFFF Stealer.

Interview: Approaching stealers devs : a brief interview with AMOS | by g0njxa | Aug, 2024 | Medium

- Rodrigo (developer of Poseidon Stealer, ex-coder of AMOS, ex-coder of Titan Stealer). He disappeared from the Internet completely after selling the Poseidon source code, saying he wanted to change "the black hat life to become white hat".
- Poseidon Stealer, a poorly modified fork of AMOS Stealer.

Interview: Approaching stealers devs : a brief interview with Poseidon | by g0njxa | Jul, 2024 | Medium

- CTHULHU NFT Traffer Team (and its admin balaclavv, aka "balaclava"). This team used 0xFFF Stealer and then AMOS, and was active until March 2024. It is believed to be behind Cthulhu Stealer, a fork of AMOS. The team has not been operational for many months; the admin is missing / not reachable.

I kept honest contact with every individual I could reach, asking about the events and contrasting all sides of the story to find the truth. This is my story:

Stage 1 (0xFFF Stealer)

December 2022 — January 2023

User 0xFFF starts a technical discussion on the XSS forum about a very bad but functional Mac OS stealer he wrote. This stealer is known as 0xFFF Stealer, but in its first stages it was also known as OSx Stealer.

Translation from Russian:

So, I wrote a stealer for MacOS. It is embarrassing to even call the version raw, but the fact is that it already steals crypto and Telegram and bypasses the Apple firewall. The logs, trivial as it may sound, knock on Telegram, and if the file is larger than 50 MB it is uploaded to anonfiles (automatically). Without making a native panel, I have not come up with a better knock than Telegram in such a short time; maybe soon I will start writing a panel.

This first Mac OS stealer is the one ping3r referred to in the interview, a very poorly designed malware "that was written using ChatGPT".

What do you think about the other stealers that work on Mac OS? Are the other stealers a copy of AMOS?
As I mentioned earlier, I took the build from the person who made this software first. But he turned out to be a scammer. I can only say with confidence that this person wrote the virus using ChatGPT. The virus didn’t work fully and constantly had issues, which is why he scammed everyone, as at some point everything stopped working. […]

When I asked 0xFFF about this claim, he said:

I just tried to find out where pinger tells me that more than half of the code is made in ChatGPT (in AMOS)… but alas, the little idiot deleted the correspondence, apparently out of fear). In my code, GPT was used 10–20%, and only because of my problems with syntax; it was just a text proofreader for me))

I wrote it myself when I was still on the train, I remember it well. I don't know why this asshole is trying to blacken me, although he probably thinks that my new product will compete with AMOS. There won't be such a thing, pinger, don't worry, my new product will throw your shit out of the game

February — March 2023

The 0xFFF stealer gains popularity in the community, and starts being sold to and used by clients, both individuals and traffer teams.

Translation from Russian:

"For each client, the build will be a dmg installer, familiar to macOS users. About detection: Little Snitch and Gatekeeper do not mark the build in any way. To activate the program, the victim only needs to open it via the right mouse button, or allow it in the settings. This is a completely normal procedure for macOS users who download a file from the Internet, and it doesn't affect the user experience one bit. For now, everything is sent to Telegram, but if the weight is over 50 megabytes, the logs are uploaded to anonfiles, after which the stealer operator gets a link in Telegram"

0xFFF shared some screenshots of how the otstuk records (the Telegram messages in which the logs "knock" in, as described in the quote above) looked:

We can also find real examples of these records from the Cthulhu NFT Team:

He also looked for beta testers on the XSS forum:

I am looking for a person who is ready for a ridiculous $150 to get a lifetime subscription to a stealer for MacOS. All you have to do is report issues/bugs if found, and a normal source of traffic. I will install the server and add logs to the bot.

Then this amount will be changed to $400.

Some early reviews (translated from Russian):

I took a test from this seller; it's nice to work with this person! Clear, responsive, knows how to not only explain everything clearly, but also to listen and, what is important, to hear!

Pros:

The TS is adequate in communication, knows what he is talking about

All the nuances that may arise were immediately said before payment, and not before receiving money, as some practice…

The software knocks quite quickly, collects recursively without default specified paths — this is good.

Cons:

I didn't particularly notice any, but there are shortcomings such as the lack of an autobuilder, and the knock goes to Telegram (there is no panel). But the TS says he is already coding the panel.

Remember that 0xFFF was exposing his product in a technical discussion thread on the forum; when he started selling and advertising it to clients, this drew the attention of the XSS administration, who asked him to open a sales thread and make a deposit on the forum to gain credibility among users.

By this time, Apple was aware of the malware and had started detecting it.

0xFFF also changed his pricing policy, from $150 lifetime for beta testers to $4000 per month for regular users, allegedly refunding the beta testers their initial payment and cancelling their subscriptions until they paid the full amount. Some customers were angry about this:

As I expected, the developer is refunding his first "small" customers ($400 lifetime bullshit) and will only sell to those who are willing to pay him thousands of dollars a month (4k+) to keep the license….
Even though this developer is not holding any money, it is simply because he's most likely running a Ponzi scam. Releasing small payouts while bigger ones come his way…
I would categorically distrust this developer from now on, even if his builds were free… he is a completely incompetent person and cannot keep his word.
After getting paid, he goes to the casino with the customers' money instead of delivering the product he wants to get paid for…..
He also creates fake Telegram accounts to promote his new releases, and even more, to this day he uses this forum for free advertising without deposits…

0xFFF states:

Let me explain briefly: I changed my policy and am not going to serve a person for $150 lifetime, when the product costs $4,000+ per month. I made a full moneyback, it still fucks with my brain. So that you understand, I offered the moneyback myself, I did not do it reluctantly, but on the contrary. I will throw any proof to whoever needs it, the guy is a full clown.

Around the same days, 0xFFF and ping3r made their first contact, and ping3r seemed interested in this first Mac OS stealer. Interested enough to make an advertising agreement.

ping3r says (original English text):

look at the history. 0xFFF(Alhimik) appears with a stealer for Mac, but a very bad and crooked one, which works every other time. but it works. I, as a forum admin, notice him and write him a proposal for cooperation. The proposal was like this — I advertise you, give you clients and you advertise me in your stealer. He was supposed to give me 50% of the profit from my clients. I gave him clients who paid him $8,000 per month […]

Translated from Russian:

He advertised me in his stealer, but I didn’t advertise him. He didn’t have a topic on my forum, because there was a condition — until he passes the check on other forums, I won’t allow him to sell on ours.

0xFFF started advertising the Coockie.pro forum in his otstuk records:

After some days, ping3r allowed 0xFFF onto the forum, with ping3r acting as guarantor.

Translated from Russian:

He throws the topic off WWH (where he still sells) and reviews from XSS, I personally tested his software and it worked, about 10 days ago. In his topic on my forum, I obliged everyone to work exclusively through me. […]

0xFFF announces his Mac OS Stealer on coockie.pro, the forum owned by ping3r:

Translation from Russian:

Most likely, you have already heard on other forums about the release of 0xfff stealer for MacOS

Without long texts, a juicy project will be especially useful for the NFT team, for them we personally discuss the conditions, we work with such tops as: CTHULHU, Crazy Evil Team, there are reviews from authorities on the forums.

The stealer robs passwords from Chrome and all its crypto extensions (Metamask, Ronin, Phantom, etc.), as well as cold wallets such as Exodus, Electrum, Atomic

We work with popular forum guarantors (coockie pro, xss, etc.)
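The two sales posts above describe a simple kill chain: an unsigned app from a DMG reads browser password stores and wallet data, then "knocks" the logs to Telegram, pushing anything over 50 MB to anonfiles. The following is an added hunting example of my own, not code from any of the stealers or their operators. It correlates constructed host events (file opens and outbound connections, in a made-up line format) per process and alerts when a process reads one of the targeted stores and shortly afterwards connects to the Telegram Bot API or anonfiles. The file paths are standard macOS locations for the products named in the posts, used here as assumptions for the rule rather than taken from a sample; the process names and events are constructed.

```python
"""Added example: correlate macOS host events to catch the exfil pattern described
in the 0xFFF sales posts (read browser/wallet stores, then knock to Telegram,
large logs to anonfiles). Event format, process names and events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stores the posts say the stealer targets. Standard macOS locations, assumed for
# the rule (Chrome keeps "Login Data" and "Local Extension Settings/<id>" under
# its profile; Safari passwords live in the login keychain).
SENSITIVE_PATHS = {
    "chrome": "/Library/Application Support/Google/Chrome/",
    "safari": "/Library/Keychains/login.keychain-db",
    "exodus": "/Library/Application Support/Exodus",
    "atomic": "/Library/Application Support/atomic",
    "electrum": "/.electrum",
}
# Exfil hosts implied by the posts: Telegram Bot API and anonfiles.
EXFIL_HOSTS = {"api.telegram.org", "anonfiles.com"}
LARGE_UPLOAD = 50 * 1024 * 1024   # the post's own threshold for switching to anonfiles
WINDOW = timedelta(minutes=10)    # how long a sensitive read stays "fresh"

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<kind>open|connect) (?P<rest>.+)$"
)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "pid": int(m["pid"]),
        "proc": m["proc"],
        "kind": m["kind"],
    }
    rest = m["rest"]
    if ev["kind"] == "open":
        # Paths may contain spaces, so take everything after "path=" verbatim.
        ev["path"] = rest[len("path="):] if rest.startswith("path=") else rest
    else:
        fields = dict(tok.split("=", 1) for tok in rest.split())
        ev["host"] = fields.get("host", "")
        ev["bytes"] = int(fields.get("bytes", 0))
    return ev


def sensitive_category(path):
    """Return which targeted store a path belongs to, or None."""
    for name, needle in SENSITIVE_PATHS.items():
        if needle in path:
            return name
    return None


def detect(lines):
    """One alert per process that read targeted stores and then reached an exfil host within WINDOW."""
    events = [ev for ev in map(parse_event, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent_reads = defaultdict(list)   # pid -> [(ts, category)]
    alerts = {}
    for ev in events:
        if ev["kind"] == "open":
            cat = sensitive_category(ev["path"])
            if cat:
                recent_reads[ev["pid"]].append((ev["ts"], cat))
            continue
        if ev["host"] not in EXFIL_HOSTS:
            continue
        cats = {c for t, c in recent_reads[ev["pid"]] if ev["ts"] - t <= WINDOW}
        if not cats:   # legitimate Telegram client, or a read too long ago to correlate
            continue
        alert = alerts.setdefault(ev["pid"], {"pid": ev["pid"], "proc": ev["proc"],
                                              "stores": [], "hosts": [], "large_upload": False})
        alert["stores"] = sorted(set(alert["stores"]) | cats)
        if ev["host"] not in alert["hosts"]:
            alert["hosts"].append(ev["host"])
        if ev["bytes"] >= LARGE_UPLOAD:
            alert["large_upload"] = True
    return list(alerts.values())


# Constructed sample: a benign Chrome read, a benign Telegram client, the stealer
# pattern (pid 913), and a read followed by a connect outside the window (pid 999).
SAMPLE_EVENTS = [
    "2023-02-20T10:00:01Z pid=501 proc=Google_Chrome open path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "2023-02-20T10:00:02Z pid=501 proc=Google_Chrome connect host=www.google.com bytes=1200",
    "2023-02-20T10:01:00Z pid=620 proc=Telegram connect host=api.telegram.org bytes=4096",
    "2023-02-20T10:05:10Z pid=913 proc=ImageInstaller open path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "2023-02-20T10:05:11Z pid=913 proc=ImageInstaller open path=/Users/alice/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log",
    "2023-02-20T10:05:12Z pid=913 proc=ImageInstaller open path=/Users/alice/Library/Keychains/login.keychain-db",
    "2023-02-20T10:05:13Z pid=913 proc=ImageInstaller open path=/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco",
    "2023-02-20T10:05:14Z pid=913 proc=ImageInstaller open path=/Users/alice/.electrum/wallets/default_wallet",
    "2023-02-20T10:05:20Z pid=913 proc=ImageInstaller connect host=api.telegram.org bytes=3100",
    "2023-02-20T10:05:25Z pid=913 proc=ImageInstaller connect host=anonfiles.com bytes=61865984",
    "2023-02-20T12:00:00Z pid=999 proc=BackupTool open path=/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco",
    "2023-02-20T12:30:00Z pid=999 proc=BackupTool connect host=api.telegram.org bytes=900",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only pid 913 fires: it touched four different stores and then reached both exfil hosts, with the anonfiles upload over the 50 MB mark. The breadth of stores read in a few seconds is the strongest signal; a single browser reading its own profile, or a Telegram client talking to Telegram, is normal and stays silent.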

Around these days, 0xFFF bragged of having sold at least 20 copies of his stealer, and of people who had made over $130k on the Cthulhu NFT Traffer Team.

On one hand, 0xFFF was allegedly told by ping3r that he was being investigated by the Russian and Ukrainian authorities, and he "panicked".

Translated to English:

I receive a message from Pinger saying I’m in development, I started asking where the info is from and what’s going on, he said that it’s all because of the FSB and connections with special services. I started to fold up in a hurry, even changed my email to XSS.

He panicked to the point of writing this on his channels:

Statements that the XSS community didn't like, and that became the object of a discussion. The XSS administration said:

My personal opinion. The seller 0xfff’s statement is related to the unwillingness to make a deposit. Probably, the seller refuses the guarantor on the same basis. When it was possible to recruit clients on the forum without control, under the guise of a technical topic, without even opening the service, the forum was acceptable. As soon as it was necessary to open the service and make a deposit, exactly a few days later the forum became “pure FSB”.

On the other hand, 0xFFF was under a lot of pressure from forum users for refusing to honor the lifetime subscriptions of users who had paid him $400, and also because prices rose to $9000 per month at the end of February.

It is also known that the stability and functionality of this Mac OS stealer were not the best, but it worked. At this point, 0xFFF Stealer had been operational and on public sale for a week.

0xFFF described his product to me like this:

And so. 0xfff Stealer is a product developed by me, without partners or other coders. The full version was released on March 5, 2023, as far as I remember. The stealer performed all the necessary functions: cryptocurrency theft, Safari passwords + all Chromium based. I sold it on XSS and cookie pro (there was not a single sale on cookie XD). The most important thing about it was that it was very affordable; at the first stages you could buy a subscription for a month for $100)))). It worked perfectly

March 2023

In the first days of March, 0xFFF faked the sale of his stealer's source code to balaclava (admin of the CTHULHU Team) for an undisclosed amount of "more than a million rubles", deleted his Telegram account, cleared chats, and disappeared from the Internet as 0xFFF.

balaclava states (translated from Russian):

We bought the source code. The stealer itself is written in C++; the TS is in touch with us, and those who had a subscription will be refunded.
There will be no public sales, and it will be constantly updated

This sale was not announced to 0xFFF's clients, leaving them with a subscription to a dead malware that lasted a few days. I found no evidence of refunds; in practice, clients were hit by an exit scam.

I asked 0xFFF about this:

Tell me about the source code sale to balaclava. I understand that you sold the source code to the Cthulhu team admin balaclava. Is that true?

No, it was a show. When pinger set me up, balaclava and I had to come up with it so that I could calmly leave

0xFFF states that he was genuinely scared of the FSB and SBU threat relayed by ping3r, and decided to leave. He would later reappear, as I will tell, saying he had been stupid to do so.

On the XSS forum, 0xFFF was banned for “defamation and disinformation about the forum”.

ping3r says:

[…] he did not pay me anything in the end, having deceived me. but his stealer stopped working 5 days after those whom I advised bought a stealer from him. after which he scams everyone because the stealer does not work. and all the victims write to me like you advertised — now return the money.

Remember that ping3r and 0xFFF allegedly had an advertising agreement that was disrupted by 0xFFF's actions. Some clients of the stealer demanded their money back from ping3r, thousands of dollars, a problem that was resolved by the creation of AMOS.

0xFFF denies every word stated by ping3r:

Hahahahahah fuckin asshole. 99% it's a lie
I wrote to him, not he to me… The stealer worked flawlessly. God, it was deployed at the NFT scam team, it withstood huge traffic. Everything worked perfectly
He lied to you about everything, don't doubt it

Stage 2 (AMOS Stealer)

ping3r states:

I give the build to the Titan stealer and he reverses it in 2 weeks. I open Amos. I give it to all people scammed by 0xFFF for free, because there were claims against me

The developer team behind the infamous Titan Stealer (a Windows stealer that later ended in an exit scam and disappeared from the Internet, rebranding as Aurora Stealer, which also ended in a scam) was responsible for reversing the 0xFFF build and writing the first builds of Atomic Mac OS Stealer, aka AMOS.

The history of the name, as ping3r told it in the interview:

My first programmer, whom I assigned to create this, suggested the name Atomic. I initially thought it was a generic name and very similar to a cryptocurrency wallet. But after some thought, I decided to consider my programmer’s opinion and came up with Atomic Mac OS Stealer. If you take the capital letters, you get AMOS.

Year 2023

I think AMOS needs no further introduction: it is well known as a fully functional Mac OS stealer that has been around for many months.

As ping3r said, AMOS has had 4 coders.

About the first and second, he states (original text):

He had access to my code. Then he said that he got scared and disappeared for 3–4 months. Then he showed up with the same code as me (since this is my code) and changed it a little. So he just worked with me and was my first coder. After leaving, he kept the source code for himself and became my competitor. This is Rodrigo.

[…] When the titan who worked for me gave me the code, I found out that he was stealing money from clients. There was a script that checked certain wallets for the amount of money and if there was more than needed, these wallets did not go as logs to clients.

When Titan, the first coder, left, I stayed with his friend and worked with him for about 2 months. Then this friend also leaves me because he cannot support it anymore (dog is also the current support of Poseidon). That is, he went to Titan and they began to develop Poseidon, leaving my AMOS to fend for itself.

He is talking about Rodrigo, the developer of another Mac OS malware, Poseidon Stealer, which appeared in September 2023 as a fork of Atomic Stealer.

About the other coders, undisclosed:

I find another coder and together we continue to support it for 2 months. Then the stealer breaks again and this coder no longer knows the solution. I am already on the 4th new coder, and I have been with him since the new year. That is, since the new year 2024 I have the 4th coder and am still with him

AMOS became the #1 Mac OS stealer on the market for one main reason: it works under a reliable administration. It brought a solution to the problem 0xFFF left behind, and operated almost as a monopoly in the Mac OS malware market.

Stage 3 (Poseidon Stealer and many others)

Poseidon Stealer from Rodrigo was the next Mac OS infostealer to become known on the market. It is a very close fork of AMOS, which makes what is told about it plausible: Rodrigo had access to the AMOS beta code and developed his own stealer with the same functionality. In effect, the same malware under different names.

In the interview, Rodrigo described Poseidon as:

#1 Mac OS Stealer on the market. The market is changing, Atomic (AMOS) is already in the past, all that is from it now is leftovers

Other Mac OS infostealers appeared on the market, such as Cthulhu Stealer, from balaclava and the team of the same name.

ping3r told me that Cthulhu was a client of his:

Cthulhu was my client, and this is my fork, but a very bad fork

And this is true, as can be seen in the otstuk records:

Another Mac OS stealer that drew the interest of researchers is the one known as Banshee Stealer, which probably has nothing to do with AMOS. ping3r did not comment on these people.

Stage 4 (Current situation as of mid-2024)

The Poseidon Stealer source code was sold to an unknown buyer, and Rodrigo has disappeared.

AMOS is still operating as usual under ping3r's administration.

0xFFF reappeared in August 2024 under the moniker alh1mik, apologizing for his words about XSS and asking to be unbanned from the forum.

Translated from Russian:

Hello, this is 0xfff, the one with the MacOS Stealer, I think you remember.

I want to open the curtain of secrecy now, I can finally do it and I hope for your understanding. As far as I remember, the reason I was banned on XSS is that I started talking about the forum’s cooperation with the FSB, and I supported it without a single proof, simply out of my stupidity and because of my trust in another person. This person is Pinger, at that time the owner of the cookie pro forum, currently just a shareholder as far as I know.

I receive a message from Pinger saying I’m in development, I started asking where the info is from and what’s going on, he said that it’s all because of the FSB and connections with special services. I started to fold up in a hurry, even changed my email to XSS. And emotionally I expressed all my indignation in the topic in which I said about your alleged connections with special services, as I already explained, I was stupidly fooled. This is evidenced by the fact that after a very short time, when I was roughly “merged”, I see that Pinger is opening the product “Atomic MacOS Stealer”))). I think you understand for what purpose all this was invented. To competently remove the main and essentially the only competitor.

My accusations against you were serious, but completely unfounded, for which I of course apologize, and in principle I am ready to do this in the form of cooperation with your forum on very good terms, if this of course interests you. Cookies made a copy of my stealer? I will now make it 10 times better, and this stealer will promote only your forum, and will be sold only through it. I will repeat myself again, of course, if this is interesting to you.

I really want to get unbanned and continue my activities. Your forum is the only one where I would be happy to do this. I hardly wrote everything I wanted, since some thoughts could fly out of my head. Now I will attach some screenshots of our recent correspondence with Pinger.

He promised a new Mac OS stealer, still in development. When I asked him about it, he said:

I can’t say for sure. I don’t do it actively like before. I burn with it until the fucking pinger shit everything on me. At least a month

Indeed, alh1mik is known to ping3r, but also to Rodrigo, who left some words about him before disappearing:

he sells drugs, does CIS carding and many other idiot things

alh1mik is currently running @chemistryus, mainly involved in the "weed business", nothing to do with malware.

Let’s see how events develop in the following months!

End

Expect more content, if possible
Best regards. :p

Special mention to my fellow friend and malware researcher Xiu (@osint_barbie) / X for her help and feedback on this article :3

2024 ~ @g0njxa
