Infostealers like Atomic macOS Stealer (AMOS) represent far more than standalone malware. They are foundational components of a mature cybercrime economy built around harvesting, trading, and operationalizing stolen digital identities.
Rather than acting as the end goal, modern stealers function as large-scale data collection engines that feed underground markets, where stolen credentials, sessions, and financial data are bought and sold to fuel account takeovers, fraud, and follow-on intrusions.
What makes these campaigns particularly effective is their highly opportunistic social engineering approach: attackers continuously adapt to technology trends, abusing trusted platforms, popular software, search engines, and even emerging AI ecosystems to trick users into executing malware themselves.
This combination of industrialized data monetization and adaptive social engineering has made infostealers one of the most reliable and scalable entry points in today’s cybercrime landscape.
In the new 2026 Enterprise Infostealer Identity Exposure report, Flare researchers highlight the growing dominance of infostealers within the cybercrime economy and the expanding impact of identity exposure on organizations.
In this article, we examine the AMOS infostealer as a case study, exploring its evolution, operational model, and real-world activity across its active years.
How Do Infostealers Work?
Infostealers operate as one of the most critical enablers in the modern cybercrime kill chain because they transform a single infection into large-scale credential, session, and identity compromise.
In general, once executed on a victim machine, an infostealer rapidly enumerates browsers, system credential stores, crypto wallets, messaging apps, and local files, extracting authentication data, session cookies, and sensitive documents before exfiltrating them to attacker-controlled infrastructure.
ClawHavoc - The Most Recent Campaign