Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the macOS platform, family AtomicSteal
Trojan:MacOS/AtomicSteal.D is a critical macOS information stealer that targets a wide range of sensitive data. It exfiltrates browser login credentials, cookies, autofill data, cryptocurrency wallet information (e.g., Exodus, Electrum), and macOS keychain passwords, indicating a comprehensive attack on user privacy and financial assets.
No specific strings found for this threat
rule Trojan_MacOS_AtomicSteal_D_2147900430_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MacOS/AtomicSteal.D"
        threat_id = "2147900430"
        type = "Trojan"
        platform = "MacOS: "
        family = "AtomicSteal"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_MACHOHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {43 68 72 6f 6d 69 75 6d 2f 00 2f 43 6f 6f 6b 69 65 73 00 4c 6f 67 69 6e 20 44 61 74 61 00 2f 50 61 73 73 77 6f 72 64 00 57 65 62 20 44 61 74 61 00 2f 41 75 74 6f 66 69 6c 6c} //weight: 1, accuracy: High
        $x_1_2 = {2f 57 61 6c 6c 65 74 73 2f 00 5f 00 45 78 6f 64 75 73 00 45 6c 65 63 74 72 75 6d 00 43 6f 69 6e 6f 6d 69 00 47 75 61 72 64 61 00 57 61 73 61 62 69} //weight: 1, accuracy: High
        $x_1_3 = {73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 20 53 50 44 69 73 70 6c 61 79 73 44 61 74 61 54 79 70 65 00 73 77 5f 76 65 72 73} //weight: 1, accuracy: High
        $x_1_4 = "dscl /Local/Default -authonly" ascii //weight: 1
        $x_1_5 = "/Library/Keychains/login.keychain-db" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

0d27ed5e991a507e7f8e21c6096c16eb2b94ac9d5ec6bc6988067370394041dc

Immediately isolate the affected macOS device. Perform a full system scan with updated antivirus software and remove all detected threats. Change all critical passwords (e.g., email, banking, cryptocurrency, online services) and enable Multi-Factor Authentication (MFA) on all accounts. Monitor financial and cryptocurrency accounts for any suspicious activity. Consider a clean reinstallation of macOS and restore from a trusted, known-good backup.