Researchers at Malwarebytes have discovered a new malvertising campaign targeting Mac users with an updated version of the macOS stealer known as Atomic Stealer [5]. This campaign highlights the increasing vulnerability of macOS to malware attacks [3] [4].


The new vector of attack for the macOS malware known as Atomic macOS Stealer (AMOS) has been discovered [1]. This malware is being delivered through a Google ad scheme [1], with the ads appearing as legitimate and paid for [1]. The attackers create near-perfect clones of websites or software that users are searching for [1], tricking them into downloading the malware [1]. Once installed, AMOS collects sensitive data such as passwords [1], crypto [1] [2], and files [1]. It does not need to go through the normal installation process and instead prompts users to enter their system password [1]. The harvested data is then sent to the malware operator [1].

It is worth noting that Atomic Stealer is not the only malware propagated via malvertising and search engine optimization campaigns [3] [4]. Evidence of DarkGate latching onto the same delivery mechanism has emerged [3] [4]. Criminals distribute the updated version of Atomic Stealer through cracked software downloads and by impersonating legitimate websites and using ads on search engines [2]. One specific campaign targeted TradingView [2], a popular platform for tracking financial markets [2]. The Atomic Stealer first emerged in April 2023 [5], and this malvertising campaign serves as a reminder of the ongoing threat it poses to Mac users. Users must remain vigilant in protecting their devices [5].


This discovery highlights the need for increased vigilance and protection against malware attacks on macOS. The use of malvertising and search engine optimization campaigns as delivery mechanisms for malware is a growing concern. Users should be cautious when downloading software or visiting websites, especially those that appear as clones of legitimate ones. It is crucial to regularly update security software and remain aware of the ongoing threats in order to safeguard personal data and devices.