Malicious ads and fake websites are being used to distribute two different stealer malware families, including Atomic Stealer, to target Apple macOS users.
According to a report published by Jamf Threat Labs on Friday, the ongoing attacks by infostealers targeting macOS users have employed various methods to compromise Macs, all with the goal of stealing sensitive data.
One attack chain targets users searching for Arc Browser on search engines like Google, redirecting them to fake sites (“airci[.]net”) that distribute the malware through bogus ads.
The malicious website linked to this scam can only be accessed through a generated sponsored link to avoid detection.
The counterfeit website serves a disk image file called “ArcSetup.dmg,” which contains Atomic Stealer. This malware tricks users into entering their system passwords through a fake prompt and then steals their information.
Jamf also identified another fake website, meethub[.]gg, which claims to provide free group meeting scheduling software but actually installs malware that harvests keychain data, web browser credentials, and cryptocurrency wallet information.
This malware, similar to Atomic Stealer, prompts users for their macOS login password using an AppleScript call to carry out its malicious activities. It is related to the Rust-based stealer family Realst.
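As an added illustration from the defender's side (not code from the Jamf report or from this article): a small Python hunting heuristic for the fake-password-prompt behaviour described in the two paragraphs above, which looks for an osascript "display dialog ... with hidden answer" launched by a process running out of a mounted disk image. The log layout and the sample lines are constructed for this example.

```python
import re
# Hunting heuristic for the fake-password-prompt technique described above: an
# AppleScript "display dialog ... with hidden answer" run through osascript by
# a process living on a freshly mounted disk image. The log layout
# "<timestamp> <pid> <ppid> <parent_image> | <command line>" is an assumption.
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"with\s+hidden\s+answer", re.I)
PASSWORD_RE = re.compile(r"password", re.I)
DMG_VOLUME_RE = re.compile(r"^/Volumes/[^/]+/")

def score_launch(parent_image: str, cmd: str) -> list:
    """Return the suspicious traits seen in one process launch (empty if none)."""
    reasons = []
    if "osascript" in cmd and DIALOG_RE.search(cmd):
        reasons.append("osascript display dialog")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden-answer field (password-style input)")
        if PASSWORD_RE.search(cmd):
            reasons.append("prompt text mentions a password")
    if DMG_VOLUME_RE.search(parent_image):
        reasons.append("parent process runs from a mounted disk image")
    return reasons

def parse_line(line: str):
    """Split a log line into (parent_image, command); None if malformed."""
    meta, sep, cmd = line.partition(" | ")
    fields = meta.split()
    return (fields[3], cmd) if sep and len(fields) == 4 else None

def scan(lines) -> list:
    """Flag (line_no, parent_image, reasons) for a dialog plus one more trait."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent_image, cmd = parsed
        reasons = score_launch(parent_image, cmd)
        # A lone "display dialog" is common in benign automation; need corroboration.
        if "osascript display dialog" in reasons and len(reasons) >= 2:
            findings.append((n, parent_image, reasons))
    return findings

# Constructed sample telemetry (not real logs); line 2 mimics the fake prompt.
SAMPLE_LOG = [
    "2024-03-29T10:14:58Z 512 1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder | /usr/bin/hdiutil attach /Users/alice/Downloads/ArcSetup.dmg",
    "2024-03-29T10:15:07Z 613 512 /Volumes/ArcSetup/Arc.app/Contents/MacOS/Arc | /usr/bin/osascript -e 'display dialog \"macOS needs your password to continue\" default answer \"\" with hidden answer'",
    "2024-03-29T10:16:40Z 702 1 /bin/bash | /usr/bin/osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'",
]
```

Running `scan(SAMPLE_LOG)` flags only the second line; the benign "Backup finished" dialog on line 3 is left alone because it has no corroborating trait.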
These attacks often target individuals in the cryptocurrency industry, offering job opportunities or podcast interviews and asking them to download an app from meethub[.]gg for a video conference.
Recent reports from MacPaw’s Moonlock Lab reveal that threat actors are using malicious DMG files (“App_v1.0.4.dmg”) to deploy stealer malware that extracts credentials and data from various applications by launching deceptive prompts that trick users into providing system passwords.
These incidents highlight the increasing threat of stealer attacks on macOS systems, with some malware strains employing sophisticated anti-virtualization techniques to evade detection.
Recent malvertising campaigns have also been observed distributing the FakeBat loader and other information stealers like Rhadamanthys via a Go-based loader through fake sites for popular software such as Notion and PuTTY.