Malicious Ad Campaigns Targeting macOS Users with Atomic Stealer and Realst Malware
A recent report from Jamf Threat Labs describes a wave of infostealer attacks on Apple macOS users. The attacks rely on malicious ads and look-alike websites to get victims to download and run the malware themselves, with the goal of stealing credentials and other sensitive data.
One attack chain identified by the researchers starts with a user searching for Arc Browser on Google. A sponsored result leads to a look-alike site (“airci[.]net”) that serves the malware. Notably, the site cannot be reached directly: it only serves its payload to visitors who arrive via the sponsored link, which keeps it out of sight of researchers and automated scanners.
The disk image downloaded from the site (“ArcSetup.dmg”) contains Atomic Stealer. Once run, it displays a fake system dialog asking for the user’s password; the password the victim types in is what lets the malware get at the protected data it then steals.
Another deceptive site, meethub[.]gg, advertises free group-meeting scheduling software but instead installs a different stealer, believed to be related to the Realst family. It harvests sensitive data and likewise asks the victim for the macOS login password, in this case via AppleScript dialogs.
The lure is often a job offer or a podcast interview invitation that requires installing the meeting app from meethub[.]gg. Cryptocurrency industry professionals are a favoured target because of the size of the potential payout.
In a separate finding, Moonlock Lab (MacPaw’s cybersecurity division) described a malicious DMG (“App_v1.0.4.dmg”) that deploys a stealer variant. It pulls obfuscated AppleScript and bash payloads from a server at a Russian IP address and uses them to extract credentials and data from a range of applications.
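The two behaviours described above, the scripted password prompt (ArcSetup.dmg and meethub[.]gg) and the obfuscated AppleScript/bash stages (App_v1.0.4.dmg), both leave traces in process-execution telemetry. The following is an added detection example written for this page, not code from the Jamf or Moonlock reports: it scans constructed execution events (the event format, process paths, dialog wording and base64 payload are all assumptions for illustration) and flags osascript dialogs that collect a hidden answer, base64 runs on a command line that decode to a script, and, as supporting context only, a parent process running from a mounted disk image.

```python
import base64
import binascii
import re
import shlex

# AppleScript dialog that collects a password-style (hidden) answer.
HIDDEN_ANSWER_RE = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer\b", re.I | re.S)
# A run of base64 long enough to carry a command rather than a short token.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
SCRIPT_HOSTS = {"osascript", "bash", "sh", "zsh"}

R_PROMPT = "scripted dialog collecting a hidden (password-style) answer"
R_B64 = "base64-obfuscated script payload on the command line"
R_DMG = "spawned by an app running from a mounted disk image"


def decode_base64_runs(text):
    """Return the decodings of any long base64 runs in text that are readable script text."""
    decoded = []
    for run in B64_RUN_RE.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            script = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # not base64, or not text
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in script):
            decoded.append(script)
    return decoded


def classify(event):
    """Return the reasons an execution event looks like the stealer behaviour ([] if none)."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes in a raw log line
        argv = event["cmdline"].split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in SCRIPT_HOSTS:
        return []
    reasons = []
    # Inspect the command line and anything it smuggles in as base64.
    payloads = decode_base64_runs(event["cmdline"])
    if any(HIDDEN_ANSWER_RE.search(t) for t in [event["cmdline"], *payloads]):
        reasons.append(R_PROMPT)
    if payloads:
        reasons.append(R_B64)
    # Disk-image provenance is only supporting context: legitimate installers do it too.
    if reasons and event["parent"].startswith("/Volumes/"):
        reasons.append(R_DMG)
    return reasons


def scan(events):
    """Return (pid, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


# Constructed sample data (assumed wording and paths; not from the reports).
PASSWORD_DIALOG = (
    'display dialog "macOS needs your password to finish installing Arc" '
    'default answer "" with hidden answer with title "System Preferences" with icon caution'
)
# A constructed second stage of the kind a loader hides behind base64: it carries the
# same password dialog, embedded here so the example runs offline.
STAGE2_B64 = base64.b64encode(f"osascript -e '{PASSWORD_DIALOG}'".encode()).decode()

SAMPLE_EVENTS = [
    {"pid": 501, "parent": "/Volumes/ArcSetup/Arc.app/Contents/MacOS/Arc",
     "cmdline": f"/usr/bin/osascript -e '{PASSWORD_DIALOG}'"},
    {"pid": 502, "parent": "/Volumes/App_v1.0.4/App.app/Contents/MacOS/App",
     "cmdline": f'/bin/bash -c "echo {STAGE2_B64} | base64 -d | bash"'},
    {"pid": 503, "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "/usr/bin/osascript -e 'display notification \"Build finished\" with title \"CI\"'"},
    {"pid": 504, "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "/bin/bash -c 'ls -la /Volumes'"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The disk-image signal is deliberately additive rather than a rule on its own, because plenty of legitimate installers run osascript from a mounted DMG; the hidden-answer dialog and the base64-carried script are the signals worth alerting on, and decoding the base64 before matching is what catches the second stage that a plain string match on the command line would miss.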
These findings underscore the growing threat that stealer malware poses to macOS environments. Some strains also include anti-virtualization checks, including kill switches that make the malware delete itself when it detects a virtual machine, to frustrate sandbox analysis and evade detection.
Recent malvertising campaigns have also been observed distributing malware loaders like FakeBat (aka EugenLoader) and information stealers such as Rhadamanthys through decoy sites for popular software like Notion and PuTTY.