Atomic Stealer Malware Is Using A Devious Ploy To Infect Mac Systems

A malware campaign that began in July of this year and originally targeted Microsoft Windows is now taking aim at Apple's macOS. Security researcher Ankit Anubhav shared on the Infosec Exchange Mastodon instance that the campaign has been updated to push a DMG file payload when it detects a visitor browsing with Safari.

The campaign, dubbed ClearFake, relies on malicious JavaScript that the threat actor injects into compromised websites. A visitor is shown a prompt claiming that their web browser needs an update, along with a download button that fetches the malware to the user's system. The user then runs the file believing they are installing a legitimate software update.

Mac users are being infected with Atomic Stealer, also known as AMOS, a popular piece of malware used by threat actors looking to steal files and passwords from victims running macOS. Malwarebytes states that “With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.”


This new twist builds on an earlier update to the campaign in which the malicious code was retrieved from smart contracts on Binance's Smart Chain rather than from a conventional host, a technique Guardio Labs calls “EtherHiding.” According to Guardio Labs, “This is what we see here in this attack — malicious code is hosted and served in a manner that can’t be blocked. Unlike hosting it on a Cloudflare Worker service as was mitigated on the earlier variant. Truly, it is a double-edged sword in decentralized tech.”
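The two mechanics described above, a fake-update lure gated on the visitor's user agent and next-stage code resolved through a blockchain RPC endpoint, can be turned into a simple static triage check over a page's inline scripts. The Python below is an added example written for this article; it is not code from the campaign, from Guardio Labs, or from Malwarebytes. Both script samples and the HTML page are constructed for the example, and the indicator patterns (the Binance Smart Chain RPC hostname, the eth_call method name, the .dmg and "browser out of date" strings) are assumptions a defender would tune, not indicators published on this page.

```python
import re

# Constructed sample of a ClearFake-style injected script (written for this
# example, not real campaign code). It gates the lure on the Safari user agent,
# offers a .dmg "update", and queries a blockchain JSON-RPC endpoint for its
# next stage in the EtherHiding manner.
SAMPLE_INJECTED = r"""
(function () {
  var ua = navigator.userAgent;
  if (ua.indexOf("Safari") !== -1 && ua.indexOf("Chrome") === -1) {
    var box = document.createElement("div");
    box.innerHTML = "<h2>Your browser is out of date</h2>" +
      "<a href='https://cdn.example.invalid/SafariUpdate.dmg'>Update browser</a>";
    document.body.appendChild(box);
  }
  fetch("https://bsc-dataseed.binance.org/", {
    method: "POST",
    body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})
  });
})();
"""

# Constructed benign script: reads the user agent for analytics only, so a
# user-agent check on its own must not be enough to flag a page.
SAMPLE_BENIGN = r"""
(function () {
  var ua = navigator.userAgent;
  navigator.sendBeacon("/analytics", JSON.stringify({ua: ua}));
})();
"""

# Constructed page carrying both scripts, as a scanner would see it.
SAMPLE_PAGE = (
    "<html><head><script>" + SAMPLE_BENIGN + "</script></head>"
    "<body><p>hello</p><script type='text/javascript'>" + SAMPLE_INJECTED + "</script></body></html>"
)

# Assumed indicators; tune these for a real deployment.
CHAIN_RPC_RE = re.compile(r"bsc-dataseed[^\s\"']*\.binance\.org|\beth_call\b", re.I)
UA_RE = re.compile(r"navigator\.(userAgent|platform|vendor)")
DMG_RE = re.compile(r"\.dmg\b", re.I)
LURE_RE = re.compile(
    r"(browser|safari|chrome|firefox)[^.\n]{0,60}(update|out of date)"
    r"|update[^.\n]{0,40}browser",
    re.I,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def analyze(script: str) -> dict:
    """Flag one script body. A script is suspicious when it talks to a chain
    RPC endpoint, or when a user-agent check is paired with a .dmg link or
    fake-update wording; a bare user-agent read is not enough."""
    ua_check = bool(UA_RE.search(script))
    dmg_download = bool(DMG_RE.search(script))
    fake_update_lure = bool(LURE_RE.search(script))
    chain_rpc = bool(CHAIN_RPC_RE.search(script))
    suspicious = chain_rpc or (ua_check and (dmg_download or fake_update_lure))
    return {
        "ua_check": ua_check,
        "dmg_download": dmg_download,
        "fake_update_lure": fake_update_lure,
        "chain_rpc": chain_rpc,
        "suspicious": suspicious,
    }


def scan_html(html: str) -> list:
    """Return the analysis of every inline <script> in a page that is flagged."""
    return [r for r in (analyze(body) for body in SCRIPT_RE.findall(html)) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE):
        print("flagged:", {k: v for k, v in hit.items() if v})
```

String matching like this is a triage aid, not a control: the injected code in a real ClearFake page is typically obfuscated and loads its stage from the contract at runtime, so the patterns above will miss a minimally repacked variant. The durable check is the one the user can apply without tooling: no browser delivers its updates through a download button on a third-party site, and Safari in particular is updated only through macOS Software Update.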

Unfortunately, this campaign is becoming more complex and targeting more systems, so users of both Windows and macOS need to be more careful about where they get software downloads. A browser never delivers its own update through a download button on a website: Safari is updated through macOS Software Update, and a .dmg offered by a random site as a "browser update" should be treated as malware.