Credential Stealer “Atomic” Targeting Mac Users Via Fake Software Ads
A sophisticated online campaign is leveraging search engine advertising to distribute potent malware capable of stealing sensitive login credentials from Mac computers. Security researchers have identified a widespread effort using Search Engine Optimization (SEO) tactics to place fraudulent ads for popular software – including LastPass – at the top of search results on Google and Bing.
LastPass alerted users late last week to the campaign, which directs victims to fake GitHub pages disguised as legitimate download sources for macOS applications. These pages, now taken down, deliver either “Atomic Stealer” or “Amos Stealer,” malware specifically designed to harvest usernames, passwords, and other credentials stored on infected machines.
“We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts, and to also share indicators of compromise (IoCs) to help other security teams detect cyber threats,” LastPass stated in a blog post detailing the threat.
The attack isn’t limited to LastPass. Compromise indicators released by LastPass reveal a broad targeting scope, with attackers also impersonating 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. The fraudulent ads typically feature the software’s name in large, prominent fonts to attract clicks.
Once clicked, the ads redirect users to GitHub pages hosting malicious versions of Atomic Stealer, disguised as the official software. This method allows attackers to bypass customary security measures and deliver the credential stealer directly to unsuspecting users.
This campaign highlights a growing trend of attackers exploiting the trust associated with well-known brands and using SEO poisoning to distribute malware. Mac users are advised to exercise extreme caution when downloading software, verifying the source and ensuring it matches the official website before installation. Security professionals are encouraged to review the indicators of compromise (IoCs) provided by LastPass to bolster their threat detection capabilities.
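To make the advice above concrete, the following is an added example (not code from LastPass or from this article) of a small triage filter a security team might run over web-proxy logs: it flags macOS installer downloads served from GitHub whose repository path carries one of the brand names the article says the campaign impersonates, and separately matches the repository against an IoC list. The brand list is taken from the article; the log line format, the client addresses, the repository names and the IoC entry are constructed placeholders and must be replaced with the indicators LastPass actually published.

```python
"""
Added example: proxy-log triage for SEO-poisoning downloads hosted on GitHub.
Not from the LastPass post or the article; log lines and IoCs are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Brands the article says the campaign impersonates (lower-cased for matching).
IMPERSONATED_BRANDS = [
    "lastpass", "1password", "basecamp", "dropbox", "gemini", "hootsuite",
    "notion", "obsidian", "robinhood", "salesloft", "sentinelone", "shopify",
    "thunderbird", "tweetdeck",
]

# Real GitHub hostnames from which repository files are served.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}

# macOS installer packaging the campaign is delivered as (per the article: fake apps).
INSTALLER_EXT = re.compile(r"\.(dmg|pkg|zip)$", re.IGNORECASE)

# Constructed placeholder IoC (owner/repo, lower-case). Replace with the published list.
IOC_REPOS = {"github.com/example-ioc-owner/lastpass-mac"}


def flag_url(url: str) -> Optional[Dict]:
    """Return a finding for a GitHub-hosted installer download that mentions an
    impersonated brand or matches an IoC repo; None otherwise."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host not in GITHUB_HOSTS or not INSTALLER_EXT.search(path):
        return None
    # First two path segments on these hosts are <owner>/<repo>.
    repo = host + "/" + "/".join(path.strip("/").split("/")[:2])
    brands = [b for b in IMPERSONATED_BRANDS if b in path]
    ioc_hit = repo in IOC_REPOS
    if not brands and not ioc_hit:
        return None
    return {"url": url, "repo": repo, "brands": brands, "ioc": ioc_hit}


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan constructed proxy lines: '<timestamp> <client_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip
        finding = flag_url(parts[3])
        if finding:
            finding["client"] = parts[1]
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic or real indicators).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 GET https://github.com/example-fake-owner/LastPass-macOS/releases/download/v1/LastPass.dmg 200",
    "2025-01-01T10:01:00Z 10.0.0.6 GET https://github.com/someorg/sometool/releases/download/v2/tool.dmg 200",
    "2025-01-01T10:02:00Z 10.0.0.7 GET https://www.example.com/dropbox.dmg 200",
    "2025-01-01T10:03:00Z 10.0.0.8 GET https://github.com/owner/notion-clone/README.md 200",
    "2025-01-01T10:04:00Z 10.0.0.9 GET https://github.com/example-ioc-owner/lastpass-mac/raw/main/installer.pkg 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['repo']} brands={f['brands']} ioc={f['ioc']}")
```

The brand-name heuristic is deliberately noisy: legitimate community projects also mention these names, so treat a brand-only hit as a lead for an analyst to verify against the vendor's official download page, while an IoC match on the owner/repo is the higher-confidence signal. Official installers should still be checked against the vendor's own site as the article recommends, regardless of what the log filter says.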