Atomic macOS Stealer: A New Wave of Malvertising Targeting Mac Users


Published on Sep 9, 2023   —   2 min read

The cybersecurity landscape is ever-evolving, and the recent discovery of a malvertising campaign targeting macOS users is a testament to this. The campaign delivers a new version of the Atomic Stealer malware, specifically designed for Mac OS. This blog post aims to dissect the campaign, its distribution methods, and the malware itself, while also offering preventive measures. The original report was published by Malwarebytes.

The Campaign

Targeting Both Windows and macOS

While malvertising campaigns have predominantly targeted Windows users, this new campaign aims at both Windows and macOS platforms. The macOS malware is an updated version of Atomic Stealer (AMOS), initially advertised in April 2023. AMOS focuses on stealing crypto assets, browser passwords, and Apple's keychain data.

Distribution Tactics

The threat actors employ a multi-pronged approach for distribution:

  1. Search Engine Ads: Ads matching well-known brands like TradingView are purchased to trick users into visiting phishing sites.
  2. Phishing Sites: These sites appear authentic and offer download buttons for Windows, Mac, and Linux.
  3. Social Engineering: The Mac download comes with instructions to bypass GateKeeper, Apple's security feature.

Technical Insights

The malware is ad-hoc signed, meaning it's not an Apple certificate and thus cannot be revoked. Once executed, it prompts the user for their password in a never-ending loop until the victim relents.

Security Implications

Evasion Techniques

The malware employs evasion techniques to bypass detection, making it a potent threat. It also uses bulletproof servers for data exfiltration, adding another layer of complexity to its operations.

Indicators of Compromise (IoCs)

  • Ad domain: xn--tradgsvews-0ubd3y[.]com
  • Phishing domain: trabingviews[.]com
  • AMOS C2: 185.106.93[.]154

Preventive Measures

  1. Verify Website Authenticity: Always double-check the URL and the SSL certificate of the website you're visiting.
  2. Use Real-Time Antivirus: Employ antivirus solutions with real-time protection.
  3. Be Skeptical of Ads: Be cautious when clicking on ads, especially those that lead to software downloads.


The Atomic macOS Stealer campaign is a stark reminder that no platform is entirely safe from cyber threats. The campaign's sophistication lies in its multi-vector attack strategy and its focus on macOS, a platform often considered more secure than its counterparts.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.