ClearFake malware campaign targets Mac users via fake browser updates

A new malware campaign has been observed that is delivering the macOS information stealer known as Atomic Stealer aka AMOS through a fake browser update chain tracked as “ClearFake”.

First discovered in August, the ClearFake social engineering campaign has gone through several upgrades, including the use of smart contracts to build its redirect mechanism. In September, researchers observed the campaign delivering Atomic Stealer via malicious ads.

“This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system,” Malwarebytes’ threat analyst Jérôme Segura noted in a blog post.

In the most recent campaign, clicking on a malicious link in phishing emails or on social media posts leads unsuspecting Mac users to a webpage impersonating Apple’s official download portal for Safari or a fake portal for Google’s browser.

Upon clicking the “Download” button, a DMG file claiming to be a browser update is downloaded onto the machine. Victims are then instructed on how to open the file, which prompts for the administrator password and immediately runs commands once it is supplied.

Once the password is entered, Atomic Stealer gains full access to the victim’s Mac. It then proceeds to collect browsing data, cookies, passwords, credit card numbers and other sensitive data and sends it back to the threat actors behind ClearFake.

“Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it,” Malwarebytes said.
