Nov 22, 2023NewsroomSEO poisoning / Malware Analysis

The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake.

“This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system,” Malwarebytes’ Jérôme Segura said in a Tuesday analysis.

Atomic Stealer (aka AMOS), first documented in April 2023, is a commercial stealer malware family that’s sold on a subscription basis for $1,000 per month. It comes with capabilities to siphon data from web browsers and cryptocurrency wallets.


Then in September 2023, Malwarebytes detailed an Atomic Stealer campaign that took advantage of malicious Google ads, tricking macOS users searching for a financial charting platform known as TradingView into downloading the malware.

ClearFake, on the other hand, is a nascent malware distribution operation that employs compromised WordPress sites to serve fraudulent web browser update notices in hopes of deploying stealers and other malware.

It’s the latest addition to a larger pool of threat actors such as TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and EtherHiding that are known to use themes related to fake browser updates for this purpose.

Atomic Stealer

As of November 2023, the ClearFake campaign has been expanded to target macOS systems with a near-identical infection chain, leveraging hacked websites to deliver Atomic Stealer in the form of a DMG file.

The development is a sign that stealer malware continues to rely on fake or poisoned installer files for legitimate software via malicious advertisements, search engine redirects to malicious websites, drive-by downloads, phishing, and SEO poisoning for propagation.

“The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments,” Segura said.

Lumma Stealer Claims to Find a Way to Extract Persistent Google Cookies

The disclosure also follows updates to the LummaC2 stealer that utilizes a novel trigonometry-based anti-sandbox technique that forces the malware to wait until “human” behavior is detected in the infected machine.


The operators of the malware have also been promoting a new feature that they claim can be used to gather Google Account cookies from compromised computers that will not expire or get revoked even if the owner changes the password.

“This will result in a major shift in the cybercrime world, enabling hackers to infiltrate even more accounts and perform significant attacks,” Alon Gal, co-founder and CTO at Hudson Rock, said in a set of posts on LinkedIn.

“The bottom line is that these cookies seem more persistent and could lead to an influx of Google services used by people being hacked, and if the claim that a password change doesn’t invalidate the session is true, we’re looking at much bigger problems.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.