ClickCease Malvertising On Mac: Atomic Stealer Endangers Mac Users

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Malvertising On Mac: Atomic Stealer Endangers Mac Users

Wajahat Raja

September 19, 2023 - TuxCare expert team

A worrying malvertising On Mac campaign has just appeared, propagating an improved variation of the infamous macOS stealer malware known as Atomic Stealer, or simply AMOS. The active maintenance and development of these malware attacks on macOS is concerning, implying that its developers continue to enhance its powers.    


The Emergence of Atomic Stealer


Atomic Stealer malware, first discovered in April 2023, is a commercially available Golang-based malware that can be bought for $1,000 per month. It first appeared as a threat primarily targeting Mac OS users, with a specific emphasis on Bitcoin holdings. This sophisticated virus has a wide range of features, including the capacity to extract passwords from web browsers and Apple’s keychain, as well as the ability to steal files from affected PCs.


The developer of AMOS has demonstrated a commitment to furthering this evil project, with a new version released at the end of June. This freshly created macOS payload is cleverly wrapped within an unsigned application, increasing Mac cybersecurity risks. Once executed, naive users are invited to enter their password, oblivious to the fact that this seemingly harmless prompt masks a dark objective – the theft of files and sensitive data stored in iCloud Keychain and online browsers.


Those who purchase this toolkit for illicit reasons have used a variety of distribution routes, the most common of which is cracked software downloads. They have, however, resorted to replicating respectable websites and using fraudulent adverts on big search engines such as Google to lure skeptical individuals into their traps.


Malvertising On Mac: The Unsettling Distribution Tactics 


The latest campaign begins with the development of a fake TradingView website that cleverly displays three prominent download buttons for Windows, macOS, and Linux operating systems. When people want to download new software, they naturally turn to search engines like Google. Threat actors have taken advantage of this behavior by purchasing advertising that seems like well-known businesses and referring people to their phony sites, which are cleverly disguised as genuine pages. So, malware removal on Mac has become a grave issue due to the rise in these cybersecurity weaknesses

To make matters even more complicated, the TradingView ad (tradıņgsvıews[.]com) uses special unicode characters “trad\u0131\u0146gsv\u0131ews[.]com” to impersonate the authentic domain, thereby evading detection by Google’s ad quality checks. It is worth mentioning that Google’s Ads Transparency Centre discloses an advertiser’s account belonging to a person from Belarus, who was most likely a victim of a compromised ad account exploited by the attacker.


The Malicious Payload


When people click the ad, they are redirected to a phishing page hosted at trabingviews[.]com that is meant to look like an actual TradingView page. It includes download links for Windows, Mac, and Linux.

The downloaded file, TradingView.dmg,” includes instructions for bypassing GateKeeper and avoiding the need to copy it into the Mac’s Apps folder. Instead, it is mounted and executed directly. The virus hidden within this ad-hoc signed program does not have Apple certification, making it resistant to certificate revocation. When executed, it begins a never-ending loop of prompting the user for their password until, inevitably, they fall victim and enter it.

With this atomic stealer spreading, its major goal is to quickly execute its program, stealing data from victims and quickly exfiltrating it to their own server. Notably, the effectiveness of any infostealer operation is dependent on the reliability of the backend server used, and AMOS engineers explicitly urge using a “bulletproof” server.


Protecting Against Malvertising Dangers


Malvertising is still an effective method of luring unsuspecting victims by taking advantage of confidence in search engines. The combination of harmful advertisements and cleverly constructed phishing pages creates a serious threat capable of fooling virtually anyone.

Although Mac security threats are less common than Windows malware, AMOS’s makers have publicly promoted its ability to avoid detection as a selling factor. As a result, protecting Mac from malvertising has become extremely crucial. Proceeding with caution before opening any new program should be the first thing to consider. Users should double-check the source’s trustworthiness, especially if they initially clicked on an ad to download an app. It is critical to validate the website’s authenticity and ensure it is not a counterfeit clone.

It is worth noting that Malwarebytes recognizes this malicious malware as OSX.AtomStealer. Malware prevention for Mac can be prioritized by using an antivirus solution with real-time protection against threats like AMOS. This preventive method can keep viruses out of the system, protecting sensitive data from theft.




The return of Atomic Stealer malware via malvertising operations highlights the importance of Mac user safety in the ever-changing spectrum of cyber threats. Users can strengthen their defenses against the growing threat of AMOS and similar issues on varying operating systems. This can be achieved by staying aware, exercising caution, and implementing solid security measures, ensuring their digital well-being and data remain protected.


The sources for this piece include articles in Malwarebytes and The Hacker News

Malvertising On Mac: Atomic Stealer Endangers Mac Users
Article Name
Malvertising On Mac: Atomic Stealer Endangers Mac Users
Stay protected from 'Malvertising on Mac' as Atomic Stealer spreads. Learn how to safeguard your Mac against this emerging threat. Act now!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter