ClearFake Campaign Expands to Deliver Atomic Stealer to Mac Systems

Nov 22, 2023NewsroomSEO Toxicity / Malware Analysis

Atomic Stealer

The macOS information stealer known as Atomic is now being delivered to the target via a fake web browser update chain tracked as ClearFake.

“This may be the first time that we have seen one of the main social engineering campaigns, previously reserved for Windows, branching out not only in terms of geolocation but also operating system,” Malwarebytes’ Jérôme Segura SAYS in an analysis on Tuesday.

Atomic Stealer (aka AMOS), first documented in April 2023, is a commercial stealth malware family sold on a subscription basis for $1,000 per month. It has capabilities to siphon data from web browsers and cryptocurrency wallets.


After September 2023, Malwarebytes detailed an Atomic Stealer campaign that exploited malicious Google ads, tricking macOS users looking for a financial charting platform known as TradingView into downloading malware .

ClearFake, on the other hand, is a new malware distribution operation that uses compromised WordPress sites to serve up fraudulent web browser update notifications in the hopes that hackers and other malware can be deployed.

This is the latest addition to a larger group of threat actors such as TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and EtherHiding that are known to use themes with related to fake browser updates for this purpose.

Atomic Stealer

In November 2023, the ClearFake campaign was expanded to target macOS systems with a nearly identical infection chain, using hacked websites to deliver Atomic Stealer in the form of a DMG file.

The increase is a sign that malware thieves continue to rely on fake or poisoned installer files for legitimate software through malicious ads, search engine redirects to malicious websites, download drives -by, phishing, and SEO poisoning for the spread.

“The popularity of thieves like AMOS makes it easy to adapt the payload to different victims, with little modification,” Segura said.

Lumma Stealer Claims to Find a Way to Get Persistent Google Cookies

The disclosure also follows updates to the LummaC2 stealer that uses a novel trigonometry-based anti-sandbox technique that forces the malware to wait until “human” behavior appears on the infected machine.


The malware operators are also promoting a new feature that they claim can be used to collect Google Account cookies from compromised computers that will not expire or be recovered even if the owner changes the password.

“This will result in a major change in the world of cybercrime, enabling hackers to infiltrate more accounts and carry out significant attacks,” said Alon Gal, co-founder and CTO of Hudson Rock. , said a set on posts on LinkedIn.

“The reason is that these cookies seem to be very persistent and can lead to an influx of Google services used by people who are hacked, and if the claim that a password change does not interfere session really, we looked at the bigger. problems.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment