{
	"id": "dc79c578-f2d0-4c55-ad12-e9b417b60cd4",
	"created_at": "2026-04-06T00:07:09.801335Z",
	"updated_at": "2026-04-10T03:22:05.430942Z",
	"deleted_at": null,
	"sha1_hash": "072fcd8713ec672d95da06f9d9fc093ccdc58c84",
	"title": "Mac users targeted in new malvertising campaign delivering Atomic Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750240,
	"plain_text": "Mac users targeted in new malvertising campaign delivering\r\nAtomic Stealer\r\nBy Jérôme Segura\r\nPublished: 2023-09-06 · Archived: 2026-04-05 16:48:56 UTC\r\nSummary\r\nMalicious ads for Google searches are targeting Mac users\r\nPhishing sites trick victims into downloading what they believe is the app they want\r\nThe malware is bundled in an ad-hoc signed app so it cannot be revoked by Apple\r\nThe payload is a new version of the recent Atomic Stealer for OSX\r\nIntroduction\r\nThe majority of the malvertising campaigns we have tracked for the past few months have targeted Windows\r\nusers. That’s not surprising considering that Microsoft holds the largest market share for both desktop and laptop\r\ncomputers.\r\nHowever, we recently captured a campaign that was pushing both Windows and Mac malware, the latter being an\r\nupdated version of the new but popular Atomic Stealer (AMOS) for Mac.\r\nAMOS was first advertised in April 2023 as a stealer for Mac OS with a strong focus on crypto assets, capable of\r\nharvesting passwords from browsers and Apple’s keychain, as well as featuring a file grabber. The developer has\r\nbeen actively working on the project, releasing a new version at the end of June.\r\nCriminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also\r\nimpersonating legitimate websites and using ads on search engines such as Google to lure victims in. In this blog\r\npost, we will provide details on one campaign targeting TradingView, a popular platform and app to track financial\r\nmarkets.\r\nDistribution\r\nUsers looking to download a new program will naturally turn to Google and run a search. Threat actors are buying\r\nads matching well-known brands and tricking victims into visiting their site as if it were the official page.\r\nThe ad below for TradingView uses special font characters (tradıņgsvıews[.]com is embedded with unicode\r\ncharacters: trad\\u0131\\u0146gsv\\u0131ews[.]com) perhaps as an attempt to appear like the real domain and evade\r\ndetection from Google’s ad quality checks:\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising\r\nPage 1 of 7\n\nGoogle’s Ads Transparency Center page shows this advertiser account belongs to someone from Belarus. This is\r\nlikely a compromised ad account that is being used by the threat actors.\r\nWhen the user clicks on the ad they are redirected to a phishing page hosted at trabingviews[.]com:\r\nPhishing page\r\nThe decoy site (trabingviews[.]com) looks quite authentic and shows three download buttons: one each for\r\nWindows, Mac and Linux. One way to detect a potential phishing site is by checking when it was created, which\r\nin this case was only a few days ago.\r\nBoth the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops NetSupport RAT:\r\nhttps://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix\r\nThe Mac download is hosted at:\r\nhttps://app-downloads[.]org/tview.php\r\nPayload\r\nThe downloaded file (TradingView.dmg) comes with instructions on how to open it in order to bypass Gatekeeper.\r\nUnlike regular apps, it does not need to be copied into the Mac’s Apps folder but is simply mounted and executed.\r\nThe malware is bundled in an ad-hoc signed app, meaning it is not signed with an Apple-issued certificate, so Apple cannot revoke it.\r\nOnce executed, it will keep prompting for the user password in a never-ending loop until victims finally relent and\r\ntype it in.\r\nThe attacker’s goal is to simply run their program and steal data from victims and then immediately exfiltrate it\r\nback to their own server. The image below shows the kind of data that can be collected:\r\nA critical part of any infostealer operation is the back-end server that will receive the stolen data. AMOS\r\ndevelopers are advising their customers to use a bulletproof server such as the one below:\r\nProtection\r\nMalvertising continues to be an effective vector to target new victims by abusing the trust they have in their search\r\nengines. Malicious ads coupled with professional-looking phishing pages make for a potent combo that can trick\r\njust about anyone.\r\nWhile Mac malware really does exist, it tends to be less detected than its Windows counterpart. The developer or\r\nseller for AMOS actually made it a selling point that their toolkit is capable of evading detection.\r\nBefore running any new program, make sure to double-check its origins. If you clicked on an ad to download a\r\nnew application, you may want to go back and revisit the official website directly, or at least spend some time\r\nverifying that the current website really is the right one, and not a fake.\r\nWith stealers such as AMOS, it’s also important to run an antivirus that has real-time protection so that it blocks\r\nthe malware before valuable data gets stolen.\r\nMalwarebytes detects this malware as OSX.AtomStealer.\r\nIndicators of Compromise\r\nAd domain:\r\nxn--tradgsvews-0ubd3y[.]com\r\nPhishing domain:\r\ntrabingviews[.]com\r\nAMOS installer download:\r\napp-downloads[.]org/tview.php\r\nAMOS installer (dmg):\r\n6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0\r\nAMOS malware:\r\nce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a\r\nAMOS C2:\r\n185.106.93[.]154\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising"
	],
	"report_names": [
		"atomic-macos-stealer-delivered-via-malvertising"
	],
	"threat_actors": [],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/072fcd8713ec672d95da06f9d9fc093ccdc58c84.pdf",
		"text": "https://archive.orkl.eu/072fcd8713ec672d95da06f9d9fc093ccdc58c84.txt",
		"img": "https://archive.orkl.eu/072fcd8713ec672d95da06f9d9fc093ccdc58c84.jpg"
	}
}