A new malware campaign has been identified, targeting macOS users through deceptive Google ads. These ads promote a fake version of the Arc browser, an unconventional browser that recently became available for macOS. The fake site, arc-download[.]com, looks almost identical to the legitimate one, tricking users into downloading a malicious .dmg file.
The installation process relies on a right-click method that bypasses macOS security, allowing the malware to be installed without being flagged. Once installed, the malware sends stolen data to an IP address linked to the Poseidon stealer, a tool sold in criminal markets. Poseidon can extract files, cryptocurrency wallets, browser data, and passwords from password managers such as Bitwarden and KeePassXC.
This malware is part of a growing market for Mac-specific stealers, with Poseidon being a notable competitor to Atomic Stealer. Both share much of the same underlying code, and recent updates to Poseidon include attempts to steal VPN configurations, although this feature is still in development. The malware’s developers promote its low detection rates by antivirus software, appealing to cybercriminals.
Google Ads has been a recurring platform for distributing such malware, with similar campaigns previously pushing a fake Arc version for Windows. Google removes malicious ads once notified but does not take responsibility for any resulting damage. Users are advised to download software only from official websites and to be cautious of any instructions that involve bypassing standard security measures.