A new malvertising campaign is targeting Mac users by promoting a fake Microsoft Teams installer. The malicious ad, which appears as a top search result, leads users to download Atomic Stealer, a malware designed to steal sensitive information. Attackers have cleverly disguised the ad to appear legitimate, showing the Microsoft URL, while actually redirecting users through multiple malicious domains.
This campaign follows a similar trend seen with other fake installers for popular tools like Zoom, Webex, and Slack. Atomic Stealer takes advantage of users who bypass Apple’s built-in protections, asking them to grant access to their file system. Once installed, the malware collects keychain passwords and files, then exfiltrates the data through a remote server.
The attack chain was difficult to detect due to advanced filtering techniques used by the attackers. The malicious ad was paid for through a compromised Google ad account, and it initially redirected users to Microsoft’s actual website, making it harder to identify the threat. After numerous attempts, researchers uncovered the full malware delivery process and reported the ad to Google.
To mitigate such risks, experts recommend using browser protection tools to block ads and malicious websites. These tools can prevent users from being redirected through compromised networks or downloading fake installers. As cybercriminals continue ramping up distribution efforts, downloading software directly from trusted sources becomes increasingly important.