An updated version of Atomic macOS Stealer (AMOS) has been discovered in a new malvertising operation that targets Google search users who are looking for software. According to Malwarebytes, the malware started appearing on Telegram in April. At the end of June, the malware’s creators issued a new version.
The most recent iteration of the malware, identified as OSX.AtomStealer, is disseminated through cracked versions of the TradingView app, a platform for following financial markets. Users searching for this software are presented, at the top of the Google search results, with advertisements hacked by threat actors. Some of these advertisements were found to imitate the real domain and evade Google’s ad quality checks by employing Unicode characters.
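A defender can screen ad or landing hostnames for this kind of Unicode imitation before users reach them. The following is an added example, not code from the article or from Malwarebytes; it assumes `tradingview.com` as the protected domain, uses constructed lookalike hostnames, and relies on a small hand-built confusables table rather than the full Unicode confusables data.

```python
import unicodedata

PROTECTED = "tradingview.com"  # assumption: the brand domain being defended
# Small constructed confusables table; a production check would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
    "\u0475": "v", "\u0501": "d", "\u051d": "w", "\u0131": "i", "\u0261": "g"}

def to_unicode(host):
    """Normalise a hostname and decode any punycode (xn--) labels to Unicode."""
    host = host.strip().lower().rstrip(".")
    if host.isascii() and "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host  # malformed ACE label: keep the raw form
    return host

def script_of(ch):
    """Rough script label: the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(host):
    """Fold to a comparison form: decompose, drop combining marks, map confusables."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(CONFUSABLES.get(c, c) for c in decomposed if not unicodedata.combining(c))

def check_domain(host, protected=PROTECTED):
    """Return findings for one advertised or landing hostname."""
    uni = to_unicode(host)
    scripts = sorted({script_of(c) for c in uni if c.isalpha()})
    return {
        "unicode": uni,
        "non_ascii": sorted({f"U+{ord(c):04X}" for c in uni if not c.isascii()}),
        "mixed_script": len(scripts) > 1,
        # Looks like the protected name after folding, but is not the protected name.
        "imitates_protected": uni != protected and skeleton(uni) == protected,
    }

if __name__ == "__main__":
    # Constructed samples: genuine name, Cyrillic "a", dotless "i", unrelated domain.
    for s in ("tradingview.com", "tr\u0430dingview.com", "trad\u0131ngview.com", "example.org"):
        print(s.encode("unicode_escape").decode(), check_domain(s))
```

The dotless-i sample stays within the Latin script, so a mixed-script test alone misses it; the skeleton comparison is what flags it.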