This dangerous new Mac malware is being spread by Google Ads


Hackers are running malicious Google Ads campaigns targeting victims interested in the new Arc browser, with the aim of installing information-stealing malware on their Mac devices.

Cybersecurity researchers from Malwarebytes spotted a new campaign on the Google Ads network, seemingly promoting the new (and quite popular) Arc browser.

The campaign belongs to ‘Coles & Co’ and links to the domain name archost[.]org. However, people who click on the link are redirected to arc-download[.]com, a completely fraudulent site offering Arc for Mac only.

PR move

On the surface, the downloaded DMG file behaves just as a legitimate file would, except for the right-click-to-open trick, which bypasses security protections.

What the victims actually end up with is Poseidon, a variant of Atomic Stealer (AMOS), a known infostealer capable of extracting all kinds of information from the target devices, from sensitive files, to cryptocurrency wallet data, to stored passwords, to browser data.

There seems to be plenty of code overlap between AMOS and Poseidon, but its creator, a person with the alias Rodrigo4, said they needed a unique brand to be better recognized in the underground community.

“In simple words, people didn’t know who we were,” the developer said in a recent post.

Since the Google Ads network can show ads at the top of search engine results pages, being able to push malware through it increases the malware's chances of success dramatically.

To run a malvertising campaign, threat actors steal people’s Google business accounts that are verified for running advertising campaigns and have a linked credit card for payments. Then, they create an ad campaign which promotes fraudulent websites at the top of search engine results pages. Recently, cybersecurity experts started warning users to be careful when searching for things, and to type in known addresses instead of simply googling them.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
