In a recent investigation, cybersecurity firm Moonlock Lab uncovered a sophisticated malware campaign targeting macOS users. The malware, disguised as the popular screen recording application Loom, is distributed through deceptive Google-sponsored links. Once clicked, these links redirect users to a counterfeit website that closely mimics the official Loom site, tricking them into downloading a malicious file instead of the legitimate app.
Widespread Campaign
The extent of this campaign is alarming: the malware impersonates not only Loom but also other widely used applications such as Figma, TunnelBlick (VPN), and Callzy. One particularly notable fake app is the “BlackDesertPersonalContractforYouTubepartners,” which appears to target YouTube content creators with phishing schemes.
Malicious LedgerLive Clone
One of the more troubling aspects of this campaign is the presence of a malicious clone of the LedgerLive app. Cryptocurrency holders use LedgerLive to manage their assets, making it an attractive target for cybercriminals. By replacing the legitimate app with a harmful version, attackers can potentially access and drain victims’ cryptocurrency wallets.
Darknet Recruitment
Further investigation revealed recruitment ads on the darknet, posted by a group called Crazy Evil. These ads seek individuals to join their team and use a variety of attack formats to target victims, including replacing the Ledger app on macOS. The Crazy Evil group appears to be well-organized, communicating with partners and recruits via a Telegram bot.
This macOS stealer campaign underscores the importance of vigilance and proactive security measures. Users should always verify the URLs they visit, treat sponsored search results with suspicion, and avoid downloading applications from unverified sources. Regularly updating software and using anti-malware tools like CleanMyMac X can help protect against such threats.