Security researchers warn that malicious ads on search engines are impersonating a wide range of services to pull Macs into a credential-stealing campaign. The latest high-profile targets are LastPass users.
LastPass disclosed a campaign that used search-engine optimization to push ads for LastPass macOS apps to the top of results on Google and Bing. Clicking these ads led to fraudulent GitHub pages that claimed to offer LastPass installers for Macs.
The pages instead installed a macOS credential stealer known as Atomic Stealer, also referred to as Amos Stealer by researchers. The campaign appears widespread, with takedown and disruption efforts ongoing.
LastPass notes that the scam mirrors broader brand impersonation: other software and services targeted in similar ads include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. The ads are typically presented in bold fonts and redirect to GitHub pages that install versions of Atomic disguised as legitimate software.
In many cases, attackers lure Mac users into downloading disguised installers, which circumvent Gatekeeper protections by automating installation through prompt-like steps or CAPTCHA bypass tactics. Security researchers say this technique has evolved over the past two years as defenders attempt to block it.
Users should download software only from official sites, avoid clicking suspicious ads, and verify publishers before installing anything. Enterprises should monitor for the indicators of compromise (IoCs) that LastPass and others have shared to help detect similar threats.