Get In Touch
Block C, Stoneridge Office Park, Greenstone Hill, Johannesburg, 1609
Ph: +27 68 769 7423 (South Africa)
Other numbers:
Ph: +1 (424) 469-6359 (USA)
Ph: +260 77 902 4826 (Zambia)

#Cybersecurity Alert: ClearFake’s Atomic Stealer Malware (AMOS) expands to macOS with Deceptive Browser Updates

Using a Query

In a startling development, the ClearFake campaign, originally designed to deceive Windows users with fake Chrome update prompts, has expanded its reach to macOS. This shift, first observed by security researcher Ankit Anubhav on November 17, 2023, marks a concerning evolution in cyber threats. Malwarebytes reported that Mac users are now being duped into downloading the Atomic Stealer malware through fake Safari and Chrome update prompts on compromised websites.

The ClearFake campaign, initially documented by Randy McEoin, leverages breached sites to distribute fake browser updates using JavaScript injections. The recent adaptation to macOS is particularly alarming, as it involves crafting deceptive overlays mimicking official Apple Safari and Chrome pages. When users are tricked into clicking the “update” button, they unknowingly download a DMG file containing the Atomic Stealer, disguised as a browser update. Once executed, this malware requests the admin password and immediately launches malicious commands.

Atomic Stealer, discovered in April 2023 by Trellix and Cyble, is a sophisticated info-stealing malware. It is designed to harvest a wide array of sensitive data from macOS systems, including Keychain passwords (macOS’ built-in password manager), browser-stored passwords, cookies, credit card details, data from over 50 cryptocurrency extensions, and more. This extensive reach makes its compromise a significant threat to victims’ data security and privacy.

The modus operandi of the ClearFake campaign—leveraging smart contracts for redirect mechanisms—highlights the adaptability and cunning of modern cybercriminals. They have effectively broadened their attack surface, now encompassing macOS systems, which were previously considered less vulnerable to such threats. The ease with which payloads like AMOS can be modified to target different operating systems is a testament to the evolving landscape of cyber threats.

How does ClearFake Atomic Stealer work?

  1. Compromised websites: ClearFake leverages compromised websites to serve fraudulent web browser update notices in hopes of deploying stealers and other malware.
  2. Fake browser update prompts: The malware displays fake browser update prompts that urge users to download and install an urgent update.
  3. DMG or ZIP files: The prompts lead to the download of a DMG file or a ZIP archive containing the malware payload.
  4. Installation and execution: Once the malicious file is downloaded and opened, the malware is installed and executed.
  5. Data theft: Atomic Stealer steals a variety of sensitive information, including passwords, cookies, and credit card information.

How to protect yourself from ClearFake Atomic Stealer?

  1. Be cautious of fake update prompts: Be wary of unexpected browser update prompts, especially if they appear on websites you don’t recognize or trust.
  2. Keep your browser up to date: Regularly check for and install official browser updates from the developer’s website.
  3. Use a reputable antivirus or anti-malware program: Install and maintain a reputable antivirus or anti-malware program to detect and block malicious software.
  4. Practice safe browsing habits: Avoid clicking on suspicious links or attachments, and only download software from trusted sources.
  5. Be vigilant: Stay informed about the latest malware threats and trends to protect yourself from evolving cyberattacks.

What next?

The expansion of the ClearFake campaign to macOS underscores the critical importance of vigilance and robust cybersecurity measures for Mac users. Traditional assumptions of macOS being less susceptible to such attacks are no longer valid in the face of these evolving threats. Users must be wary of downloading updates from unverified sources and should rely only on official software update mechanisms. Additionally, organizations are encouraged to employ web protection tools to block malicious threat actors and safeguard their systems and data against such sophisticated social engineering attacks.

#cybersecurity #infosec #cybersecurityprofessional #cybersecurityawareness #cyberthreat #cyberattack #vulnerability #cybercrime #GRC


  1. BleepingComputer. (2023). Atomic Stealer malware strikes macOS via fake browser updates. Retrieved from
  2. Black Hat Ethical Hacking. (2023). ClearFake Campaign Targets macOS with Atomic Stealer Malware. Retrieved from
  3. Cyber Security News. (2023). ClearFake a New Malware Attacking Mac users via fake updates. Retrieved from

Humphrey Theodore K.
Humphrey Theodore K.
I am a strategic IT Service Management Consultant (ITSM) and Governance, Risk and Compliance (GRC) Specialist who is deeply engaged in tactical cybersecurity. At the C-Suite level, I guide leaders in navigating fluid and complex technology problems. I make organizations more efficient, secure and resilient. I consistently deliver smart solutions that increase return on technology investment. My approach ensures that technology is both a catalyst and a foundation for both growth and innovation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This website stores cookies on your computer. Cookies Policy