Bad actors are using malware disguised as credible software (such as 1Password, Bartender 5, and Pixelmator Pro) to infect Windows and macOS computers. The malware is distributed through exploits hosted on both GitHub and FileZilla, which lets the operators infect target computers efficiently.
The malware gives the group behind the operation, which originates from the Commonwealth of Independent States (CIS), elevated privileges on the infected computers. This allows them to disable security features and install even more malware. While some of that malware focuses on gathering personal information, much of it can also target crypto wallets and banking software.
It also appears that the threat actors may be hosting the files in places beyond just GitHub and FileZilla, with fake application websites also redirecting to payloads hosted on Dropbox and Bitbucket. Cybersecurity firm Insikt Group says the malware appears to be tied to a campaign running since at least August 2023, designed to deliver malware including Lumma, RedLine, Vidar, Rhadamanthys, DarkComet RAT, and DanaBot.
This development is only one part of the ongoing news about these types of malware, including Activator, which is still a “very active threat,” according to The Hacker News. Activator can disable the notification center on macOS while also launching multiple stages of malicious Python scripts designed for persistence.
This type of malware has, up to this point, been distributed mostly through SEO poisoning campaigns and malvertising (malicious advertising). Because this malware has spread so widely across the internet, it is highly recommended that you avoid clicking on advertisements and sponsored results in web searches, and on websites carrying third-party ads, since ad poisoning campaigns have also been a popular distribution method in the past.