A wave of malicious search ads is targeting macOS users by impersonating popular software brands, security researchers warn. The latest campaign focuses on LastPass, the password manager, and has been used to push a credential-stealer onto unsuspecting users.
LastPass on Friday detailed the operation, saying attackers used search-engine optimization to place LastPass macOS ads at the top of results on Google and Bing. When clicked, the ads redirected to fraudulent GitHub pages that purported to offer an official LastPass installer but installed malicious software instead.
Researchers say the payload delivered by the fake installer pages on GitHub is a macOS credential stealer known as Atomic Stealer, or Amos Stealer. LastPass acknowledged the takedown of the two GitHub sites and urged users to monitor for indicators of compromise.
Beyond LastPass, the campaign impersonated other software and services, including 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird and TweetDeck. The ads used prominent fonts to amplify the false branding and redirected to GitHub pages hosting the malicious payload.
The incident underscores the growing risk from brand impersonation and malvertising, which security teams say can lead to credential theft and other compromises. Analysts say takedowns and sharing indicators of compromise (IoCs) are essential as companies monitor for similar campaigns.