Advanced Mac malware attack discovered: popular free apps used as cover

An alarming Mac malware attack has come to light, using free versions of popular apps including screen recording utility Loom, cryptocurrency manager LedgerLive and MMO game Black Desert Online to trick unsuspecting users.

Well organized attack

The attack appears to be well-organized, with fake Mac app offers promoted through legitimate-looking Google ads and phishing emails.

The malware campaign was discovered by Moonlock, a cybersecurity group within MacPaw, the developer of the CleanMyMac app. According to Moonlock, the attack initially appeared to be aimed solely at a Loom impersonation.

“At Moonlock Lab, we recently discovered an advanced and alarming threat spreading via Google-sponsored URLs. This stealer malware targets macOS and masquerades as the popular application Loom,” a Moonlock spokesperson said.

Investigation started after a fake Google Ad

The investigation began when a Google ad appeared that appeared to promote the official Loom app. While the ad appeared legitimate and enticed users to click, the link turned out to be malicious.

Further research showed that advertisements and promotions for other apps were also used to spread the same malware. Some of the affected apps include:

• Black Desert Online;
• Calendly;
• Chrome;
• Figma;
• Firefox;
• Gatherum;
• LedgerLive;
• PartyLauncher;
• Safari;
• Zoom.

One of the phishing campaigns specifically targets YouTube creators, offering them a supposedly creator-specific download link for Black Desert Online.

The LedgerLive link is particularly dangerous because it replaces the real app when downloaded, allowing attackers to access and drain victims’ cryptocurrency wallets. The malicious clone closely mimics the look and feel of the legitimate app, making it difficult for users to detect the breach.

The malware can steal files, hardware information, passwords, browser data, and keychain dump credentials, among other things.

It is believed that a well-organized group known as Crazy Evil is behind this campaign.

Users are advised to only download apps from the Mac App Store or trusted developer sites, and to ensure that the URL does not change to a different domain when clicking the download link.