A new cyber threat targeting Mac users has been uncovered, involving a stealer named “Poseidon” distributed through malicious Google ads for the popular Arc browser. The malware campaign, observed on June 24, 2024, marks the second instance of Arc being used as a lure; previously, the browser's name had been used to distribute a Windows RAT. The Poseidon stealer, developed by the threat actor Rodrigo4, builds on the code base of the notorious Atomic Stealer and introduces new features like VPN configuration theft.
Rodrigo4’s rebranded malware, tracked by Malwarebytes as OSX.RodStealer, is advertised on cybercrime forums and offers functionalities such as file grabbing, crypto wallet extraction, and password manager data theft. Users clicking on malicious ads are redirected to a fake site, where they inadvertently download the compromised software.