Emerging Threats

macOS stealer Poseidon is spread via ads for the Arc browser

Ray Fernandez

Jul 4, 20246 min read

macOS stealer Poseidon is spread via ads for the Arc browser: Header image

Information stealers, currently among the top most dangerous cybercriminal threats to Apple devices, are often distributed via malicious Google Ads that impersonate known brands. Now, leveraging the increasing popularity of the Arc web browser among Apple users, cybercriminals have launched a new campaign to infect macOS.

This new stealer, known as Poseidon, presents itself to users as the legitimate Arc web browser. In reality, it breaches Apple devices with highly damaging malware. 

Poseidon: VPN looting capabilities and where it came from

On June 27, Malwarebytes reported that they had identified a new criminal campaign distributing a Mac stealer via Google Ads for the Arc web browser. 

Most of the code of the new stealer — dubbed Poseidon by Rodrigo4, a known Russian-speaking threat actor — is based on the infamous Atomic Stealer (AMOS). As reported by Moonlock Lab, the new malware first appeared under the name OSX.RodStealer. It was later rebranded by Rodrigo4. 

Poseidon brings some new features and capabilities to the table, including the looting of VPN configurations.

By looting VPN configurations, the malware allows bad actors to steal the settings needed to connect to a virtual private network (VPN). These settings can include server addresses, usernames, and passwords.

VPN configurations are like keys to a virtual door. If someone steals them, they can access the private network you’re trying to protect. This could be your company network or even your personal network at home.

What can Poseidon do? 

Distributed via the XSS underground forum, Poseidon has capabilities that are similar to Atomic Stealer, as it shares most of its base code. 

The malware provides attackers with a command and control panel and a builder to customize the malware. Plus, it can handle AppleScript. 

An image of the Poseidon command control center, showing that it is still active.
The Poseidon command control center (C2) is still active. Screenshot: Moonlock.

Poseidon should not be underestimated, as it is able to:

  • Breach Safari, Chrome, Brave, Edge, Opera, Vivaldi, Firefox, and other browsers
  • Offer criminals a customizable FileGrabber
  • Extract data from users’ systems, such as data from Notes (including photos within Notes) and Keychain 
  • Access FileZilla and VPNs, including OpenVPN, Fortinet, and others 
  • Extract data from 163 crypto wallets
  • Provide bad actors with full, detailed information about the infected system
  • Access and steal data from password managers such as Bitwarden and KeePassXC
  • Extract browser data, including cookies, passwords, and history 

Attribution: Who is behind Poseidon? 

Jérôme Segura, Principal Threat Researcher at Malwarebytes, attributed Poseidon to a threat actor that goes by the handle Rodrigo4. Rodrigo4 is not a new player in the underground world. 

On June 4, Moonlock reported that Rodrigo4 was linked to a macOS stealer that was posing as a CleanMyMac crack

Back then, Rodrigo4 utilized the same underground forum, XXS, to find partners to distribute a stealer through SEO manipulation and Google Ads techniques. This has become a popular vector of attack for malware distributors.

Through SEO manipulation, malware is capable of tricking search engine algorithms and the Google Ads platform. Malware distributed via this method usually ranks high in Google results, often appearing in the first positions or at the top of Google search results first pages. 

This distribution and promotion technique that Rodrigo4 is using to distribute Poseidon is identical to the previous impersonation of CleanMyMac. 

In the past, macOS stealers have impersonated brands via Google Ads. Examples of impersonated brands include Slack, Midjourney, ChatGPT, AI apps, Mac utility apps, finance apps, and blockchain and web3 games. Poseidon is likely to shapeshift shortly to impersonate another brand as the public becomes more aware of the Arc browser impersonation campaign. 

Poseidon’s first distribution chain 

Malwarebytes has identified specific malicious fake Google Ads offering Arc browser downloads. Their investigation revealed that ads directed victims to a fake site: arcthost[.]org.

Mac users seeking to download Arc should double-check that they are accessing the correct URL. The official site for Mac and Windows downloads is arc.net/download. 

Arc is not available on the Apple Store for Mac, although iPhone and iPad users will find an entry in the Apple Store known as Arc Search — a lightweight version of the Arc web browser. 

As mentioned, the popularity of Arc has become a double-edged sword. This is not the first time that the new browser has been targeted by cybercriminals.

“This is the second time in the past couple of months that we see Arc being used as a lure, certainly a sign of its popularity,” said Jérôme Segura of Malwarebytes. “It was previously used to drop a Windows RAT, also via Google Ads.”

Malwarebytes also identified an ad for the Arc browser belonging to “Coles & Co” linking to the domain name arcthost[.]org. Those who clicked on the ad were redirected to arc-download[.]com. 

A screenshot of a web browser showing a defunct Poseidon malware distributing website.
An example of a Poseidon bad actor website linked to macOS malware distribution, since deleted to erase digital traces. Image: Screenshot Moonlock.

Downloading the Poseidon malware will trigger a normal DMG file download. However, to bypass Apple security protocols, users are asked to right-click to open/install the downloaded executable file. Users should never right-click to install an app on their Macs. 

Malwarebytes also identified the command and control site where malware users log in and can run campaigns at http:// 79.137.192[.]4.

What to expect in the near future from Poseidon 

Our investigation revealed that of all the sites and domains linked to Poseidon by Malwarebytes, none but the C2 panel remain active. The reason for this is straightforward. Cybercriminals rapidly take down the fake websites they use for malicious purposes when a cybersecurity investigation exposes their operations. 

This in no way means that Poseidon is out of the game. In fact, the speed at which these sites have been taken down signals that those using Poseidon had a plan in place for when an investigation uncovered a site, and they acted swiftly to remove all digital traces. 

A screenshot showing that the websites identified by Malwarebytes as distributing Poseidon malware have vanished.
The websites identified by Malwarebytes as distributing Poseidon malware have vanished swiftly. However, the command and control panel is still active. Image: Screenshot.

Sophisticated malware distribution campaigns that use fake sites and fake Google Ads, such as the Atomic Stealer, have taught us that rebranding and relaunching campaigns once specific vectors have been exposed can be done very rapidly. Cybercriminals often create several fake websites, ads, and impersonation campaigns. The dormant, redundant online infrastructure goes active once fake sites in use are exposed. 

This technique leaves cybersecurity experts playing an infinite game of Whac-A-Mole. As soon as they catch one fake site, another one just pops up. 

Whether Poseidon will continue to impersonate Arc or not is impossible to determine at this stage. Regardless, it is likely that this is not the last time we’ll hear from Poseidon. 

Much like Atomic Stealer, which has shapeshifted by pretending to be a wide array of different software, we can expect Poseidon to follow the same strategy.

Apple users, therefore, must be aware not only of how Poseidon attempts to trick them by passing itself off as the Arc web browser, but aware that bad actors could have already deployed other similar campaigns and are now impersonating a different brand or service. 

To this end, always keep your devices up to date, do not follow Google Ads when downloading software, double-check URLs, and only download apps from official websites that have been verified or through the official Apple App store. 

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.