
Mac malware posing as apps like Loom, LedgerLive, and Black Desert Online

A “sophisticated and alarming” Mac malware attack is being carried out in the guise of free versions of popular apps like the screen recording utility Loom, cryptocurrency manager LedgerLive, and MMO game Black Desert Online.

It appears to be a well-organized attack, with the fake Mac app offers promoted through a combination of legitimate-looking Google ads and phishing emails …

The malware campaign was discovered by Moonlock, a cybersecurity group within MacPaw, the developer behind the CleanMyMac app. The team says that initially it appeared to be limited to mimicking Loom.

At Moonlock Lab, we’ve recently uncovered a sophisticated and alarming threat spreading through Google-sponsored URLs. The threat, a stealer malware targeting macOS, poses as the popular application Loom, a widely used screen recording tool.

Our investigation kicked off when we noticed a Google ad that appeared to promote the official Loom application. At first glance, it looked legitimate, enticing users to click on what seemed to be a trusted source. However, upon clicking the link, things took a nasty turn.

But further investigation found that ads and promos for other apps were also being used to push the same malware. These include:

  • Black Desert Online
  • Calendly
  • Chrome
  • Figma
  • Firefox
  • Gatherum
  • LedgerLive
  • PartyLauncher
  • Safari
  • Zoom

At least one of the phishing campaigns specifically targets YouTube creators, claiming to offer them a creator-specific download link to Black Desert Online.

The LedgerLive lure is especially dangerous: once downloaded, the malicious app replaces the real Ledger Live app on the victim’s Mac.

By replacing the genuine app with a harmful version, attackers can potentially access and drain victims’ cryptocurrency wallets. This can lead to financial losses, as the malicious clone is designed to closely mimic the legitimate app’s appearance and functionality, making it difficult for users to detect the compromise.

[It is capable of] grabbing files, hardware information, passwords, data from browsers, keychain dump credentials, and more.

A well-organized group known as Crazy Evil is believed to be behind the campaign.

As always, only ever download apps from the Mac App Store or trusted developer sites, treat sponsored search results as untrusted (this campaign was seeded through Google ads), and check that the download link does not redirect you to a different domain before the file arrives.
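The two checks in that advice can be automated. The following is an added example written for this page, not code from Moonlock or 9to5Mac: it records the redirect chain a download link walks through and flags the first hop that leaves the starting site, and it verifies a downloaded .app bundle with the real macOS `codesign` and `spctl` tools, comparing the signer’s Team ID against one the reader supplies (take it from a known-good copy or the vendor’s documentation; no vendor Team ID is assumed here). The two-label domain heuristic and the sample redirect chain are constructed for the example.

```python
import re
import subprocess
import urllib.parse
import urllib.request


def registrable_domain(host: str) -> str:
    """Approximate the 'site' of a hostname as its last two labels.

    Deliberate simplification for this example: it misjudges multi-label
    public suffixes such as co.uk. A production check should use the
    Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_changed(chain):
    """Given the URLs visited while following a download link, report the
    first hop that leaves the registrable domain of the starting URL.

    Returns (False, None) when every hop stays on the same site, otherwise
    (True, offending_url).
    """
    origin = registrable_domain(urllib.parse.urlsplit(chain[0]).hostname or "")
    for hop in chain[1:]:
        if registrable_domain(urllib.parse.urlsplit(hop).hostname or "") != origin:
            return True, hop
    return False, None


class _RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Redirect handler that remembers every Location it follows."""

    def __init__(self):
        super().__init__()
        self.chain = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.chain.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_chain(url: str, timeout: float = 10.0):
    """Follow a download link with HEAD requests (needs network access) and
    return every URL visited, starting with the one given."""
    handler = _RecordingRedirects()
    opener = urllib.request.build_opener(handler)
    with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
        pass
    return [url] + handler.chain


def team_id_from_codesign_output(text: str):
    """Extract the TeamIdentifier field from `codesign -dv --verbose=4` output.
    Unsigned or ad-hoc signed bundles report 'not set', which never matches
    a real Team ID."""
    m = re.search(r"^TeamIdentifier=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def verify_app_bundle(path: str, expected_team_id: str) -> bool:
    """Return True only if the bundle's signature is intact, Gatekeeper
    accepts it, and it was signed by the expected developer Team ID.

    Runs the real macOS tools, so it is only meaningful on a Mac. An app
    that has been swapped for a clone will not carry the vendor's Team ID
    unless the attacker also holds the vendor's signing identity.
    """
    checks = [
        ["codesign", "--verify", "--deep", "--strict", path],
        ["spctl", "--assess", "--type", "execute", path],
    ]
    for cmd in checks:
        if subprocess.run(cmd, capture_output=True).returncode != 0:
            return False
    # codesign writes the signature description to stderr, not stdout
    details = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                             capture_output=True, text=True).stderr
    return team_id_from_codesign_output(details) == expected_team_id


if __name__ == "__main__":
    # Constructed chain standing in for what redirect_chain() would record:
    # the last hop jumps from the vendor's site to an unrelated host.
    sample = ["https://www.loom.com/download",
              "https://www.loom.com/dl/mac",
              "https://downloads.example.net/Loom.dmg"]
    print(domain_changed(sample))
    # To check a real download and bundle on a Mac, uncomment:
    # print(domain_changed(redirect_chain("https://www.loom.com/download")))
    # print(verify_app_bundle("/Applications/Loom.app", "<vendor Team ID>"))
```

`domain_changed` is conservative by design: a vendor that serves downloads from its own CDN subdomain passes, while a hop to any other registrable domain is reported. `verify_app_bundle` fails closed: a missing tool, a broken signature or a Gatekeeper rejection all return False.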

You’re reading 9to5Mac.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
