Sophisticated Malware Campaign Targets macOS Users Through Fake Software Updates
A new malware campaign called "UpdateAgent 3.0" is targeting macOS users through convincing fake software update notifications delivered via malicious advertisements and compromised websites. The malware delivers a sophisticated info-stealer capable of extracting passwords from Keychain, cryptocurrency wallets, browser session tokens, and SSH keys.
The fake update notifications precisely mimic Apple's genuine macOS update UI, including the System Preferences/Settings icon, Apple logo, and the standard update dialog text. Users who click "Install Now" are prompted to enter their administrator password, which the malware captures and uses to install its payload.
UpdateAgent 3.0 is signed with a legitimate Apple Developer certificate (since revoked) and uses advanced evasion techniques including checking for virtual machine indicators, security research tools, and network analysis software before activating its malicious functionality.
The malware's data exfiltration module can extract credentials from the Safari, Chrome, Firefox, and Brave browsers, as well as from popular password managers including 1Password and Bitwarden when those applications are unlocked. Stolen data is encrypted and exfiltrated to attacker-controlled servers via DNS-over-HTTPS queries.
Apple has revoked the malicious certificate and updated XProtect signatures to detect UpdateAgent 3.0. Users are reminded that genuine macOS updates are delivered exclusively through System Settings > Software Update and never through browser pop-ups or notification banners.
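Because DNS-over-HTTPS hides query names from conventional port-53 monitoring, detecting the exfiltration channel described above depends on logs from the endpoint (or from an enterprise DoH resolver) where the names are still visible. The following Python is an added example, not code from the article or from any vendor: it scans constructed DNS log lines in an assumed `<timestamp> <host> <qname>` format and flags parent domains that receive many distinct long, high-entropy leading labels, the typical signature of data encoded into subdomains. The domain names in the sample are placeholders, not indicators from the campaign.

```python
import math
from collections import defaultdict

# Constructed sample log (assumed format: "<timestamp> <host> <qname>").
# The domains below are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z mac-01 apple.com
2024-05-01T10:00:02Z mac-01 swscan.apple.com
2024-05-01T10:00:03Z mac-01 4d2a9f0c1b7e3a5d8f6c2e9b0a1d3c5f.example-placeholder.net
2024-05-01T10:00:03Z mac-01 9e1c7b3a5d0f2c4e6a8b1d3f5c7e9a0b.example-placeholder.net
2024-05-01T10:00:04Z mac-01 b7e3a5d8f6c2e9b0a1d3c5f4d2a9f0c1.example-placeholder.net
2024-05-01T10:00:05Z mac-02 www.wikipedia.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def parse_line(line: str):
    """Split one log line into its three fields; return None for malformed input."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return {"ts": parts[0], "host": parts[1], "qname": parts[2]}


def suspicious_subdomains(log_text: str, min_label_len: int = 24,
                          min_entropy: float = 3.0, min_unique: int = 3) -> dict:
    """Map parent domain -> sorted list of distinct suspicious leading labels.

    A leading label is suspicious when it is long and high-entropy; a parent
    domain is reported only once it has collected min_unique such labels, which
    filters out one-off CDN or tracking hostnames. Parent domain is approximated
    as the last two labels (assumption; a public-suffix list is more accurate).
    """
    by_parent = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = rec["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        leading, parent = labels[0], ".".join(labels[-2:])
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            by_parent[parent].add(leading)
    return {p: sorted(s) for p, s in by_parent.items() if len(s) >= min_unique}


if __name__ == "__main__":
    for parent, labels in suspicious_subdomains(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling to {parent}: {len(labels)} distinct labels")
```

Tune `min_label_len` and `min_entropy` against a baseline of your own DNS logs before alerting on the result, since some legitimate services also use long random hostnames.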