Cybercriminals spread malware for macOS in emails purportedly from AGOV

28.06.2024 - On the evening of 27 June 2024, cybercriminals launched a major 'malspam' campaign against citizens in German-speaking Switzerland. Emails purporting to come from AGOV are being used in an attempt to infect computers running the macOS operating system with the information-stealing malware 'Poseidon Stealer'.


Cybercriminals are currently sending emails purporting to come from AGOV. AGOV is Switzerland's government login, which citizens can use to access services provided by the federal, cantonal and communal authorities, e.g. to complete their tax returns online. The NCSC is currently receiving numerous reports of these bogus emails. In the emails, recipients are asked to download a software package; among other things, the emails claim that the AGOV access app is now available as a desktop application. This is not the case: the AGOV access app is only available for smartphones.

The bogus emails contain a link to Microsoft's search engine Bing, which is abused as a redirector: Bing forwards the victim to an intermediate website, and that website redirects in turn to a further website offering a software package for Apple's macOS. If the victim downloads and executes the file, the computer is infected with the malware 'Poseidon Stealer'. Once installed on a device, the malware collects various data from the victim's computer and sends them to the cybercriminals.

Screenshot of the malware email purportedly in the name of AGOV

Working with its partners, the NCSC has introduced suitable defence measures to reduce the threat.

The NCSC recommends that recipients delete the bogus email immediately. Users who have downloaded and installed the malware are advised to reset the affected device immediately; because the stealer sends the collected data to the criminals, credentials stored on that device should also be treated as compromised and changed.

The NCSC has compiled additional technical information and 'indicators of compromise' (IOCs) for cyber security experts, which are available on the GovCERT Github page: