Malware attack on macOS users in the name of AGOV
28.06.2024 - On the evening of June 27, 2024, cybercriminals launched an extensive "malspam" campaign targeting residents of German-speaking Switzerland. Via emails purporting to be from AGOV, they are attempting to infect macOS devices with the malware "Poseidon Stealer".
Cybercriminals are currently sending emails that falsely give the impression that they come from AGOV. AGOV is Switzerland's official government login and is used by various government agencies, for example for electronic tax returns. The Federal Office for Cybersecurity (BACS) is currently receiving numerous reports of such fraudulent emails. In these messages, recipients are asked to download a software package, allegedly a desktop version of the AGOV access app. In reality, however, this app only exists for smartphones.
The emails contain links to Microsoft's Bing search engine, which redirect the victims to another website. From there, users are redirected again to a page offering a software package for macOS. As soon as the file is downloaded and executed, the computer is infected with the "Poseidon Stealer" malware. This malware steals various data from the infected device and transmits it to the attackers.
Example of a fake AGOV e-mail

The BACS strongly recommends deleting such fraudulent emails immediately. If the malware has already been downloaded and installed, the affected device should be reinstalled immediately.
For cybersecurity experts, the BACS provides additional technical information and Indicators of Compromise (IOCs), which can be accessed on the GovCERT GitHub page: