Do You Use macOS and Receive a Benito Juárez Scholarship? It’s Time to Stay Alert. A new and sophisticated cyberattack campaign is putting thousands of macOS users worldwide at risk — and Mexico is no exception. Recently, hackers managed to infiltrate malware into more than 3,000 legitimate websites, including domains that appear official or harmless, such as those related to the Benito Juárez Scholarship.
Using a technique known as a watering hole, attackers compromise websites that potential victims frequently visit. Instead of sending malicious emails or deceptive messages, they patiently wait for the user to arrive on their own — like a trap hidden in an otherwise normal webpage. These cybercriminals aren’t after random data: they are specifically targeting Apple system users who access educational portals.
How Does the Attack Work?
When you visit one of these infected sites from a Mac, the first thing you see is a fake CAPTCHA (yes, the ones that ask you to confirm you're not a robot). But this one isn't real. If you click it, you unknowingly trigger a hidden chain of actions:
-
The site checks if you are using a Mac (it detects this by reading your browser information).
-
If so, it launches an advanced trick: it uses a blockchain contract on the Binance Smart Chain employing a technique called EtherHiding. This method hides malicious code inside the blockchain itself, making it much harder to detect.
-
It then automatically copies a command to your clipboard (where copied text or data is temporarily stored).
-
The page suggests (using some excuse like “fixing a browser error”) that you paste that code into the macOS Terminal.
-
If you do, the code downloads a script that installs malware called Atomic Stealer. This program steals passwords, banking data, cryptocurrency, and even information from your system.
All of this happens without raising suspicion, using websites that seem completely trustworthy.
Read more: Mexico Leads Cyberattacks in the Financial Sector in Latin America
Who Discovered This Attack?
The first to detect this type of attack was a cybersecurity researcher named Vesec, who named it MacReaper due to its ability to steal large amounts of information without the user noticing. This malware combines several advanced techniques: it uses blockchain infrastructure, obfuscated JavaScript, smart contracts, and even commands executed in the macOS Terminal.
After the initial report, other experts confirmed that at least 29 sites with Mexican domains had been compromised. Among them were pages such as:
-
becabenitojuarez.mx
-
sistemaderiego.mx
-
elresbaladero.com.mx
-
hellobody.mx
-
outletdemarcas.com.mx
Of these, 21 were confirmed to still be active and could continue to pose a risk.
How to Protect Yourself if You Use a Mac
Here are some practical tips to stay safe:
-
Never paste commands into the Terminal unless you know exactly what they do. This is precisely the tactic attackers use.
-
Carefully check website addresses. For example, the official Benito Juárez Scholarship site is gob.mx/becasbenitojuarez.
-
Do not install software from untrusted websites.
-
Use a good antivirus for macOS. While many believe Macs can't get infected, this case proves otherwise.
An Attack That Goes Far Beyond Mexico
Vesec also warned that this campaign is not an isolated issue. It’s estimated that around 3,000 websites worldwide may be compromised. This is a large-scale operation, designed to go unnoticed and specifically target Mac users who browse trusted sites without falling for obvious phishing emails or other common scams.
This type of attack signals a new phase in digital fraud. Instead of tricking the user into falling for obvious traps, now the user unknowingly executes the malware themselves.
