A widespread campaign aimed at stealing cryptocurrency is spreading a wave of infostealers through fake virtual meeting software for both macOS and Windows platforms, particularly targeting the former with the dangerous Atomic stealer.

Discovered by Recorded Future’s Insikt Group, the campaign attributed to a threat actor dubbed “Markopolo” is responsible for an elaborate Web and social media presence for a fake app called Vortax, according to a report (PDF) published this week.

Vortax is purported to be virtual meeting software for various platforms but actually is a delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic, the researchers found. Attackers target cryptocurrency users in the campaign through social media and Telegram channels for the purpose of stealing credentials, so they can in turn steal crypto from them, according to Insikt.