
While the malware itself uses advanced evasion on Apple M2 hardware, its rigid use of the same hosting provider, domain patterns, and server stack makes much of the supporting command‑and‑control (C2) network surprisingly easy to fingerprint.
macOS Stealer With A Uniform C2 Blueprint
DigitStealer was first detailed by Jamf Threat Labs in November 2025 as a JavaScript for Automation (JXA)‑based macOS infostealer that targets 18 cryptocurrency wallets, browser profiles, and macOS keychain data, with a strong focus on Apple Silicon devices.
It is typically delivered via malicious disk images impersonating legitimate macOS utilities, such as DynamicLake, with distribution via spoofed websites and related lures.
Once executed, the malware runs hardware and environment checks to avoid sandboxes and virtual machines, then proceeds with a staged execution chain that keeps most logic in memory to limit artifacts on disk.
Each stage focuses on a specific task: credential theft, file collection, Ledger Live tampering, and persistence, culminating in a backdoor that polls the C2 for new AppleScript or JavaScript payloads every 10 seconds.
Notably, DigitStealer does not expose a shared web panel for “customers,” which sets it apart from many malware‑as‑a‑service (MaaS) info‑stealers and hints at a more closed, tightly controlled operation.
The final backdoor component sends the MD5-hashed hardware UUID of the infected Mac to the C2 at a fixed polling interval, providing operators with a persistent host identifier while keeping raw hardware details opaque on the wire.
Before any tasking is accepted, the C2 server can issue a cryptographic “challenge” with an associated “complexity” level, requiring the malware to compute a number that, when hashed with the challenge, matches a specific pattern; only then does DigitStealer receive a valid session token and task list.
Infrastructure Patterns Suggest A Single Operator Or Small Team
Pivoting on the C2 IPs listed in the table below using threat‑hunting platforms reveals clusters where multiple .com domains are co‑hosted, with nginx HTTPS servers on port 443 and OpenSSH services reporting nearly identical version strings (e.g., OpenSSH 9.6p1/10.x on Ubuntu), reinforcing that the same playbook and build pipeline are being reused.
WHOIS and DNS records further narrow the operator profile: most domains are registered via Tucows and consistently configured with Njalla nameservers.
According to Cyber and Ramen, this privacy‑oriented provider has repeatedly appeared in infrastructure linked to ransomware and other malware campaigns.
Combined with the single ASN preference, homogeneous server stack, and lack of reseller‑style panels, this strongly indicates that DigitStealer is run by a single actor or a very small team, rather than a large MaaS ecosystem where multiple affiliates pick their own hosting and registration strategies.
| IP Address | Domains | ASN |
| --- | --- | --- |
| 80.78.30[.]90 | beetongame[.]com | abstract ltd |
| 80.78.25[.]205 | binance.comtr-katilim[.]com, yourwrongwayz[.]com, chiebi[.]com | abstract ltd |
| 80.78.30[.]191 | tribusadao[.]com, theinvestcofund[.]com, cekrovnyshim[.]com | abstract ltd |
| 80.78.30[.]146 | ebemvsextiho[.]com, th6969[.]top | abstract ltd |
Defenders can exploit these mistakes by building a query or script that checks for C2 endpoint characteristics, looks for JSON responses that expose challenge and complexity fields, and correlates positive hits with WHOIS data showing Tucows registration and Njalla nameservers to flag likely DigitStealer infrastructure at scale.
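The scoring logic described above, as an added example that is not part of the original article and not the researchers' own tooling. All inputs are constructed samples; the JSON key names (`challenge`, `complexity`), the Njalla nameserver hostnames and the banner strings are assumptions modelled on the article's description.

```python
import json
import re

# Constructed samples (not captured traffic or real WHOIS output) modelling
# the traits the article attributes to DigitStealer C2 hosts.
SAMPLE_BODY = '{"challenge": "constructed-nonce-0001", "complexity": 4}'
SAMPLE_WHOIS = {"registrar": "Tucows Domains Inc.",            # constructed
                "nameservers": ["1-you.njalla.no", "2-can.njalla.in"]}
SAMPLE_SERVICES = {443: "nginx", 22: "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"}

# OpenSSH 9.6p1 or any 10.x build, as reported in the article's pivots.
OPENSSH_RE = re.compile(r"OpenSSH_(9\.6p1|10\.\d+)", re.I)


def response_indicators(body):
    """Flag a JSON reply that exposes both challenge and complexity fields."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []                      # non-JSON or empty body: no signal
    if isinstance(data, dict) and "challenge" in data and "complexity" in data:
        return ["json-challenge-complexity"]
    return []


def whois_indicators(whois):
    """Flag Tucows registration and Njalla nameservers from a WHOIS record."""
    found = []
    if "tucows" in whois.get("registrar", "").lower():
        found.append("registrar-tucows")
    if any("njalla" in ns.lower() for ns in whois.get("nameservers", [])):
        found.append("ns-njalla")
    return found


def service_indicators(services):
    """Flag the nginx-on-443 / OpenSSH-on-Ubuntu stack from port banners."""
    found = []
    if "nginx" in services.get(443, "").lower():
        found.append("nginx-443")
    ssh = services.get(22, "")
    if OPENSSH_RE.search(ssh) and "ubuntu" in ssh.lower():
        found.append("openssh-ubuntu")
    return found


def assess(body, whois, services):
    """Combine signals; the JSON challenge is required for a 'likely' verdict."""
    hits = response_indicators(body) + whois_indicators(whois) + service_indicators(services)
    if "json-challenge-complexity" in hits and len(hits) >= 3:
        return {"verdict": "likely", "indicators": hits}
    return {"verdict": "weak" if hits else "none", "indicators": hits}
```

Hosting-stack and registrar hits alone only ever yield a "weak" verdict, because Tucows, Njalla and nginx on Ubuntu are common outside this campaign; the exposed challenge response is what ties a host to the described C2 behaviour.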
The post macOS Users Targeted By DigitStealer Infostealer, Highlighting Security Gaps appeared first on Cyber Security News.
