In a technical analysis, Microsoft warned that Python-based information stealers have expanded to target macOS since late 2025, using malvertising and fake DMG installers to deploy families such as AMOS, MacSync, and DigitStealer.
KEY FACTS
- Incident: macOS-targeted infostealer campaigns using Python and DMG installers
- Targets: browser credentials, session cookies, iCloud Keychain, developer secrets
- Distribution: malvertising via Google Ads, fake sites with ClickFix lures, and phishing emails
- Examples: observed families include AMOS, MacSync, DigitStealer, and PXA Stealer
Campaigns have delivered disk image installers that launch payloads with minimal on-disk footprints. Operators leverage fileless execution, native macOS utilities, and AppleScript automation to harvest browser data and system credential stores.
Malvertising and SEO poisoning redirect users searching for AI and developer tools to counterfeit sites that present ClickFix copy-and-paste prompts or fake installers. Those lures trick users into running the installers that deploy the stealers.
Some activity overlaps with Windows campaigns. Two PXA Stealer campaigns observed in October and December 2025 used phishing emails for initial access, persistence via registry Run keys or scheduled tasks, and Telegram for command and control and data exfiltration.
Threat actors have also weaponized messaging apps such as WhatsApp to spread malware like Eternidade Stealer and used fake PDF editors such as Crystal PDF to drop Windows stealers. Recommended mitigations include user education on malvertising and ClickFix prompts, monitoring Terminal and iCloud Keychain access, and inspecting outbound POST requests to newly registered domains.
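One way to put the last of those mitigations into practice (inspecting outbound POST requests to newly registered domains), as an added example that is not from Microsoft's analysis or this article: it scans constructed proxy log lines against a constructed domain-registration table (standing in for a WHOIS/RDAP lookup) and flags POST requests to domains registered within the last 30 days; all hostnames and dates are placeholders.

```python
import re
from collections import namedtuple
from datetime import date

# Constructed proxy log lines (not from the report) in a simplified
# "day method host path bytes_sent" layout; the hosts are placeholders.
SAMPLE_PROXY_LOG = """\
2025-12-03 GET  developer.apple.com /docs 1523
2025-12-03 POST api.example-newdomain.net /upload 482110
2025-12-03 POST updates.example-known.com /telemetry 2048
2025-12-03 POST cdn.example-freshsite.org /gate.php 731204
"""

# Constructed registration dates keyed by registrable domain, standing in
# for a WHOIS/RDAP lookup or a domain-age enrichment feed.
DOMAIN_REGISTERED = {
    "apple.com": date(1987, 2, 19),
    "example-newdomain.net": date(2025, 11, 28),
    "example-known.com": date(2016, 5, 1),
    "example-freshsite.org": date(2025, 12, 1),
}
ANALYSIS_DATE = date(2025, 12, 3)  # the day the sample log was taken
LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\d+)$")
Finding = namedtuple("Finding", "host domain_age_days bytes_sent")


def registrable_domain(host: str) -> str:
    # Last two labels only; a real deployment would consult the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def flag_posts_to_new_domains(log_text, registered, today, max_age_days=30):
    """Return POST requests whose destination domain is at most max_age_days old."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST":
            continue  # malformed line or not a POST: nothing to assess
        host, size = m.group(3), m.group(5)
        registered_on = registered.get(registrable_domain(host))
        if registered_on is None:
            continue  # unknown age; in practice route to a separate enrichment queue
        age = (today - registered_on).days
        if age <= max_age_days:
            findings.append(Finding(host, age, int(size)))
    return findings


def run_sample():
    return flag_posts_to_new_domains(SAMPLE_PROXY_LOG, DOMAIN_REGISTERED, ANALYSIS_DATE)
```

The two flagged entries are the large POSTs to domains registered days before the traffic; the long-established domains are left alone regardless of payload size.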
WHY IT MATTERS
Infostealer compromises can expose credentials and authentication tokens that enable broader breaches, business email compromise, supply chain intrusions, and ransomware. Detecting suspicious installers and monitoring credential stores can reduce exposure to these threats.