Infostealer Campaigns Expand to macOS as Attackers Abuse Python and Trusted Platforms
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Infostealer campaigns that once focused mainly on Windows are now expanding aggressively to macOS, using Python and trusted platforms to reach new victims. <\/p>\n
Recent attacks show a clear shift: threat actors are abusing online ads, fake apps, and familiar tools to quietly steal credentials, session cookies, and cryptocurrency data from Mac users. <\/p>\n
Cross\u2011platform Python stealers and macOS\u2011specific families like DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) are at the center of this surge, turning everyday browsing and software installs into high\u2011risk events for consumers and businesses alike. <\/p>\n
These campaigns rely heavily on social engineering<\/a> to bypass users\u2019 trust. <\/p>\n Malvertising and search\u2011engine\u2011poisoned links lead to fake installers or \u201csystem fix\u201d utilities that appear legitimate, often wrapped in DMG images or seemingly harmless scripts. <\/p>\n Once executed, the payloads quickly move to harvest browser passwords, keychain entries, crypto wallets, and developer secrets. <\/p>\n For organizations, the theft of cloud credentials and source\u2011code access can open the door to deeper compromise, including supply chain attacks and ransomware.<\/p>\n Microsoft researchers noted<\/a> that recent infostealer waves blend macOS\u2011native techniques with flexible Python tooling to operate across multiple environments. <\/p>\n On macOS, the malware<\/a> leans on built\u2011in utilities and AppleScript automation to keep a low profile, while Python stealers are delivered widely through phishing emails and booby\u2011trapped attachments in corporate networks. <\/p>\n At the same time, attackers are weaponizing trusted platforms such as WhatsApp and fake PDF tools to push stealer payloads, making malicious traffic harder to distinguish from normal activity.<\/p>\n The infection chain typically begins with a lure that looks routine to the victim. <\/p>\n For macOS campaigns<\/a>, users are steered to spoofed download pages for tools such as DynamicLake or fake AI utilities, or tricked into copy\u2011pasting Terminal commands that supposedly fix browser or system issues. <\/p>\n When the user runs the installer or command, the malware uses native components like curl, base64 decoding, and gunzip to fetch and unpack additional payloads directly into memory, avoiding obvious file drops. <\/p>\n Scripts executed via osascript or JavaScript<\/a> for Automation then enumerate the system, query browsers and keychains, and stage stolen data in temporary archives.<\/p>\n Finally, the infostealer exfiltrates these archives to attacker\u2011controlled domains or command\u2011and\u2011control servers using HTTPS POST requests, often over newly registered or low\u2011reputation infrastructure, completing the compromise with few visible signs to the user.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Infostealer Campaigns Expand to macOS as Attackers Abuse Python and Trusted Platforms<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection mechanism: from lure to silent data theft<\/strong><\/h2>\n