
Microsoft cautions: infostealers are no longer limited to Windows and are actively exploring macOS. This is noted in a new study by the Microsoft Defender Security Research team, focused on the evolution of data-stealing malware. Whereas previously these “digital pickpockets” primarily targeted Windows users, now they confidently operate within the Apple ecosystem as well. Attackers increasingly use cross-platform languages like Python, and disguise the delivery of malicious code as perfectly harmless applications: PDF editors, utilities, and even messengers.

According to Microsoft data, since late 2025, the number of campaigns specifically aimed at macOS has visibly increased. Social engineering tactics are employed, including the popular ClickFix scheme, as well as fraudulent installers. This is how specialized malware like DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) spreads.

These are not just adapted versions of Windows malware. Attackers actively utilize native macOS tools, AppleScript, and “fileless” techniques to stealthily extract data from browsers, keychains, sessions, and even development environments. This method allows them to operate covertly and bypass conventional security measures.

One illustrative example is the fake Crystal PDF application, which was promoted as a useful document-handling utility. In the autumn of 2025, it was heavily pushed through malicious advertising and SEO manipulation in Google Ads. After installation, Crystal PDF entrenched itself in the system and began pilfering data from Firefox and Chrome browsers, including cookies, sessions, and saved credentials. Essentially, all of the user’s browser activity ended up in the hands of the attackers.

Even more ingenious was Eternidade Stealer. This malware employs a worm-like distribution pattern and utilizes WhatsApp (owned by Meta, recognized as extremist and banned in Russia). An internal Python script automates message distribution via compromised accounts, gathers the victim’s contact list, and sends them malicious attachments. After infection, the malware constantly monitors active windows and processes, waiting for the moment the user accesses a banking service, payment system, or crypto exchange like Binance, Coinbase, or Stripe.
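The behaviour the article describes (a “utility” application bundle launching a script interpreter such as `osascript` or Python, which then reads browser cookie and credential stores or the login keychain) is something a defender can look for in endpoint telemetry. The following detection sketch is an added example written for this page; it is not code from Microsoft, from the report, or from any of the named malware families. The event format, the file paths, the allowlist of expected readers and the sample events are all assumptions constructed for the illustration; a real deployment would map them onto the fields of the EDR or Endpoint Security export actually in use.

```python
import json
from collections import defaultdict

# Data stores the article says macOS infostealers go after: browser cookies,
# sessions and saved credentials, plus the login keychain. Path suffixes are
# assumptions for this example, not values from the report.
SENSITIVE_SUFFIXES = (
    "Google/Chrome/Default/Cookies",
    "Google/Chrome/Default/Login Data",
    "cookies.sqlite",                 # Firefox cookie store
    "logins.json",                    # Firefox saved credentials
    "Keychains/login.keychain-db",    # macOS login keychain
)

# Interpreters the article names as abused for cross-platform / AppleScript tooling.
SCRIPT_INTERPRETERS = {"osascript", "python", "python3"}

# Process images that legitimately open those stores (assumed allowlist).
EXPECTED_READERS = {"Google Chrome", "firefox", "securityd", "Keychain Access"}


def parse_events(lines):
    """Parse newline-delimited JSON process/file events (constructed EDR-style format)."""
    return [json.loads(line) for line in lines if line.strip()]


def is_sensitive(path):
    return any(path.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)


def detect(events):
    """Return {pid: [reason, ...]} for processes matching the stealer pattern.

    Rule 1: a script interpreter launched by an application bundle under
            /Applications (the 'harmless utility' lure described above).
    Rule 2: a process that is neither a browser nor a keychain daemon opening
            a browser cookie/credential store or the login keychain.
    """
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "exec":
            parent = ev.get("parent_image", "")
            if ev["image"] in SCRIPT_INTERPRETERS and parent.startswith("/Applications/"):
                findings[ev["pid"]].append(
                    f"{ev['image']} launched by bundle app {parent}")
        elif ev["type"] == "file_open":
            if is_sensitive(ev["path"]) and ev["image"] not in EXPECTED_READERS:
                findings[ev["pid"]].append(
                    f"{ev['image']} opened sensitive store {ev['path']}")
    return dict(findings)


def severity(reasons):
    """'high' when one pid shows both an odd interpreter launch and a sensitive read."""
    launched = any("launched by" in r for r in reasons)
    opened = any("opened sensitive" in r for r in reasons)
    return "high" if launched and opened else "medium"


# Constructed sample telemetry: pid 4242 mimics the chain the article describes
# (fake PDF app -> osascript -> browser cookies and login keychain); pid 310 is
# Chrome reading its own cookie file; pid 500 is a user's shell running Python.
SAMPLE_EVENTS = """
{"type":"exec","pid":4242,"image":"osascript","parent_image":"/Applications/Crystal PDF.app/Contents/MacOS/Crystal PDF"}
{"type":"file_open","pid":4242,"image":"osascript","path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"type":"file_open","pid":4242,"image":"osascript","path":"/Users/alice/Library/Keychains/login.keychain-db"}
{"type":"file_open","pid":310,"image":"Google Chrome","path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"type":"exec","pid":500,"image":"python3","parent_image":"/bin/zsh"}
"""

if __name__ == "__main__":
    for pid, reasons in detect(parse_events(SAMPLE_EVENTS.splitlines())).items():
        print(pid, severity(reasons))
        for r in reasons:
            print("   ", r)
```

The two rules are deliberately kept separate: a script interpreter under an application bundle is common in legitimate software, and browsers reading their own stores is normal, so either signal alone is only medium confidence. It is the combination on a single process, within one session, that reproduces the chain the article describes and deserves an immediate look at the parent bundle and its provenance.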