- Microsoft warned in February 2026 that information-stealing malware is aggressively targeting macOS systems through fake ads and installers.
- Threat actors are using cross-platform languages like Python to deploy stealers such as PXA, Atomic macOS Stealer (AMOS), and Eternidade.
- The infection chains start with malvertising and social engineering, leading to credential theft from browsers, financial accounts, and cryptocurrency wallets.
In February 2026, Microsoft‘s security team issued a stark warning that infostealer attacks are rapidly expanding to target Apple’s macOS environment. This strategic shift leverages social engineering and trusted platforms to deliver malicious payloads at scale.
Since late 2025, attackers have tricked users with “ClickFix” lures distributed via fake sites. Consequently, these sites promote disk image installers for popular tools like DynamicLake and AI applications.
The campaigns deploy malware families including Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. These tools use native macOS utilities and automation to steal web credentials, iCloud Keychain data, and developer secrets.
Microsoft said Python-based stealers allow attackers to rapidly adapt and target diverse systems. These threats typically harvest login credentials, session cookies, and cryptocurrency wallet information.
One example is the PXA Stealer, linked to Vietnamese-speaking actors, which launched phishing campaigns in late 2025. The malware establishes persistence and uses Telegram for command-and-control communications.
Meanwhile, other threat groups have weaponized messaging apps like WhatsApp to distribute the Eternidade Stealer. This campaign, documented in November 2025, specifically targets financial and crypto accounts.
Further campaigns involve fake software like Crystal PDF, spread through search engine poisoning. These installers deploy a Windows-based stealer designed to silently collect browser data from Firefox and Chrome.
Organizations are advised to educate users on social engineering and malvertising risks. They must also monitor for suspicious terminal activity and network egress to newly registered domains.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
