Microsoft has issued a warning that information-stealing attacks are "rapidly expanding" beyond Windows to target Apple macOS environments by abusing trusted platforms for large-scale distribution and using cross-platform languages like Python. Since late 2025, the tech giant's Defender Security Research Team has reported seeing infostealer campaigns targeting macOS that use social engineering techniques like ClickFix to distribute disk image (DMG) installers that launch stealer malware families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. The campaigns were found to carry out data theft using methods such as fileless execution, native macOS utilities, and AppleScript automation.

The stolen data includes web browser credentials, session data, iCloud Keychain contents, and developer secrets.

These attacks typically begin with a malicious advertisement, frequently displayed through Google Ads, that directs users searching for tools such as DynamicLake and artificial intelligence (AI) tools to phony websites that use ClickFix lures, deceiving them into infecting their own computers with malware. According to Microsoft, "attackers are using Python-based stealers to quickly adapt, reuse code, and target heterogeneous environments with minimal overhead." Usually disseminated through phishing emails, these stealers gather credit card numbers, crypto wallet information, session cookies, authentication tokens, and login credentials.

One such stealer is PXA Stealer, which is associated with Vietnamese-speaking threat actors and has the ability to gather browser data, financial information, and login credentials.

The Windows maker said it discovered two PXA Stealer campaigns, in October 2025 and December 2025, that used phishing emails to gain initial access. The attack chains used Telegram for data exfiltration and command-and-control communications, and registry Run keys or scheduled tasks for persistence. Furthermore, malicious actors have been seen weaponizing well-known messaging apps like WhatsApp to spread malware such as Eternidade Stealer and gain access to cryptocurrency and financial accounts.

In November 2025, LevelBlue/Trustwave released campaign details to the public.

A Windows-based stealer that can surreptitiously gather cookies, session data, and credential caches from Mozilla Firefox and Chrome browsers has been used in other stealer-related attacks. These attacks have focused on phony PDF editors, such as Crystal PDF, which are disseminated through malvertising and search engine optimization (SEO) poisoning via Google Ads. To counter the infostealer threat, organizations are advised to educate users about social engineering techniques such as ClickFix-style copy-paste prompts, malvertising redirect chains, and fake installers.

Additionally, it is recommended to keep an eye out for suspicious Terminal activity and iCloud Keychain access, as well as to check network egress for POST requests to suspicious or recently registered domains.
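The egress check from the recommendation above, as an added example that is not from Microsoft's report: it scans constructed proxy log lines for POST requests whose destination domain has no registration record or was registered within the last 30 days. The log format, hostnames and registration dates are all constructed, and the small registration table stands in for a WHOIS/RDAP or domain-intel lookup.

```python
"""Flag outbound POSTs to recently registered or unknown domains.
Added example: the log format, hosts and registration dates below are constructed."""
from datetime import date, datetime

# Constructed egress log: "<iso-timestamp> <src-host> <method> <url> <bytes-out>"
SAMPLE_LOG = """\
2025-12-03T09:14:02Z mac-dev-17 GET https://updates.example-vendor.com/manifest.json 412
2025-12-03T09:14:40Z mac-dev-17 POST https://api.example-vendor.com/telemetry 2210
2025-12-03T09:15:05Z mac-dev-17 POST https://cdn-sync-7f3a.example/upload 184320
2025-12-03T09:15:06Z mac-dev-17 POST https://unseen-host.example/collect 5120
"""

# Constructed registration dates; in production populate this from RDAP/WHOIS.
DOMAIN_REGISTERED = {
    "example-vendor.com": date(2014, 5, 2),
    "cdn-sync-7f3a.example": date(2025, 11, 28),
}

NEW_DOMAIN_DAYS = 30                # registration younger than this is suspicious
ASOF = date(2025, 12, 3)            # "today" for the constructed data

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed hosts here."""
    return ".".join(host.lower().split(".")[-2:])

def parse_line(line):
    ts, src, method, url, out_bytes = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0]
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "host": host, "bytes_out": int(out_bytes)}

def flag_suspicious_posts(log_text, today, min_age_days=NEW_DOMAIN_DAYS):
    """Return (host, reason) for every POST to an unknown or newly registered domain."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["method"] != "POST":
            continue                      # only data-bearing requests matter here
        registered = DOMAIN_REGISTERED.get(registrable_domain(ev["host"]))
        if registered is None:
            findings.append((ev["host"], "no registration record"))
        elif (today - registered).days < min_age_days:
            findings.append((ev["host"], f"registered {(today - registered).days} days ago"))
    return findings

if __name__ == "__main__":
    for host, why in flag_suspicious_posts(SAMPLE_LOG, ASOF):
        print(f"ALERT POST from mac-dev-17 to {host}: {why}")
```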

"Data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks can result from being compromised by infostealers," Microsoft stated.