Phexia is a macOS information-stealing malware family observed as an emerging entrant in the macOS stealer ecosystem toward the end of 2025. It is grouped with other macOS stealers that pursue theft of user data and credentials, and has been cited alongside Atomic Stealer, Odyssey, MacSync Stealer, and DigitStealer as part of the broader rise in macOS-focused infostealer activity. Available reporting places Phexia among comparatively less common families seen during that period. High-confidence public details about its internal implementation, delivery chain, persistence mechanisms, operator attribution, and specific collection scope are currently not available.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Adversaries began using those same paste-and-run methods on macOS, replacing PowerShell with a combination of shell script and AppleScript code.
Once the fateful paste into a Terminal window took place, the traditional AppleScript stealer code we’ve observed in previous years executed to gather data and exfiltrate.
Adversaries began exploring how they could distribute malware in script form to evade Gatekeeper entirely... Adversaries began using those same paste-and-run methods on macOS... Once the fateful paste into a Terminal window took place, the traditional AppleScript stealer code we’ve observed in previous years executed to gather data and exfiltrate.
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as another macOS stealer family used for comparison with CrashStealer.
Referenced as another macOS stealer family with overlapping objectives to CrashStealer.
Referenced only as another infostealer family for comparison with CrashStealer.
A macOS stealer family newly observed toward the end of 2025 and among the least common observed stealers.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.