DigitStealer Malware Targets macOS M2+ Devices and Cryptocurrency Wallets
A new macOS infostealer named DigitStealer has been discovered targeting users with Apple M2 or newer devices. The malware is distributed via a fake utility app called DynamicLake, which is hosted on a spoofed website. Victims are tricked into dragging a file into Terminal, initiating a largely fileless infection chain that executes malicious code directly in memory, making detection and remediation difficult. DigitStealer employs advanced anti-analysis techniques, including hardware and locale checks, to evade security tools and avoid infecting virtual machines or systems outside its target region.
The malware demonstrates a high level of sophistication by hijacking legitimate cryptocurrency wallet software such as Ledger Live using JXA (JavaScript for Automation) and communicating with its command-and-control infrastructure via DNS-based channels. Its primary goal is to steal sensitive information, including files, passwords, and browser data, from macOS users. Security researchers warn that DigitStealer's platform-specific targeting and stealthy operation pose significant new challenges for defenders, especially as it remains undetected by many traditional antivirus solutions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Technical analysis reveals Ledger Live hijacking and DNS-based C2
Further reporting described DigitStealer's advanced capabilities, including hijacking Ledger Live, stealing browser, wallet, VPN, and Telegram data, and using JXA and DNS-based command-and-control to operate stealthily on infected Macs.
Malwarebytes adds detection for DigitStealer
Malwarebytes said its Mac product detects the threat as MacOA.Stealer.DigitSteal and warned users to avoid suspicious Terminal commands and keep software updated as defenses against the new stealer.
DigitStealer delivery chain using fake DynamicLake app is documented
Researchers reported that the malware is distributed through a fake utility application called DynamicLake, which tricks users into executing a malicious Terminal command that launches a multi-stage, largely fileless infection chain.
Researchers discover DigitStealer targeting newer Apple Silicon Macs
Security researchers identified a new macOS information stealer dubbed DigitStealer that specifically targets Apple Silicon systems, particularly M2 and later devices, while using anti-analysis, VM checks, and regional filtering to evade detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
MacOS DigitStealer malware poses as DynamicLake, targets Apple Silicon M2/M3 devices
helpnetsecurity.com
Open sourceMac users warned about new DigitStealer information stealer
malwarebytes.com
Open sourceAdvanced macOS DigitStealer Targets M2+ Macs, Hijacking Ledger Live via JXA and DNS-Based C2
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
notnullOSX Mac Stealer Targets High-Value Crypto Wallet Holders
Researchers reported a new Go-based macOS stealer and backdoor, **notnullOSX**, being used in highly targeted campaigns against users believed to hold more than **$10,000 in cryptocurrency**. The malware has been linked to the developer previously known as **0xFFF**, later **alh1mik**, and was first detected in Vietnam, Taiwan, and Spain. Operators are distributing it through social-engineering lures including fake protected Google Docs, **ClickFix** terminal-prompt tricks, malicious DMG files, and counterfeit WallSpace wallpaper sites promoted through a likely hijacked YouTube channel. Once victims are persuaded to grant **Full Disk Access**, notnullOSX can steal browser credentials, Safari cookies, iMessage data, Apple Notes, Telegram sessions, crypto wallet files, and developer secrets. Researchers said the malware uses a modular architecture, downloads components from `cdn.filestackcontent.com`, and maintains persistent command-and-control through **Firebase Realtime Database** using SSE, HTTP POST, heartbeat traffic, and WebSocket-style connectivity. One module, **ReplaceApp**, appears designed to swap legitimate wallet tools such as **Ledger Live** or **Trezor** with trojanized versions to capture seed phrases, giving the operation capabilities closer to a remote access trojan than a conventional smash-and-grab stealer.
Apr 23, 2026
Microsoft Warns macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers
Microsoft reported that **information-stealing malware activity is expanding from Windows to macOS**, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes **ClickFix-style prompts** and **malicious DMG installers** that deliver macOS-focused infostealer families such as **Atomic macOS Stealer (AMOS)**, **MacSync**, and **DigitStealer**, with operators leveraging **fileless execution**, **native macOS utilities**, and **AppleScript automation** to evade defenses and automate collection. Initial access commonly starts with **malicious search ads (e.g., Google Ads)** that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, **iCloud Keychain** contents, crypto wallet data, and **developer secrets**; Microsoft also highlighted growing use of **Python-based stealers** distributed via phishing for rapid adaptation across heterogeneous environments, citing **PXA Stealer** (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry `Run` keys or scheduled tasks and **Telegram** used for command-and-control.
Mar 21, 2026
MacSync macOS Infostealer Using ClickFix-Style Terminal Paste Lure to Steal Cryptocurrency Data
Security researchers reported a **macOS infostealer** dubbed **MacSync** being distributed as a low-cost **Malware-as-a-Service (MaaS)**, primarily targeting **cryptocurrency users** via a *ClickFix*-style social engineering lure. The campaign uses phishing infrastructure (including domains mimicking **Microsoft login** pages) to redirect victims to a fake macOS *cloud storage installer* site that instructs users to “install” by copying and pasting a **single Terminal command**. This approach relies on user execution rather than a signed app package, allowing the infection chain to **bypass macOS protections** such as **Gatekeeper** and **notarization**. Technical analysis describes a **script-based, multi-stage** infection chain: the pasted one-liner fetches a remote script that installs a **daemonized Zsh loader** which detaches from the Terminal session and runs in the background, then retrieves additional payloads (including **AppleScript**) to perform data theft. Beyond credential and wallet data harvesting, reporting indicates MacSync can **persist and expand impact** by **trojanizing Electron-based cryptocurrency applications** (e.g., *Ledger Live* and *Trezor Suite*) by overwriting components to present convincing phishing flows designed to capture **PINs** and **recovery phrases**, potentially triggering theft well after the initial compromise.
Mar 21, 2026