Microsoft warned that information theft attacks are “rapidly expanding” beyond Windows to target Apple’s macOS environment by leveraging cross-platform languages such as Python and abusing trusted platforms for large-scale distribution.
The tech giant’s Defender Security Research team said it has observed information stealer campaigns targeting macOS since late 2025 using social engineering techniques such as ClickFix to distribute disk image (DMG) installers that deploy stealer malware families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer.
The campaign has been found to use techniques such as fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft. This includes details such as web browser credentials and session data, iCloud keychain, and developer secrets.
The starting point for these attacks is often malicious ads served through Google Ads. The ad redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to a fake site that uses the ClickFix lure to trick users into infecting their machines with malware.
“Python-based stealers are utilized by attackers to rapidly adapt, reuse, and target disparate environments with minimal overhead,” Microsoft said. “These are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.”
One such stealer is the PXA Stealer. It is linked to Vietnamese-speaking attackers and can collect login credentials, financial information, and browser data. The Windows maker announced that it has identified two PXA Stealer campaigns in October 2025 and December 2025 that used phishing emails for initial access.
The attack chain included the use of registry execution keys or scheduled tasks for persistence and the use of Telegrams for command-and-control communications and data exfiltration.
Additionally, malicious actors have been observed weaponizing popular messaging apps such as WhatsApp to distribute malware such as Eternidade Stealer and gain access to financial and cryptocurrency accounts. Details of the campaign were publicly documented by LevelBlue/Trustwave in November 2025.
Other stealer-related attacks revolve around fake PDF editors such as Crystal PDF, distributed via malvertising and search engine optimization (SEO) poisoning through Google ads, and deploying Windows-based stealers that can covertly collect cookies, session data, and credential caches from Mozilla Firefox and Chrome browsers.
To combat the threat of information theft, organizations are encouraged to educate users about social engineering attacks such as malvertising redirect chains, fake installers, and ClickFix-style copy-and-paste prompts. We also recommend monitoring suspicious terminal activity and iCloud Keychain access, and inspecting network output for POST requests to newly registered or suspicious domains.
“Breaches by information thieves can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks,” Microsoft said.
Source link
