Perceptive Security
SOC/SIEM Consultancy

Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers
Published:
4 February 2026 at 07:42:00
Alert date:
4 February 2026 at 09:00:42
Source:
thehackernews.com
Operating Systems, Ransomware & Malware, Data Breach & Exfiltration, Email & Messaging
Microsoft's Defender Security Research Team has identified a rapidly expanding threat where information-stealing attacks are moving beyond Windows to target Apple macOS environments. The attacks leverage cross-platform languages like Python and abuse trusted platforms for large-scale distribution. The campaigns employ social engineering techniques including ClickFix methods to compromise macOS systems. This represents a significant shift in the threat landscape as cybercriminals expand their targeting beyond traditional Windows environments to include Apple's operating system.
Technical details
Python-based infostealers are targeting macOS using social engineering techniques like ClickFix to distribute disk image (DMG) installers. The attacks use fileless execution, native macOS utilities, and AppleScript automation to steal web browser credentials, session data, iCloud Keychain, and developer secrets. Distribution occurs through malicious Google Ads redirecting to fake sites, phishing emails, and weaponized messaging apps like WhatsApp. Attack chains use registry Run keys or scheduled tasks for persistence and Telegram for command-and-control communications and data exfiltration.
Mitigation steps:
Educate users on social engineering attacks like malvertising redirect chains, fake installers, and ClickFix-style copy-paste prompts
Monitor for suspicious Terminal activity and access to the iCloud Keychain
Inspect network egress for POST requests to newly registered or suspicious domains
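One way to turn the last two mitigation steps into a concrete detection check, as an added example that is not part of the original alert or Microsoft's research: it parses constructed process-start and egress events in an assumed key=value format, flags the native keychain CLI and AppleScript launched from a terminal (where a ClickFix paste-and-run lands), and flags POST egress to watch-listed, unknown or recently registered domains. The log format, the domain registration dates and the 30-day "newly registered" threshold are all assumptions.

```python
import re
from datetime import date

# Constructed sample telemetry in a simplified key=value line format assumed for
# this example; it is not a real macOS unified-log or EDR schema.
SAMPLE_EVENTS = """\
type=proc parent=Terminal cmd="osascript -e 'display dialog Update required'"
type=proc parent=Terminal cmd="security find-generic-password -s example-service"
type=proc parent=Finder cmd="/Applications/Safari.app/Contents/MacOS/Safari"
type=net method=POST host=api.telegram.org
type=net method=POST host=updates-cdn-example.xyz
type=net method=GET host=www.apple.com
"""
# Assumed registration dates (constructed; in production from WHOIS/RDAP enrichment).
DOMAIN_REGISTERED = {
    "api.telegram.org": date(2015, 1, 1),
    "updates-cdn-example.xyz": date(2026, 1, 28),
}
SHELL_PARENTS = {"Terminal", "iTerm2"}  # where a ClickFix paste-and-run prompt lands
C2_WATCHLIST = {"api.telegram.org"}     # Telegram C&C/exfiltration named in the alert
MAX_DOMAIN_AGE_DAYS = 30                # "newly registered" threshold (assumed)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def analyze(events_text, domain_registered, today):
    """Return finding strings for keychain/AppleScript use from a terminal and
    POST egress to watch-listed, newly registered or unknown domains."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("type") == "proc" and ev.get("parent") in SHELL_PARENTS:
            cmd = ev.get("cmd", "")
            if cmd.startswith("security "):    # native macOS keychain CLI
                findings.append(f"keychain-cli-from-terminal: {cmd}")
            elif cmd.startswith("osascript"):  # AppleScript automation
                findings.append(f"applescript-from-terminal: {cmd}")
        elif ev.get("type") == "net" and ev.get("method") == "POST":
            host = ev.get("host", "")
            if host in C2_WATCHLIST:
                findings.append(f"post-to-watchlisted-c2: {host}")
            registered = domain_registered.get(host)
            if registered is None or (today - registered).days <= MAX_DOMAIN_AGE_DAYS:
                findings.append(f"post-to-new-or-unknown-domain: {host}")
    return findings

def run_sample():
    return analyze(SAMPLE_EVENTS, DOMAIN_REGISTERED, date(2026, 2, 4))
```

Legitimate Telegram and terminal use will also match, so these are triage signals to correlate with the DMG install and browser-data access described above, not standalone block rules.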
Affected products:
macOS
DynamicLake
Mozilla Firefox
Chrome browsers
iCloud Keychain
WhatsApp
Crystal PDF
Google Ads
Related links:
https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html
https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html
https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html
https://thehackernews.com/2025/11/weekly-recap-fortinet-exploited-chinas.html#:~:text=New%20DigitStealer%20macOS%20Malware%20Spotted
https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/
https://thehackernews.com/2025/08/vietnamese-hackers-use-pxa-stealer-hit.html
https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html
Related CVEs:
Related threat actors:
IOCs:
Atomic macOS Stealer (AMOS), MacSync, DigitStealer, PXA Stealer, Eternidade Stealer, Crystal PDF fake editor, DMG installer files, ClickFix lures, POST requests to newly registered or suspicious domains, Suspicious Terminal activity, Telegram C&C communications
This article was created with the assistance of AI technology by Perceptive.
