Hackers Exploit PyInstaller to Deliver Undetectable macOS Infostealer

Jamf Threat Labs has identified a new wave of undetected macOS infostealer samples, leveraging the legitimate open-source utility PyInstaller to embed Python-based malware within Mach-O executables.

Jamf describes this as the first observed use of PyInstaller to package and distribute infostealers aimed at macOS, a notable shift in how attackers build their macOS payloads.

PyInstaller, commonly used to generate standalone executables from Python code, lets scripts run without a system-installed Python interpreter. That matters on macOS: Apple stopped shipping a bundled Python with macOS 12.3, so a malware author who wants to write in Python has to bring an interpreter along.

While this aids cross-platform software development, adversaries are now co-opting PyInstaller to deliver macOS-native threats.

[Figure: VirusTotal entry for the newly discovered malicious file]

Jamf’s analysis identified several undetected infostealer variants circulating on VirusTotal since early 2025, with all samples employing the same fundamental technique.

Technical Dissection of the Threat

The initial sample, named “stl”, revealed itself through several behavioral red flags: triggering AppleScript password dialogs, invoking tccutil reset AppleEvents, executing scripts via /usr/bin/osascript, and communicating with command-and-control (C2) URLs whose path ends in /connect.

[Figure: Events correlated with the initial execution of the stl binary]

Static analysis confirmed the executable was an ad-hoc signed Mach-O FAT (universal) binary containing both x86_64 and arm64 slices, an increasingly common practice to ensure compatibility across Apple Silicon and Intel-based Macs.

Signature strings, such as _MEIPASS, pointed directly to PyInstaller usage. In operation, the PyInstaller bootloader extracts its embedded archive into a temporary working directory (e.g., _MEIxxxxxx) before launching its internal Python interpreter.

This package includes compiled Python bytecode (.pyc), standard libraries, and any necessary shared objects.

Further examination of the binary with the lipo utility showed the PyInstaller archive embedded only in the arm64 slice; the x86_64 slice carries no archive and therefore cannot run on its own.

The practical effect is that only Apple Silicon hosts, which load the arm64 slice, execute the full payload. On an Intel Mac the loader selects the x86_64 slice and the malware simply fails, and an x86_64 analysis environment sees an inert binary unless the analyst inspects the arm64 slice directly.
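The slice-by-slice inspection described above can be automated. The following is an added example, not Jamf's tooling or code from the page: it parses the FAT header, carves each slice, and checks it for the PyInstaller CArchive cookie magic (the byte string PyInstaller writes at the start of its archive cookie) and for the _MEIPASS bootloader string. The sample input is a constructed FAT container that mimics the stl layout (archive only in the arm64 slice); it is not a real Mach-O and the stub slice contents are an assumption for the fixture.

```python
"""Scan a FAT Mach-O for PyInstaller archives, one slice at a time."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # universal header and fat_arch table are big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O magic (little-endian on x86_64/arm64)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# PyInstaller CArchive cookie magic (PyInstaller/archive/writers.py: MAGIC).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Bootloader string referenced in the analysis; a stub slice may carry it
# even when the archive itself is absent.
PYI_MARKER = b"_MEIPASS"


def fat_slices(data):
    """Return [(cputype, offset, size)] for a FAT binary, or [] for a thin one."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        base = 8 + i * 20
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[base:base + 20])
        slices.append((cputype, off, size))
    return slices


def scan(data):
    """Map each slice name to whether it carries the archive cookie / marker string."""
    slices = fat_slices(data) or [(None, 0, len(data))]
    report = {}
    for cputype, off, size in slices:
        blob = data[off:off + size]
        name = "thin" if cputype is None else CPU_NAMES.get(cputype, hex(cputype))
        report[name] = {"has_archive": PYI_MAGIC in blob, "has_marker": PYI_MARKER in blob}
    return report


def verdict(report):
    """Names of slices that contain a full PyInstaller archive."""
    return sorted(name for name, r in report.items() if r["has_archive"])


def build_fat(slices):
    """Build a minimal FAT container from [(cputype, bytes)]. Test fixture only."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    off = 8 + 20 * len(slices)
    table, body = b"", b""
    for cputype, blob in slices:
        table += struct.pack(">IIIII", cputype, 0, off + len(body), len(blob), 0)
        body += blob
    return header + table + body


# Constructed sample: x86_64 slice has only the bootloader marker string,
# arm64 slice also carries the archive cookie, as reported for stl.
SAMPLE = build_fat([
    (CPU_TYPE_X86_64, struct.pack("<I", MH_MAGIC_64) + b"\x00" * 16 + PYI_MARKER),
    (CPU_TYPE_ARM64, struct.pack("<I", MH_MAGIC_64) + b"\x00" * 16 + PYI_MARKER + b"pad" + PYI_MAGIC),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, r in scan(data).items():
        print(f"{name}: archive={r['has_archive']} marker={r['has_marker']}")
    print("slices with PyInstaller archive:", verdict(scan(data)))
```

Run it against a real binary with the path as the first argument; a marker string without the cookie in one slice and both in the other is the pattern described for stl. The cookie search is a plain substring match over the slice, which is deliberate: PyInstaller has changed where it places the archive across versions, so the scanner does not depend on a particular segment or section name.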

Dynamic Analysis and Data Exfiltration

Upon execution, dynamic analysis tools such as Red Canary’s Mac Monitor captured multiple process events, especially the use of osascript to display convincing password prompts in an effort to harvest user credentials.

Critically, the malware never spawns a separately visible Python process: the PyInstaller bootloader runs the embedded interpreter in its own process and locates its unpacked payload through environment variables such as _PYI_APPLICATION_HOME_DIR and _PYI_ARCHIVE_FILE, so the only process an analyst sees is the original binary working out of its temporary extraction directory.

The infostealer’s logic ships as Python bytecode inside the PyInstaller archive; open-source tools such as pyinstxtractor unpack the archive and recover the .pyc files.

Decompiling that bytecode with PyLingual shows the payload wrapped in several layers of obfuscation: string reversal, base85 encoding, single-byte XOR (key 188, 0xBC) and zlib compression. Each layer has to be peeled before the source is readable, which hinders both static and dynamic analysis.
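The four layers are all reversible, and knowing the key is not even strictly necessary. The example below is added here and is not the malware's code or Jamf's decoder; the order in which the layers are applied is an assumption (the article lists them but does not state the order), and the short sample source string is constructed. It builds an obfuscated blob, unwinds it, and shows how a single-byte XOR key can be recovered from the fixed zlib header byte when the key is not known.

```python
"""Layered obfuscation (reverse / base85 / single-byte XOR / zlib) and its inverse."""
import base64
import zlib

XOR_KEY = 188  # 0xBC, the single-byte key reported in the analysis
ZLIB_CMF = 0x78  # first byte of every zlib stream with deflate + 32 KiB window


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def obfuscate(source, key=XOR_KEY):
    """Assumed layer order, innermost first: zlib -> XOR -> base85 -> reverse."""
    packed = zlib.compress(source.encode("utf-8"))
    packed = xor_bytes(packed, key)
    packed = base64.b85encode(packed)
    return packed[::-1].decode("ascii")


def deobfuscate(blob, key=XOR_KEY):
    """Peel the layers in the opposite order."""
    raw = base64.b85decode(blob[::-1].encode("ascii"))
    raw = xor_bytes(raw, key)
    return zlib.decompress(raw).decode("utf-8")


def recover_xor_key(blob):
    """Recover a single-byte XOR key from the obfuscated blob without knowing it.

    After un-reversing and base85-decoding, the first plaintext byte must be the
    zlib CMF byte 0x78, so key = first_byte ^ 0x78. The guess is validated by a
    trial decompression; if that fails (e.g. a non-default window size), fall
    back to trying all 256 keys. Returns None if nothing decompresses.
    """
    raw = base64.b85decode(blob[::-1].encode("ascii"))
    candidates = [raw[0] ^ ZLIB_CMF] + [k for k in range(256) if k != raw[0] ^ ZLIB_CMF]
    for key in candidates:
        try:
            zlib.decompress(xor_bytes(raw, key))
            return key
        except zlib.error:
            continue
    return None


# Constructed sample payload; it stands in for the decompiled stager.
SAMPLE_SOURCE = "import os\nos.system(\"echo hello from the unpacked stage\")\n"
SAMPLE_BLOB = obfuscate(SAMPLE_SOURCE)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB[:48], "...")
    key = recover_xor_key(SAMPLE_BLOB)
    print("recovered key:", key)
    print("recovered source:\n" + deobfuscate(SAMPLE_BLOB, key))
```

The key-recovery trick generalizes: whenever a XOR layer sits directly over a format with a known leading byte (zlib, gzip's 0x1f 0x8b, a .pyc magic), the first byte of the ciphertext leaks the key. The brute-force fallback is there because the CMF byte only takes the value 0x78 for the default 32 KiB window; a sample built with a smaller window would still decompress under the exhaustive search.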

Functionality embedded within the decrypted code includes credential theft via AppleScript prompts (GetPasswordModal()), execution of attacker-supplied AppleScripts, direct Keychain extraction (DumpKeychain()), and targeting of local cryptocurrency wallets (CollectCryptowallets()). Collected data and credentials are systematically exfiltrated to attacker-controlled infrastructure.

This campaign underscores a growing sophistication among macOS threat actors, who are now capable of bypassing both detection and compatibility hurdles by leveraging benign tools like PyInstaller.

The blending of legitimate development practices and advanced obfuscation makes static and heuristic analysis far more challenging for defenders.

Security teams are advised to monitor for unusual executable packaging (especially Mach-O binaries carrying embedded PyInstaller archives), for suspicious AppleScript activity such as osascript password dialogs and tccutil resets, and for network connections to the C2 endpoints listed below.
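The behaviors listed above are individually noisy (developers use osascript, and plenty of legitimate software is built with PyInstaller), so a practical detection correlates them per process tree. The following is an added example, not a vendor rule or code from the page: it runs a handful of rules over constructed process and network events modeled on the stl execution chain, attributes each hit to the root process of its tree, and alerts when enough distinct behaviors coincide. The event field names are this example's own, not any product's schema.

```python
"""Correlate process/network telemetry for the PyInstaller infostealer pattern."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events: a PyInstaller-bundled, ad-hoc signed binary in /tmp
# that spawns an osascript password dialog, resets TCC AppleEvents consent and
# beacons to a /connect endpoint, next to a benign editor running osascript.
EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 1, "path": "/tmp/stl", "signer": "adhoc",
     "env": {"_PYI_ARCHIVE_FILE": "/tmp/stl",
             "_PYI_APPLICATION_HOME_DIR": "/private/var/folders/xx/T/_MEIabc123"}},
    {"type": "exec", "pid": 502, "ppid": 501, "path": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "macOS needs your password" default answer "" with hidden answer']},
    {"type": "exec", "pid": 503, "ppid": 501, "path": "/usr/bin/tccutil",
     "argv": ["tccutil", "reset", "AppleEvents"]},
    {"type": "net", "pid": 501, "url": "https://grand-flash.com/connect"},
    {"type": "exec", "pid": 600, "ppid": 1, "path": "/Applications/Editor.app/Contents/MacOS/Editor",
     "signer": "developerid", "env": {}},
    {"type": "exec", "pid": 601, "ppid": 600, "path": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'tell application "Finder" to activate']},
]


def rule_pyi_runtime(ev):
    if ev["type"] == "exec" and any(k.startswith("_PYI_") for k in ev.get("env", {})):
        return "pyinstaller_bootloader"


def rule_adhoc_tmp(ev):
    if (ev["type"] == "exec" and ev.get("signer") == "adhoc"
            and ev["path"].startswith(("/tmp/", "/private/tmp/"))):
        return "adhoc_signed_in_tmp"


def rule_password_prompt(ev):
    if ev["type"] == "exec" and ev["path"].endswith("/osascript"):
        cmd = " ".join(ev.get("argv", [])).lower()
        if "display dialog" in cmd and "hidden answer" in cmd:
            return "osascript_password_prompt"


def rule_tcc_reset(ev):
    if ev["type"] == "exec" and ev["path"].endswith("/tccutil") and "reset" in ev.get("argv", []):
        return "tccutil_reset"


def rule_connect_beacon(ev):
    if ev["type"] == "net" and urlparse(ev["url"]).path == "/connect":
        return "c2_connect_path"


RULES = [rule_pyi_runtime, rule_adhoc_tmp, rule_password_prompt, rule_tcc_reset, rule_connect_beacon]


def root_of(pid, parents):
    """Walk ppid links up to the top-most process we have an exec event for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def correlate(events):
    """Return {root_pid: sorted list of distinct rule labels seen in that tree}."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}
    hits = defaultdict(set)
    for ev in events:
        root = root_of(ev["pid"], parents)
        for rule in RULES:
            label = rule(ev)
            if label:
                hits[root].add(label)
    return {root: sorted(labels) for root, labels in hits.items()}


def alerts(events, threshold=3):
    """Only trees with at least `threshold` distinct behaviors are alerted on."""
    return {root: labels for root, labels in correlate(events).items() if len(labels) >= threshold}


if __name__ == "__main__":
    for root, labels in alerts(EVENTS).items():
        print(f"ALERT root pid {root}: {', '.join(labels)}")
```

The threshold is the tuning knob: a single osascript dialog or a lone PyInstaller binary should not page anyone, but a PyInstaller bootloader from a temporary directory that prompts for a password, resets AppleEvents consent and then posts to /connect is the chain this report describes. In production the /connect rule should be paired with the listed domains rather than the path alone.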

Regular review of endpoint security telemetry and behavioral analytics remains crucial.

Indicators of Compromise (IOCs)

Filename       SHA1                                       Contacted URLs (defanged)
stl            35ce8d5817ab7a7c5be33ea03c3234181286fd61   hxxps://grand-flash[.]com/connect
                                                          hxxp://vapotrust[.]com/mac/stl
stl-deobf.py   cd2ef119c9120ea56548f5cf0a3ff7d6ffc7613a   (none)
installer      878dcf854287e1dae3d5a55279df87eb6bdf96b3   hxxps://grand-flash[.]com/connect
sosorry        90d33f249573652106a2b9b3466323c436da9403   hxxp://138[.]68[.]93[.]230/connect
                                                          hxxp://138[.]68[.]93[.]230/Ledger-Live.dmg


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
