macOS Stealer Malware Threatens User Security

The cybersecurity landscape for macOS users has grown increasingly perilous as new information-stealing malware variants proliferate across underground markets and compromised websites.

Recent advisories from threat intelligence firms and a February 2025 social media post by DarkWebInformer spotlighting a threat actor’s macOS stealer advertisement underscore the urgency of this issue.

These stealers employ sophisticated techniques to bypass macOS security protocols, exfiltrate sensitive data, and monetize stolen credentials through cybercriminal networks.

Atomic macOS Stealer: A Modular Threat

According to the DarkWebInformer post, Atomic macOS Stealer (AMOS), first observed in mid-2023, has evolved into a polymorphic threat distributed via Telegram channels and malvertising campaigns.

The malware targets Keychain passwords, browser autofill data (including credit card information), and cryptocurrency wallets like Electrum and Binance.

Its operators offer a managed service model: for $1,000/month, clients receive a web panel for victim management, custom DMG installers, and Telegram-based log delivery.

Recent iterations leverage Golang to evade detection, with SHA256 hashes like 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709 associated with “Setup.dmg” payloads.

Distribution occurs through poisoned Google Ads redirecting to fake software installers for Tor Browser, Photoshop, and productivity tools.

MacStealer’s Cross-Platform Exfiltration

Uptycs researchers identified MacStealer in March 2023, marking one of the first macOS stealers using Telegram’s API for command-and-control (C2).

The Python-compiled Mach-O binary harvests documents (.docx, .xlsx), browser cookies from Chrome/Firefox/Brave, and the encrypted Keychain database via a forged System Preferences password prompt.

Attackers deploy it through DMG files mimicking legitimate apps, exploiting Apple’s Gatekeeper override workflow, which requires users to right-click the app and select “Open”.

This social engineering tactic has proven effective against Catalina and later macOS versions, including M1/M2 ARM architectures.

FrigidStealer and the Web Inject Epidemic

Proofpoint’s February 2025 report details FrigidStealer, a WailsIO framework-based stealer distributed through TA2726’s traffic distribution system (TDS).

This actor compromises legitimate websites to inject JavaScript that redirects victims based on geolocation and user agent.

North American macOS users receive fake Safari/Chrome update prompts leading to DMG downloads.

The Mach-O payload uses osascript to trigger password dialogs, then scavenges Desktop/Documents folders for credentials, Apple Notes, and crypto wallet data.

Collected information gets packaged into ~/Library/Caches/com.apple.icloud.fmipagent before exfiltration to askforupdate[.]org via HTTPS POST.

Mitigation Requires Layered Defenses

Endpoint detection tools must monitor for unsigned Mach-O files, anomalous osascript executions, and WailsIO process trees.

Network defenses should block connections to TDS domains like cdn-protect[.]org and C2 servers. Enterprises are advised to enforce browser isolation policies, restrict DMG installations, and conduct phishing simulations highlighting fake update risks.
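The behaviours described above (an osascript password dialog spawned by an app run from a mounted DMG, loot staged under ~/Library/Caches/com.apple.icloud.fmipagent, an HTTPS POST to the exfiltration domain) map directly onto the monitoring this section recommends. The following is an added example written for this page, not code from the article or from any vendor: it walks a Mach-O's load commands to spot a missing code signature and runs a handful of detection rules over constructed endpoint telemetry. The event schema, the field names, the minimal Mach-O images and the dialog text are all assumptions made for the example; only the two defanged domains and the staging path come from the article.

```python
"""Triage of constructed macOS endpoint telemetry for the stealer behaviours
the article describes. Added example code, not from the article or any vendor;
the event schema, field names and sample values are assumptions."""
import struct

# Indicators quoted in the article, kept defanged as printed.
BLOCKED_DOMAINS = {"askforupdate[.]org", "cdn-protect[.]org"}
STAGING_DIR = "/Library/Caches/com.apple.icloud.fmipagent"

# Mach-O constants from <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
MH_MAGIC = 0xFEEDFACE
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D


def macho_has_code_signature(blob: bytes) -> bool:
    """Walk a thin little-endian Mach-O's load commands and report whether an
    LC_CODE_SIGNATURE command exists. Absence means the binary is unsigned;
    presence only means a signature blob exists (it may be ad hoc or invalid),
    so a hit still needs `codesign --verify` for a verdict."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC_64:
        header_len = 32
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat/big-endian unsupported)")
    ncmds = struct.unpack_from("<I", blob, 16)[0]   # ncmds sits at offset 16 in both headers
    off = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:          # malformed command; stop rather than loop forever
            break
        off += cmdsize
    return False


def build_macho(signed: bool) -> bytes:
    """Constructed minimal 64-bit Mach-O header and load commands (not an
    executable image) so the signature check can be exercised offline."""
    cmds = struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64   # empty segment command
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    ncmds = 2 if signed else 1
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


# Constructed images keyed by path, standing in for what an agent would read from disk.
IMAGES = {
    "/Volumes/Setup/Setup.app/Contents/MacOS/Setup": build_macho(signed=False),
    "/usr/bin/osascript": build_macho(signed=True),
}

# Constructed telemetry modelling the chain described in the article: an app launched
# from a mounted DMG spawns osascript to show a password dialog (dialog text is
# invented), stages loot under ~/Library/Caches, and posts it to the exfil domain.
# pid 600 is benign osascript use included as a negative case.
EVENTS = [
    {"type": "process", "pid": 501, "ppid": 1,
     "exe": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", "cmdline": "Setup"},
    {"type": "process", "pid": 502, "ppid": 501, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "System Preferences wants to make changes" '
                'default answer "" with hidden answer\''},
    {"type": "file", "pid": 501, "path": "/Users/alice" + STAGING_DIR + "/loot.zip"},
    {"type": "network", "pid": 501, "host": "askforupdate.org", "port": 443},
    {"type": "process", "pid": 600, "ppid": 1, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'tell application "Finder" to activate\''},
    {"type": "network", "pid": 600, "host": "example.com", "port": 443},
]


def triage(events, images=IMAGES):
    """Apply the detection rules and return {pid: sorted rule names}."""
    refanged = {d.replace("[.]", ".") for d in BLOCKED_DOMAINS}
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = {}

    def flag(pid, rule):
        hits.setdefault(pid, set()).add(rule)

    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            image = images.get(e["exe"])
            if image is not None and not macho_has_code_signature(image):
                flag(pid, "unsigned_macho")
            cl = e["cmdline"]
            if e["exe"].endswith("osascript") and "display dialog" in cl and "hidden answer" in cl:
                flag(pid, "osascript_password_prompt")     # forged credential dialog
                parent = procs.get(e["ppid"])
                if parent and parent["exe"].startswith("/Volumes/"):
                    flag(pid, "prompt_from_mounted_dmg")   # anomalous parent: app run off a DMG
        elif e["type"] == "file" and STAGING_DIR in e["path"]:
            flag(pid, "stealer_staging_dir")
        elif e["type"] == "network" and e["host"].lower() in refanged:
            flag(pid, "known_c2_or_tds_domain")
    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, rules)
```

In a real deployment the image bytes would come from the agent reading the executable at exec time and the rules would be correlated per process tree rather than per event; the point of the rule set is that each single behaviour (an unsigned binary, a hidden-answer dialog, a cache-directory write) is noisy on its own but the combination on one tree is the stealer pattern this section asks defenders to watch for.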

Palo Alto Networks’ Q4 2024 data shows a 101% quarterly increase in macOS infostealer activity, underscoring the need for proactive measures.

As threat actors refine cross-platform attack chains, macOS users can no longer rely on perceived security advantages.

The convergence of underground malware marketplaces, Telegram-based C2, and compromised update mechanisms creates a perfect storm demanding heightened vigilance across both consumer and enterprise environments.

AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
