securityonline.info 2/6/2026, 1:41:20 AM · via preferred

Macs Under Siege: New Infostealers Spread via WhatsApp & Fake Apps

A sweeping new analysis by the Microsoft Defender Security Research Team shows a rapid evolution in information stealers, now expanding beyond Windows to target macOS and using cross‑platform languages such as Python. The report highlights campaigns that abuse trusted platforms and utilities to silently deliver credential‑stealing malware at scale, including fake installers and “ClickFix” social‑engineering tactics.

One notable threat is a fake application called Crystal PDF, which lured victims in September 2025 through malvertising and SEO poisoning on Google Ads, then established persistence and hijacked Firefox and Chrome to access sensitive files. Another standout is the Eternidade Stealer, a Delphi‑based malware that spreads via a worm‑like infection chain and weaponises WhatsApp, using a Python script that leverages WPPConnect to automate message sending from hijacked accounts to contact lists.

Once on a system, Eternidade monitors active windows and processes for banking portals and crypto sites, ready to exfiltrate cookies, session data and credential caches.

Article by CyberSIXT
