Infostealer threats are expanding beyond Windows to target macOS, with cross-platform languages like Python being leveraged and trusted platforms and utilities abused to deliver credential-stealing malware at scale, according to the Microsoft Defender Security Research Team. Since late 2025, macOS-targeted infostealer campaigns have used social engineering, including ClickFix-style prompts and malicious DMG installers, to deploy macOS stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS).
These campaigns use fileless execution and native macOS utilities, including AppleScript, to harvest credentials, browser data, and developer secrets, while Python-based stealers are being deployed to adapt rapidly and cope with heterogeneous environments. Attackers also abuse WhatsApp and PDF tools to spread malware, for example, Eternidade Stealer delivered via WhatsApp campaigns and a Crystal PDF installer campaign that impersonates a PDF editor.
The report outlines mitigation and protection guidance and notes Microsoft Defender XDR detections and indicators of compromise for these evolving threats.