thehackernews.com 2/4/2026, 8:41:12 AM

Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers

Microsoft has warned that information-stealing attacks are expanding beyond Windows to target Apple macOS environments by using cross‑platform languages like Python and abusing trusted platforms for distribution at scale. According to Microsoft, macOS‑targeted infostealer campaigns have used social engineering such as ClickFix since late 2025 to distribute DMG installers that deploy stealer families including AMOS (Atomic macOS Stealer), MacSync, and DigitStealer.

The campaigns employ techniques such as fileless execution, native macOS utilities, and AppleScript automation to steal data such as web browser credentials, iCloud Keychain, and developer secrets. The campaigns typically begin with malicious ads—often served through Google Ads—that redirect users to fake sites featuring ClickFix lures to infect their machines.

One identified threat, PXA Stealer, was linked to Vietnamese‑speaking actors, with two campaigns in October 2025 and December 2025 that used phishing emails for initial access, while other campaigns have utilised Run keys, scheduled tasks, and Telegram for C2 and exfiltration.

Article by CyberSIXT
