Microsoft's security team warns that Python-powered infostealer malware now targets macOS devices at scale, marking a significant expansion beyond traditional Windows-focused campaigns.
The company's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques like ClickFix since late 2025. Attackers distribute disk image installers that deploy stealer malware families including Atomic macOS Stealer, MacSync, and DigitStealer.
Python-based stealers allow attackers to rapidly adapt, reuse code, and target mixed environments with minimal overhead. Cross-platform languages enable threat actors to manage campaigns across multiple operating systems from a single interface.
Distribution varies by threat type: macOS-specific infostealers like DigitStealer, MacSync, and AMOS primarily spread through Google Ads and fake software installers, while Python-based stealers like PXA Stealer typically distribute via phishing emails.
The attacks use techniques like fileless execution to evade detection while harvesting sensitive data from compromised systems.
Once installed, the malware harvests browser credentials and cookies, session tokens to bypass multi-factor authentication, financial and crypto data, and cloud, developer, and API credentials. Stolen information transmits to attacker servers before infection traces delete.
Microsoft's threat intelligence report challenges the long-held assumption that Apple users enjoy relative immunity from mainstream malware campaigns. The shift reflects growing market share of Apple devices in enterprise environments and the valuable data these systems contain.
"Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead," according to Microsoft's research.
The company notes these threats typically distribute via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.
Compromise by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise, supply chain attacks, and ransomware attacks. Attack chains involve registry Run keys or scheduled tasks for persistence and Telegram for command-and-control communications.
For enterprise security teams, the cross-platform evolution presents unique challenges. Traditional security architectures often treat macOS endpoints as lower-risk assets, creating blind spots that sophisticated threat actors now actively exploit.
Organizations must implement behavior-based endpoint protection and user awareness training focused on fake installers, updates, and command execution.
Consistent security application across both Windows and macOS environments becomes increasingly critical as threat actors expand their targeting, especially as Microsoft continues to patch critical vulnerabilities across its ecosystem.
