Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). 

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, secrets from browsers, keychains, and developer environments. Simultaneously, Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead. Other threat actors are abusing trusted platforms and utilities—including WhatsApp and PDF converter tools—to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.

This blog examines how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses. We provide comprehensive detection coverage through Microsoft Defender XDR and actionable guidance to help organizations detect, mitigate, and respond to these evolving threats. 

Activity overview 

macOS users are being targeted through fake software and browser tricks 

Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements—that either prompt them to download fake applications or instruct them to copy and paste commands into their Terminal. These “ClickFix” style attacks trick users into downloading malware that steals browser passwords, cryptocurrency wallets, cloud credentials, and developer access keys. 

Three major Mac-focused stealer campaigns include DigitStealer (distributed through fake DynamicLake software), MacSync (delivered via copy-paste Terminal commands), and Atomic Stealer (using fake AI tool installers). All three harvest the same types of data—browser credentials, saved passwords, cryptocurrency wallet information, and developer secrets—then send everything to attacker servers before deleting traces of the infection. 

Stolen credentials enable account takeovers across banking, email, social media, and corporate cloud services. Cryptocurrency wallet theft can result in immediate financial loss. For businesses, compromised developer credentials can provide attackers with access to source code, cloud infrastructure, and customer data. 

Phishing campaigns are delivering Python-based stealers to organizations 

The proliferation of Python information stealers has become an escalating concern. This gravitation towards Python is driven by ease of use and the availability of tools and frameworks allowing quick development, even for individuals with limited coding knowledge. Due to this, Microsoft Defender Experts observed multiple Python-based infostealer campaigns over the past year. They are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.

PXA Stealer, one of the most notable Python-based infostealers seen in 2025, harvests sensitive data including login credentials, financial information, and browser data. Linked to Vietnamese-speaking threat actors, it targets government and education entities through phishing campaigns. In October 2025 and December 2025, Microsoft Defender Experts investigated two PXA Stealer campaigns that used phishing emails for initial access, established persistence via registry Run keys or scheduled tasks, downloaded payloads from remote locations, collected sensitive information, and exfiltrated the data via Telegram. To evade detection, we observed the use of legitimate services such as Telegram for command-and-control communications, obfuscated Python scripts, malicious DLLs being sideloaded, Python interpreter masquerading as a system process (i.e., svchost.exe), and the use of signed and living off the land binaries.

Due to the growing threat of Python-based infostealers, it is important that organizations protect their environment by being aware of the tactics, techniques, and procedures used by the threat actors who deploy this type of malware. Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks.

Attackers are weaponizing WhatsApp and PDF tools to spread infostealers 

Since late 2025, platform abuse has become an increasingly prevalent tactic wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. 

WhatsApp Abused to Deliver Eternidade Stealer: During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign leveraging multi-stage infection and worm-like propagation to distribute malware. The activity begins with an obfuscated Visual Basic script that drops a malicious batch file launching PowerShell instances to download payloads.

One of the payloads is a Python script that establishes communication with a remote server and leverages WPPConnect to automate message sending from hijacked WhatsApp accounts, harvests the victim’s contact list, and sends malicious attachments to all contacts using predefined messaging templates. Another payload is a malicious MSI installer that ultimately delivers Eternidade Stealer, a Delphi-based credential stealer that continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges including Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.

Malicious Crystal PDF installer campaign: In September 2025, Microsoft Defender Experts discovered a malicious campaign centered on an application masquerading as a PDF editor named Crystal PDF. The campaign leveraged malvertising and SEO poisoning through Google Ads to lure users. When executed, CrystalPDF.exe establishes persistence via scheduled tasks and functions as an information stealer, covertly hijacking Firefox and Chrome browsers to access sensitive files in AppData\Roaming, including cookies, session data, and credential caches.

Mitigation and protection guidance 

Microsoft recommends the following mitigations to reduce the impact of the macOS‑focused, Python‑based, and platform‑abuse infostealer threats discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. 

Organizations can follow these recommendations to mitigate threats associated with this threat:             

Strengthen user awareness & execution safeguards 

• Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts common across macOS stealer campaigns such as DigitStealer, MacSync, and AMOS. 

• Discourage installation of unsigned DMGs or unofficial “terminal‑fix” utilities; reinforce safe‑download practices for consumer and enterprise macOS systems. 

Harden macOS environments against native tool abuse 

• Monitor for suspicious Terminal activity—especially execution flows involving curl, Base64 decoding, gunzip, osascript, or JXA invocation, which appear across all three macOS stealers. 

• Detect patterns of fileless execution, such as in‑memory pipelines using curl | base64 -d | gunzip, or AppleScript‑driven system discovery and credential harvesting. 

• Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data. 

Control outbound traffic & staging behavior 

• Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for DigitStealer, MacSync, AMOS, and Python‑based stealer campaigns. 

• Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts. 

• Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. 

Protect against Python-based stealers & cross-platform payloads 

• Harden endpoint defenses around LOLBIN abuse, such as certutil.exe decoding malicious payloads. 

• Evaluate activity involving AutoIt and process hollowing, common in platform‑abuse campaigns. 

Microsoft also recommends the following mitigations to reduce the impact of this threat: 

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. 

• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 

• Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats. 

• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. 

• Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 

• Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. 

• Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors: 
  • Block execution of potentially obfuscated scripts 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Block JavaScript or VBScript from launching downloaded executable content 

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.  

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. 

Microsoft Defender XDR Threat analytics   

• From ClickFix to code signed: the quiet shift of MacSync Stealer malware
• Malicious Crystal PDF installer campaign

Hunting queries   

Microsoft Defender XDR  

Microsoft Defender XDR customers can run the following queries to find related activity in their networks: 

Use the following queries to identify activity related to DigitStealer 

// Identify suspicious DynamicLake disk image (.dmg) mounting 
DeviceProcessEvents 
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev' , '-o quarantine') 
| where ProcessCommandLine contains '/Volumes/Install DynamicLake' 

 
// Identify data exfiltration to DigitStealer C2 API endpoints. 
DeviceProcessEvents 
| where InitiatingProcessFileName has_any ('bash', 'sh') 
| where ProcessCommandLine has_all ('curl', '--retry 10') 
| where ProcessCommandLine contains 'hwid=' 
| where ProcessCommandLine endswith "api/credentials" 
        or ProcessCommandLine endswith "api/grabber" 
        or ProcessCommandLine endswith "api/log" 
| extend APIEndpoint = extract(@"/api/([^\s]+)", 1, ProcessCommandLine) 

Use the following queries to identify activity related to MacSync

// Identify exfiltration of staged data via curl 
DeviceProcessEvents 
| where InitiatingProcessFileName =~ "zsh" and FileName =~ "curl" 
| where ProcessCommandLine has_all ("curl -k -X POST -H", "api-key: ", "--max-time", "-F file=@/tmp/", ".zip", "-F buildtxd=") 

Use the following queries to identify activity related to Atomic Stealer (AMOS)

// Identify suspicious AlliAi disk image (.dmg) mounting  
DeviceProcessEvents  
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')  
| where ProcessCommandLine contains '/Volumes/ALLI' 

Use the following queries to identify activity related to PXA Stealer: Campaign 1

// Identify activity initiated by renamed python binary 
DeviceProcessEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

// Identify network connections initiated by renamed python binary 
DeviceNetworkEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

Use the following queries to identify activity related to PXA Stealer: Campaign 2

// Identify malicious Process Execution activity 
DeviceProcessEvents 
 | where ProcessCommandLine  has_all ("-y","x",@"C:","Users","Public", ".pdf") and ProcessCommandLine  has_any (".jpg",".png") 

// Identify suspicious process injection activity 
DeviceProcessEvents 
 | where FileName == "cvtres.exe" 
 | where InitiatingProcessFileName has "svchost.exe" 
 | where InitiatingProcessFolderPath !contains "system32" 

Use the following queries to identify activity related to WhatsApp Abused to Deliver Eternidade Stealer

// Identify the files dropped from the malicious VBS execution 
DeviceFileEvents 
| where InitiatingProcessCommandLine has_all ("Downloads",".vbs") 
| where FileName has_any (".zip",".lnk",".bat") and FolderPath has_all ("\\Temp\\") 

// Identify batch script launching powershell instances to drop payloads 
DeviceProcessEvents 
| where InitiatingProcessParentFileName == "wscript.exe" and InitiatingProcessCommandLine  has_any ("instalar.bat","python_install.bat") 
| where ProcessCommandLine !has "conhost.exe" 
 
// Identify AutoIT executable invoking malicious AutoIT script 
DeviceProcessEvents 
| where InitiatingProcessCommandLine   has ".log" and InitiatingProcessVersionInfoOriginalFileName == "Autoit3.exe" 

Use the following queries to identify activity related to Malicious CrystalPDF Installer Campaign

// Identify network connections to C2 domains 
DeviceNetworkEvents 
| where InitiatingProcessVersionInfoOriginalFileName == "CrystalPDF.exe" 

// Identify scheduled task persistence 
DeviceEvents 
| where InitiatingProcessVersionInfoProductName == "CrystalPDF" 
| where ActionType == "ScheduledTaskCreated 

Indicators of compromise 

Microsoft Sentinel  

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.   

References  

• MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware — Jamf Threat Labs  
• Infostealers Strike Again: Malicious Installers Pass Through EDRs Undetected 
• SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp 
• A Vietnamese threat actor’s shift from PXA Stealer to PureRAT | Huntress 
• Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | SentinelOne 
• Information-Stealing Malware Distribution Campaign Using Emails Disguised as Copyright Infringement Notices – wizSafe Security Signal -Guideposts to Safety and Security- IIJ 

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  

Learn more about securing Copilot Studio agents with Microsoft Defender 

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn  

Explore how to build and customize agents with Copilot Studio Agent Builder