
Advanced macOS DigitStealer Uses Multi-Stage Attack Chain to Evade Detection


By Mayura Kathir

Jamf Threat Labs has identified a new family of macOS information stealers tracked as DigitStealer, which represents a significant evolution in macOS-targeted malware.

Unlike traditional infostealers that follow a linear execution path, DigitStealer introduces a multi-stage attack chain, extensive anti-analysis checks, and novel persistence mechanisms, demonstrating the threat actors' deep understanding of macOS internals.

The DigitStealer campaign begins with an application disguised as DynamicLake, a legitimate macOS utility.

The malicious payload is distributed as an unsigned disk image named "DynamicLake.dmg", hosted on the look-alike domain dynamiclake[.]org. The article lists its hash as SHA-256: 5c73987e642b8f8067c2f2b92af9fd923c25b2ec. Note that this value is 40 hex characters, the length of a SHA-1 digest rather than a SHA-256 digest (64 hex characters), so check which algorithm your threat-intel platform expects before searching on it.

Malware installer.

Unlike the legitimate version, which is signed with Developer Team ID XT766AV9R9, this variant carries no valid code signature and had zero detections on VirusTotal at the time of analysis.

The disk image relies on the drag-to-terminal technique to bypass Gatekeeper and gain initial code execution: the user is instructed to drag a file from the mounted image into a Terminal window and press Return, which executes it from the user's shell instead of through the Finder launch path that Gatekeeper guards.
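As an added example (not code from Jamf Threat Labs or the gbhackers article), the bash helper below performs the checks the two preceding paragraphs imply before a downloaded DynamicLake.dmg is opened: it records the image's SHA-256 (and flags an IOC whose length does not match its label), mounts the image read-only, rejects any app bundle whose Team ID is not XT766AV9R9 or that codesign reports as unsigned, and lists loose files that a drag-to-terminal lure would point at. The expected Team ID comes from the article; the sample codesign output embedded in the script is constructed for illustration, and the codesign, spctl and hdiutil calls only run on macOS.

```shell
#!/bin/bash
# Added verification helper, not code from Jamf Threat Labs or the gbhackers
# write-up. Assumptions: XT766AV9R9 is the legitimate DynamicLake Team ID as
# stated in the article; SAMPLE_SIGNED/SAMPLE_UNSIGNED below are constructed
# codesign output, not captured from the real binaries.

EXPECTED_TEAM_ID="XT766AV9R9"

# Classify a hex digest by its length so a mislabelled IOC is noticed before it
# is pasted into a threat-intel search: 32 hex chars is MD5, 40 is SHA-1, 64 is SHA-256.
hash_kind() {
    local h
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        ''|*[!0-9a-f]*) echo "invalid"; return 1 ;;
    esac
    case ${#h} in
        32) echo "md5" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "invalid"; return 1 ;;
    esac
}

# Read `codesign -dv --verbose=4 <app> 2>&1` on stdin and print the TeamIdentifier.
# Prints "unsigned" for an unsigned bundle and "adhoc" when codesign reports "not set".
team_id_from_codesign() {
    local out tid
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
        echo "unsigned"; return 0
    fi
    tid=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$tid" in
        '')        echo "unsigned" ;;
        'not set') echo "adhoc" ;;
        *)         echo "$tid" ;;
    esac
}

# Verdict on codesign output read from stdin: "ok" only when the Team ID matches
# the expected developer; any other outcome is a reason not to run the image.
assess_signature() {
    local expected=$1 found
    found=$(team_id_from_codesign)
    case "$found" in
        "$expected")    echo "ok" ;;
        unsigned|adhoc) echo "reject: $found"; return 1 ;;
        *)              echo "reject: team id $found"; return 1 ;;
    esac
}

# Constructed codesign output for the two cases (illustration only).
SAMPLE_SIGNED='Executable=/Volumes/DynamicLake/DynamicLake.app/Contents/MacOS/DynamicLake
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=XT766AV9R9'
SAMPLE_UNSIGNED='/Volumes/DynamicLake/DynamicLake.app: code object is not signed at all'

# Live use on macOS: verify_dmg ~/Downloads/DynamicLake.dmg
verify_dmg() {
    local dmg=$1 mnt app
    echo "$(basename "$dmg") sha256: $(shasum -a 256 "$dmg" | cut -d' ' -f1)"
    # hdiutil prints tab-separated "device<TAB>fs<TAB>/Volumes/<name>" lines; take the mount point.
    mnt=$(hdiutil attach -nobrowse -readonly "$dmg" | awk -F'\t' '/\/Volumes\//{print $NF; exit}')
    for app in "$mnt"/*.app; do
        echo "== $app"
        codesign -dv --verbose=4 "$app" 2>&1 | assess_signature "$EXPECTED_TEAM_ID"
        spctl --assess --type execute -vv "$app" 2>&1     # Gatekeeper's own verdict
    done
    # A script the DMG tells you to drag into Terminal is not an app bundle and is
    # never assessed by the launch-path check above; list such files so they stand out.
    find "$mnt" -maxdepth 1 -type f ! -name '.*' -exec echo "loose file: {}" \;
    hdiutil detach "$mnt" >/dev/null
}
```

The spctl line reports what Gatekeeper would decide for the app bundle's normal launch path; it says nothing about a loose file the image asks the user to drop into Terminal, which is why the helper lists those separately. Treat any verdict other than "ok" for the bundle, or any unexpected loose file, as grounds to discard the image.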

Notably, the embedded dropper file uses a “.msi” extension typically associated with ...


Copyright of this story belongs to gbhackers; the full text is available on their site.