Infostealers Targeting macOS Users in Active Campaigns to Steal Sensitive Data


macOS infostealers are becoming a powerful and underappreciated method of data exfiltration in a world where Windows-centric threats predominate. They act as precursors to ransomware deployments and significant breaches.

These malware variants, often distributed via Malware-as-a-Service (MaaS) models, meticulously harvest sensitive host data, including installed applications, browser-stored credentials, session cookies, and autofill details.

This pilfered information frequently acts as an initial access broker’s commodity, facilitating deeper network compromises or resale to ransomware affiliates.

The Rapid Evolution of macOS-Targeted Infostealers

Recent analyses from Flashpoint’s intelligence team, including Vice President Keisha Hoyt and Senior Hunt Analyst Paul Daubman, reveal a burgeoning ecosystem where strains like Atomic Stealer dominate due to their frequent updates and MaaS accessibility.

Closely related is Poseidon Stealer, which persists after the sale of its source code and draws on a development lineage from Atomic’s former creators.

Other notables include Cthulhu Stealer, another MaaS staple often bundled in campaigns, and Banshee Stealer, an ...


Copyright of this story solely belongs to gbhackers.