Apple macOS Users Beware: Rising Infostealer Attacks Can Skim Off Your Passwords, Cause Monetary Loss
Infostealers accounted for the largest group of new macOS malware in 2024, with detections spiking by more than 100% from the third to the fourth quarter of 2024. They cause data breaches, monetary losses, and other harm.

A growing number of infostealer attacks targeting macOS users has recently been identified. These attacks can exfiltrate sensitive credentials, financial records and intellectual property, leading to data breaches, financial losses and reputational damage.
The attacks, analyzed by cybersecurity company Palo Alto Networks, involve three particularly prevalent macOS infostealers: Poseidon, Atomic and Cthulhu.
100% Increase In macOS Infostealers
According to a recent review of these attacks, infostealers accounted for the largest group of new macOS malware in 2024. From the third to the fourth quarter of 2024, Palo Alto Networks detected a spike of more than 100% in macOS infostealers.
Because their capabilities are narrower than those of, say, remote access Trojans, infostealers are sometimes treated as a lesser threat. However, they steal passwords, intellectual property and financial details, including payment card numbers, bank account information and cryptocurrency wallets. Infostealers frequently cause data breaches, monetary losses and reputational harm, and the credentials they harvest provide initial access for follow-on attacks such as ransomware deployment.
How Infostealers Are Targeting macOS
Atomic Stealer: The operators of Atomic Stealer typically spread the malware through malvertising. Once running, it steals notes from the macOS Notes app, documents, browser data (saved passwords and cookies), cryptocurrency wallets, and instant-messaging data (e.g., Discord, Telegram). In one case, the infostealer, disguised as a legitimate installer, attempted to access Google Chrome login credentials.
Poseidon Stealer: Poseidon Stealer operators usually spread the malware through malicious spam emails and Google advertisements. The malicious installer contains an encoded AppleScript file, which is decoded and then run. The script gathers system information and steals browser passwords and cookies, cryptocurrency wallets, user credentials and notes, and also collects Telegram data.
Cthulhu Stealer: Cthulhu Stealer presents a fake dialog box claiming a system update is needed, asking the user for their password and then for a MetaMask (software cryptocurrency wallet) password as well. It targets browser data from Google Chrome, Microsoft Edge and Firefox, cryptocurrency wallets, FileZilla configuration files, Telegram data, Notes, Keychain and browser Safe Storage passwords (the Keychain items that protect saved browser logins), and files with extensions such as .png, .jpeg, .doc and .pdf.
How Can macOS Users Stay Protected From Infostealer Attacks
According to Palo Alto Networks, infostealers are a critical threat because, beyond the direct theft they accomplish, they can serve as a gateway for further malicious activity. An infostealer compromise, for instance, might eventually lead to the deployment of ransomware.
The company added that detecting and blocking these threats is made easier with macOS-specific detection modules. Such modules identify the techniques infostealers use to acquire sensitive credentials, as well as malicious uses of AppleScript, and so help protect against these attacks.
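The three stealer descriptions above and the detection advice here share a small set of observable behaviours: an AppleScript password prompt posing as a system update, an encoded AppleScript that is decoded and piped into osascript, and a process started by osascript that reads browser, Notes, Keychain, FileZilla, Telegram or wallet files. The following script is an added example, not Palo Alto Networks' detection module and not code from any of the malware families; it runs three such rules over constructed process-execution events. The event tuple format, the regular expressions and the choice of sensitive paths are assumptions for illustration (the paths are the standard macOS locations of the files the article lists).

```python
import re

# Constructed sample process-execution events (not real telemetry). Each
# tuple is (parent process name, child command line). The shapes follow the
# behaviours the article attributes to Atomic, Poseidon and Cthulhu; the
# exact strings are assumptions made for this example.
SAMPLE_EVENTS = [
    # Fake "system update" password prompt built with AppleScript
    ("Installer", "osascript -e 'display dialog \"macOS needs to update. "
                  "Enter your password:\" default answer \"\" with hidden answer'"),
    # Encoded AppleScript decoded and executed (payload decodes to a harmless dialog)
    ("Installer", "sh -c 'echo ZGlzcGxheSBkaWFsb2cgImhpIg== | base64 -d | osascript'"),
    # Child of osascript copying the Chrome saved-password database
    ("osascript", "cp '/Users/alice/Library/Application Support/Google/Chrome/"
                  "Default/Login Data' /tmp/out/"),
    # Child of osascript copying FileZilla's saved-site configuration
    ("osascript", "cp /Users/alice/.config/filezilla/sitemanager.xml /tmp/out/"),
    # Benign AppleScript: a plain notification, no hidden answer, no decoding
    ("Terminal", "osascript -e 'tell application \"Finder\" to display dialog \"Backup finished\"'"),
    ("Terminal", "ls -la /Users/alice/Documents"),
]

# Standard macOS locations of the stores the article lists as stealer targets.
# Matched as case-insensitive substrings of the command line.
SENSITIVE_PATHS = [
    "Google/Chrome/Default/Login Data",
    "Google/Chrome/Default/Cookies",
    "Microsoft Edge/Default/Login Data",
    "Firefox/Profiles",               # logins.json, cookies.sqlite
    "group.com.apple.notes",          # NoteStore.sqlite (Notes app)
    "Keychains/login.keychain-db",
    ".config/filezilla",              # sitemanager.xml, recentservers.xml
    "Telegram Desktop/tdata",
    "Exodus/exodus.wallet",
    ".electrum/wallets",
]

RE_OSASCRIPT = re.compile(r"\bosascript\b")
# "with hidden answer" is the AppleScript clause that masks typed input,
# i.e. the building block of a fake password prompt.
RE_HIDDEN_PROMPT = re.compile(r"display dialog.*with hidden answer", re.I | re.S)
# base64 decoding in the same command line as osascript
RE_B64_DECODE = re.compile(r"\bbase64\b[^|]*(-d|-D|--decode)\b")


def classify_event(parent, cmdline):
    """Return the rule names a single event trips (empty list = nothing suspicious)."""
    hits = []
    has_osascript = bool(RE_OSASCRIPT.search(cmdline))
    if has_osascript and RE_HIDDEN_PROMPT.search(cmdline):
        hits.append("applescript_password_prompt")
    if has_osascript and RE_B64_DECODE.search(cmdline):
        hits.append("encoded_applescript_executed")
    lowered = cmdline.lower()
    touched = [p for p in SENSITIVE_PATHS if p.lower() in lowered]
    if touched:
        hits.append("sensitive_store_access:" + ",".join(touched))
        # Credential-store reads spawned by AppleScript are a stronger signal
        # than the same read from an interactive shell.
        if parent == "osascript":
            hits.append("store_access_from_applescript")
    return hits


def scan(events):
    """Return (index, hits) for every event that trips at least one rule."""
    results = []
    for i, (parent, cmd) in enumerate(events):
        hits = classify_event(parent, cmd)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        parent, cmd = SAMPLE_EVENTS[idx]
        print(f"[{idx}] parent={parent} rules={hits}\n    {cmd}")
```

In practice the events would come from an EDR, Endpoint Security framework client or `log show` output rather than an inline list, and the parent-process rule is the one worth keeping strict: a user can legitimately run osascript to show a dialog, but an osascript-spawned process copying the Chrome Login Data or FileZilla configuration is rarely anything but theft.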
