A sweeping new analysis by the Microsoft Defender Security Research Team reveals a rapid evolution in the world of information stealers. These digital pickpockets are no longer just targeting PC users; they are aggressively expanding into the macOS ecosystem, weaponizing cross-platform languages like Python, and hiding inside tools as mundane as PDF editors and messaging apps.
The researchers note, “Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale”.
For years, macOS users enjoyed a reputation for relative safety. That sanctuary is now being besieged. Since late 2025, Microsoft has tracked a surge in campaigns specifically designed to crack the Apple ecosystem.
Attackers are using “ClickFix” social engineering tactics and fake installers to deploy specialized malware like DigitStealer, MacSync, and the notorious Atomic macOS Stealer (AMOS).
These aren’t lazy ports of Windows viruses; they are native threats. The report highlights that “These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, secrets from browsers, keychains, and developer environments”. By “living off the land,” attackers can drain a user’s digital life without triggering traditional alarms.
One of the most insidious campaigns detailed in the report involves a fake application called Crystal PDF. Masquerading as a helpful productivity tool, this malware lured victims in September 2025 through “malvertising” and SEO poisoning on Google Ads.
Once installed, the trap snaps shut. “When executed, CrystalPDF.exe establishes persistence via scheduled tasks and functions as an information stealer, covertly hijacking Firefox and Chrome browsers to access sensitive files in AppData\Roaming,” the report explains.
The malware ruthlessly targets cookies, session data, and credential caches, turning a user’s browser history into an open book for hackers.
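The persistence and browser-store access described for CrystalPDF.exe are exactly the behaviours endpoint telemetry can surface. The following detection sketch is an added example, not code from the Microsoft report or the Defender product; it assumes a constructed, pipe-separated event format and uses constructed sample events, while the Chrome and Firefox store file names are the real ones.

```python
import re
from collections import defaultdict

# Constructed event format for this example (an assumption, not a real product schema):
#   <timestamp>|<event type>|<process image>|<detail>
# FileRead detail = path opened; ProcessCreate detail = command line.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe"}

# Real Chrome/Firefox credential and cookie stores under the user profile.
STORE_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Network\\Cookies)$", re.I),
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]
# schtasks /create whose task action (/tr) runs a binary from user-writable AppData.
SCHTASKS_APPDATA = re.compile(r'schtasks(\.exe)?\s+/create\b.*\s/tr\s+"?[^"]*\\AppData\\[^"]*', re.I)
TASK_TARGET = re.compile(r'/tr\s+"?([^"]+\.exe)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {process image: set of reasons} for processes showing infostealer traits."""
    findings = defaultdict(set)
    for line in events:
        _ts, kind, image, detail = line.split("|", 3)
        if kind == "FileRead":
            if basename(image) in BROWSER_PROCESSES:
                continue  # a browser reading its own stores is expected
            if any(p.search(detail) for p in STORE_PATTERNS):
                findings[image].add("reads browser credential store: " + basename(detail))
        elif kind == "ProcessCreate" and SCHTASKS_APPDATA.search(detail):
            m = TASK_TARGET.search(detail)  # attribute persistence to the binary the task runs
            findings[m.group(1) if m else image].add("scheduled-task persistence via schtasks /create")
    return dict(findings)


# Constructed sample telemetry: one stealer-like process plus a benign Firefox read.
SAMPLE_EVENTS = [
    '2025-09-12T10:01:02|ProcessCreate|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\\Users\\alice\\AppData\\Roaming\\CrystalPDF\\CrystalPDF.exe"',
    "2025-09-12T10:01:05|FileRead|C:\\Users\\alice\\AppData\\Roaming\\CrystalPDF\\CrystalPDF.exe|"
    "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json",
    "2025-09-12T10:01:06|FileRead|C:\\Users\\alice\\AppData\\Roaming\\CrystalPDF\\CrystalPDF.exe|"
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2025-09-12T10:02:00|FileRead|C:\\Program Files\\Mozilla Firefox\\firefox.exe|"
    "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\cookies.sqlite",
]
```

Running `analyze(SAMPLE_EVENTS)` attributes both the scheduled-task persistence and the two credential-store reads to the same binary, while the browser's own read of its cookie database is ignored.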
Perhaps the most creative, and destructive, threat identified is the Eternidade Stealer. This Delphi-based malware acts like a digital parasite, spreading through a worm-like infection chain that starts with an obfuscated Visual Basic script.
But its delivery mechanism is what stands out: it weaponizes WhatsApp.
The malware includes a Python script that “leverages WPPConnect to automate message sending from hijacked WhatsApp accounts, harvests the victim’s contact list, and sends malicious attachments to all contacts using predefined messaging templates”.
Once it lands on a new victim’s machine, Eternidade begins its real work: watching. It “continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges,” waiting for the user to log into sites like Binance, Coinbase, or Stripe before striking.
As the threat landscape shifts, the researchers warn that attackers are now able to “target heterogeneous environments with minimal overhead,” making every device, regardless of OS, a potential target.