Fake apps, familiar links, and traps targeting macOS users
A wave of attack campaigns targeting macOS users continues to rise, aiming to steal sensitive data from users worldwide.

Overview
In recent years, macOS has often been seen as a platform less targeted by malware, largely due to Apple's strict security architecture and closed ecosystem. That picture is changing rapidly. Recent research from Microsoft Defender Security Research shows a new wave of infostealers actively targeting macOS users, with broad reach and increasingly practical techniques.
Instead of exploiting complex zero-day vulnerabilities, these campaigns focus on social engineering, fake applications, and abusing familiar platforms like WhatsApp to spread malware. Infostealers are developed using cross-platform languages like Python, allowing attackers to easily deploy the same attack model across multiple operating systems, from Windows to macOS.
The goal of these campaigns is not just to steal passwords but also to target session cookies, authentication tokens, cryptocurrency wallet information, and browser data, which can lead to account takeover without needing to know the password. This makes infostealers a particularly dangerous threat as users increasingly rely on cloud services and single sign-on (SSO).
Main Impact
Loss of account control without password exposure
High financial and cryptocurrency risk
Opens the door for further attacks
Increased risk of spreading among user communities
Significant challenge for detection and response
Campaign Details

As mentioned earlier, attackers run this campaign on social engineering, using two main distribution channels in parallel:
Fake websites & malicious ads
Attackers have exploited Google Ads and SEO poisoning to push fake websites offering PDF tools, AI applications, or utility software for macOS to the top of search results.
Users are then tricked into downloading malicious .dmg files.

Spread through WhatsApp (Trusted Channel Abuse)
This channel requires the attacker to control a WhatsApp account, either one they have taken over or one bought on forums that trade stolen credentials.
Once they have access, they send malicious links or ZIP/DMG files to every contact, wrapped in urgent or familiar-sounding messages. This is the amplification point of the campaign: the malware spreads quickly through trusted social connections.
Right after downloading the malicious .dmg file to the workstation, users are instructed to:
Open the DMG and run the fake installer.
Or copy and paste commands into Terminal (the ClickFix technique).
The clever part of this stage is that no exploit is involved: everything runs through the user's own actions, since the user grants execution permission themselves.

After the user opens the fake application (dragged from the DMG into /Applications), the application is typically one of:
A fake .app bundle containing a Python script or shell script.
A thin wrapper binary whose only job is to call the malicious script.
At this point the user actively clicks Open, unintentionally bypassing Gatekeeper. Immediately after launch, the malware hands off to one of the following to continue the infection:
python3 or pythonw.
/bin/bash or /bin/zsh.
AppleScript (osascript).
The main payload is usually:
Embedded in the app bundle (base64 / AES-encrypted)
Or dynamically loaded from C2/CDN (GitHub, Discord CDN, Cloudflare R2…)

After the loader decrypts the payload, it writes it to one of these temporary directories:
/tmp/
~/Library/Application Support/
~/Library/Caches/
Its first task is to profile the victim's environment (macOS version, available permissions) before continuing with further steps. The malware also checks whether it is running in a VM or sandbox.
If it detects an analysis environment:
The payload exits on its own
Or runs in "clean mode" (does not steal)
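Detection logic for the execution chain described above (an app bundle's main executable handing off to python3/pythonw/bash/zsh/osascript with a script staged in /tmp or ~/Library), as an added example that is not code from the original post. The process events are constructed here; the field names pid, ppid, path and args are an assumption about what an EDR or endpoint-security collector on macOS would provide.

```python
"""Detection logic for the execution chain described above: an app bundle's main
executable handing off to python3/pythonw/bash/zsh/osascript with a script staged in
/tmp or ~/Library. Added example, not from the original post; the process events are
constructed here, with fields (pid, ppid, path, args) assumed to be what an EDR or
endpoint-security collector on macOS would provide."""
import re
from pathlib import PurePosixPath

INTERPRETERS = {"python3", "pythonw", "bash", "zsh", "sh", "osascript"}
# Staging locations named in the write-up; "~" covers un-expanded paths in argv.
STAGING_DIRS = re.compile(
    r"^(?:/(?:private/)?tmp/|(?:~|/Users/[^/]+)/Library/(?:Application Support|Caches)/)")

def detect_chain(events: list[dict]) -> list[dict]:
    """Return interpreter launches whose parent is an .app main executable and whose
    argv points at a staging directory or carries an inline script (-c / -e)."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or ".app/Contents/MacOS/" not in parent["path"]:
            continue  # not launched from inside an app bundle
        if PurePosixPath(e["path"]).name not in INTERPRETERS:
            continue  # not one of the interpreters the chain hands off to
        argv = e["args"][1:]
        staged = [a for a in argv if STAGING_DIRS.match(a)]
        inline = any(a in ("-c", "-e") for a in argv)
        if staged or inline:
            alerts.append({"pid": e["pid"], "parent": parent["path"], "interp": e["path"],
                           "reason": f"staged script {staged[0]}" if staged else "inline script"})
    return alerts

# Constructed events: a fake PDF tool dropping a Python loader into /tmp and popping an
# AppleScript dialog, next to a benign app running a script from its own bundle.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "path": "/Applications/PDFTool.app/Contents/MacOS/PDFTool", "args": ["PDFTool"]},
    {"pid": 101, "ppid": 100, "path": "/usr/bin/python3", "args": ["python3", "/tmp/.x/loader.py"]},
    {"pid": 102, "ppid": 100, "path": "/usr/bin/osascript", "args": ["osascript", "-e", "display dialog \"Installing\""]},
    {"pid": 200, "ppid": 1, "path": "/Applications/Editor.app/Contents/MacOS/Editor", "args": ["Editor"]},
    {"pid": 201, "ppid": 200, "path": "/bin/zsh", "args": ["zsh", "/Applications/Editor.app/Contents/Resources/setup.sh"]},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

A shell that Terminal.app spawns with -c also matches, which is exactly the ClickFix path from the previous section; tune the parent filter to your environment's baseline.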
Once the checks pass, the infostealer begins collecting high-value data, above all session tokens, which allow account takeover without the password and without having to defeat MFA:
macOS Keychain.
Browser cookies & session tokens.
Saved passwords.
Crypto wallets & related extensions.
System information (HWID, OS version).

Once the data is compressed and encrypted, it is sent back to the C2 server over common channels: an HTTPS request, typically a curl POST.

Post-exploitation follows. With the victim's sensitive information, the attacker may sell it on the dark web or use it to take over email accounts for phishing, and the victim's WhatsApp account can be reused to spread the malware further.
The victim's machine can also be used to install an additional RAT, turning the workstation into a stepping stone for long-running campaigns.
Conclusion
This "infostealer without borders" campaign clearly shows that macOS is no longer outside the realm of cybercrime. Instead of exploiting complex technical vulnerabilities, attackers are choosing a more effective path: exploiting user trust, familiar platforms like WhatsApp, and seemingly "harmless" applications.
The concern is not the sophistication of the malware, but that many successful attacks only require one wrong click. When an infostealer can steal login sessions, cookies, and access keys, the line between a "personal computer" and "important digital assets" almost disappears.
Recommendations
CHANGE USER HABITS
Do not install apps from links sent via WhatsApp / Telegram / Messenger
Do not run Terminal commands "as instructed by websites"
Do not disable Gatekeeper / SIP just to install software
Do not trust Google Ads for free software
Quick check before installing software (macOS)
Check the app signature:
codesign -dv --verbose=4 /path/to/App.app
Be cautious if:
There is no Developer ID
The Developer ID is unfamiliar / newly created
The app requests unreasonable permissions
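A pre-install triage script built on the check above, as an added example that is not code from the original post. It parses the report that codesign -dv --verbose=4 prints (on stderr) to flag a missing Developer ID, and inspects the bundle's main executable for the script-wrapper pattern from the campaign details; the sample report and executable are constructed, and the triage_bundle helper is hypothetical glue that only works on a real Mac.

```python
"""Pre-install triage for a macOS .app bundle. Added example, not code from the original
post: it parses the `codesign -dv --verbose=4` report the post recommends (codesign
prints it on stderr) and inspects the main executable for the script-wrapper pattern."""
import re
import subprocess
from pathlib import Path

INTERPRETERS = ("python3", "pythonw", "/bin/bash", "/bin/zsh", "osascript")
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",  # thin Mach-O
               b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")  # 64-bit LE and fat/universal

def assess_codesign_output(text: str) -> list[str]:
    """Findings from codesign's verbose report; an empty list means no red flags."""
    if "code object is not signed at all" in text:
        return ["unsigned: no code signature"]
    findings = []
    if re.search(r"^Signature=adhoc$", text, re.M):
        findings.append("ad-hoc signature: no identity behind it")
    authorities = re.findall(r"^Authority=(.+)$", text, re.M)
    if not any(a.startswith("Developer ID Application:") for a in authorities):
        findings.append("no Developer ID Application certificate in chain")
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    if team is None or team.group(1).strip() == "not set":
        findings.append("TeamIdentifier not set")
    return findings

def inspect_main_executable(data: bytes) -> list[str]:
    """Flag an executable that is a script or hands off to an interpreter."""
    findings = []
    if not data.startswith(MACHO_MAGIC):
        findings.append("main executable is not a Mach-O binary")
    head = data[:4096].decode("utf-8", "ignore")
    if head.startswith("#!"):
        findings.append("shebang script: " + head.splitlines()[0])
    findings += [f"references interpreter {i}" for i in INTERPRETERS if i in head]
    return findings

def triage_bundle(app: Path) -> list[str]:
    """Hypothetical glue: run both checks on a real bundle (needs macOS for codesign)."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", str(app)],
                          capture_output=True, text=True)
    findings = assess_codesign_output(proc.stderr)
    for exe in (p for p in (app / "Contents" / "MacOS").iterdir() if p.is_file()):
        findings += [f"{exe.name}: {f}" for f in inspect_main_executable(exe.read_bytes())]
    return findings

# Constructed sample: an ad-hoc signed app whose "binary" is really a zsh script.
SAMPLE_CODESIGN = "Executable=/Applications/PDFTool.app/Contents/MacOS/PDFTool\nSignature=adhoc\nTeamIdentifier=not set\n"
SAMPLE_EXECUTABLE = b"#!/bin/zsh\nosascript -e 'display dialog \"Installing...\"'\n"
```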
PROTECT ACCOUNTS & IMPORTANT DATA
Enable MFA for all accounts:
Email
Apple ID
Crypto wallets / exchanges
Use a password manager (1Password, Bitwarden…)
For browsers
Clear cookies regularly
Do not install extensions from unknown sources
Check if extensions have "all sites" access → remove immediately if suspicious
PREVENT SPREAD THROUGH WHATSAPP
Turn off auto-download for files
Verify through another channel (direct call)
IOCs