
macOS Malware Surge Signals New Infostealer Arms Race

Once dismissed as a niche threat, macOS infostealers are becoming a core pillar of the cybercrime economy—and a growing liability for enterprises still treating Apple environments as second-class citizens.


Long relegated to the cybersecurity sidelines, macOS has officially entered the crosshairs of information-stealing malware—and it’s doing so at full throttle. Once dominated by Windows-based payloads, the infostealer market is undergoing a quiet but forceful expansion into Apple territory, Flashpoint analysts revealed in a recent threat intelligence webinar.


“This isn’t just a ripple,” said Keisha Hoyt, Vice President of Intelligence at Flashpoint. “We’re seeing a legitimate surge in sophisticated, purpose-built macOS infostealers that rival early Windows malware in design and execution.”


Hoyt and Flashpoint’s Senior Hunt Analyst Paul Daubman pulled back the curtain on a rapidly evolving ecosystem of macOS malware that’s not just piggybacking on the success of its Windows-based predecessors—but innovating.


The Rise of Apple-Focused Infostealers


Today’s macOS infostealers don’t just scrape local data; they hijack browser-stored credentials, autofill details, cookies, and system metadata—key footholds for follow-on attacks like account takeovers and ransomware. Notably, many of these tools are now sold as Malware-as-a-Service (MaaS), making them more accessible to low-skill threat actors.


Leading the charge is Atomic Stealer, a modular MaaS tool that’s become the de facto choice for adversaries targeting macOS endpoints. Closely following are Poseidon, whose lineage ties back to Atomic’s original developer, and Cthulhu, another subscription-based stealer gaining momentum in darknet markets. Banshee, a separate project, adds even more depth to an increasingly fractured—but potent—market.


Daubman noted the alarming speed of their technical evolution: “They’re leveraging AppleScript to create fake system prompts, dumping device profiles with system profiler commands, compressing exfiltrated data, and shipping it off via HTTP. It’s crude compared to mature Windows stealers, but it’s getting better—fast.”


Reverse Engineering: The Frontline of Infostealer Defense


To keep pace with this malware boom, defenders need to go deeper than endpoint detection—they need dissection. Flashpoint emphasized that reverse engineering is a critical weapon in this fight, allowing researchers to decode binary samples into understandable pseudocode and isolate unique identifiers that map attacker infrastructure.


“We’re not just finding malware—we’re fingerprinting the ecosystem,” Hoyt said.


Flashpoint’s threat team detailed their methodology for tracking variants of Poseidon, showing how build IDs, UUIDs, usernames, and even C2 URLs—sometimes hidden in layers of Base32, custom Base64 alphabets, or manual obfuscation—can be extracted, indexed, and operationalized at scale.
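The decode-and-index step described above, as an added example that is not Flashpoint's tooling: a Python routine that peels stacked Base32 and custom-alphabet Base64 layers off a configuration string and then pulls out URLs, UUIDs and build IDs for indexing. Everything sample-specific is constructed for the illustration: the shuffled Base64 alphabet (an analyst would recover the real one from the sample's decode routine), the config text, the UUID, the build ID and the `.invalid` C2 URL; the `build=` / UUID / URL regexes are assumptions about a typical config layout, not any family's real format.

```python
"""Peel stacked string encodings off a stealer config and pull out indicators.
Added illustration, not Flashpoint's tooling: the alphabet, config, UUID, build
ID and URL below are constructed; only the Base32/Base64 codecs are standard."""
import base64
import re
import string

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical custom table (reversed letters and digits, URL-safe symbols)
# standing in for a stealer's shuffled alphabet.
CUSTOM_B64 = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_"

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s;\"']*)?")
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
BUILD_RE = re.compile(r"\bbuild(?:_id)?=([A-Za-z0-9_\-]+)")


def b64_custom_decode(data: str, alphabet: str) -> bytes:
    """Map a custom alphabet back onto the standard one, re-pad, decode strictly."""
    std = data.translate(str.maketrans(alphabet, STD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)  # any foreign character -> error


def b32_decode(data: str) -> bytes:
    """Decode Base32 whose '=' padding the sample may have stripped."""
    return base64.b32decode(data + "=" * (-len(data) % 8))


def peel_layers(encoded: str, alphabet: str, max_depth: int = 4) -> str:
    """Strip encoding layers until no decoder yields printable text."""
    current = encoded
    for _ in range(max_depth):
        decoded = None
        for decoder in (lambda s: b64_custom_decode(s, alphabet), b32_decode):
            try:
                candidate = decoder(current).decode("utf-8")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue
            if candidate.isprintable():
                decoded = candidate
                break
        if decoded is None:
            return current
        current = decoded
    return current


def extract_indicators(text: str) -> dict:
    """Pull C2 URLs, UUIDs and build IDs out of decoded config text."""
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "uuids": sorted(set(UUID_RE.findall(text))),
        "build_ids": sorted(set(BUILD_RE.findall(text))),
    }


def analyse(blob: str, alphabet: str = CUSTOM_B64) -> dict:
    return extract_indicators(peel_layers(blob, alphabet))


# Constructed sample: config -> Base32 -> custom Base64. The encoder exists
# here only to build the test blob offline.
def b64_custom_encode(raw: bytes, alphabet: str) -> str:
    std = base64.b64encode(raw).decode().rstrip("=")
    return std.translate(str.maketrans(STD_B64, alphabet))


SAMPLE_CONFIG = ("build=demo-build-01;"
                 "uuid=00000000-1111-2222-3333-444444444444;"
                 "c2=https://c2.example.invalid/gate")
SAMPLE_BLOB = b64_custom_encode(
    base64.b32encode(SAMPLE_CONFIG.encode()).rstrip(b"="), CUSTOM_B64)

if __name__ == "__main__":
    print(peel_layers(SAMPLE_BLOB, CUSTOM_B64))
    print(analyse(SAMPLE_BLOB))
```

Two details matter in practice. Decoding with `validate=True` and stopping at the first layer that is not printable text keeps the loop from "decoding" plaintext into garbage and then treating that garbage as another layer; and the result is a plain dictionary of indicators, which is the shape that feeds an index or a detection rule rather than a one-off analyst note. Real samples vary the alphabet per build, so the alphabet is a parameter, not a constant.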


These insights are the backbone of automated detection systems, empowering SOCs to act before credentials hit Telegram channels or initial access brokers’ hands.


300 Million Credentials a Month—Parsed, Enriched, and Weaponized (For Good)


Infostealer logs are not only abundant—they’re operational gold, if you know how to read them. Flashpoint says it processes logs from more than 30 active infostealer families, parsing an average of 300 million credential sets per month, including 50 million unique and 6 million previously unseen credentials.


This real-time telemetry allows Flashpoint to offer what few threat intel shops can: reliable early warnings of compromise from infected endpoints long before ransom notes appear.


But the data itself isn’t enough, Daubman warned. “Without parsing and enrichment, it’s noise. The real power is in linking compromised credentials to specific domains and surfacing that risk to defenders before it’s exploited.”


Security Recommendations: From Reactive to Proactive


Flashpoint advocates for a two-pronged mitigation strategy. First, organizations should continuously monitor stolen credential data for their domains—especially those reused across personal and business contexts. Second, they should align that intelligence with direct alerts from Flashpoint’s dataset to identify likely breach entry points before attackers can act.
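The parsing and enrichment Daubman describes, and the first of the two recommendations (watching stolen credential data for your own domains and for reuse across personal and business contexts), as an added example that is not Flashpoint's pipeline. The URL/USER/PASS block layout is a constructed stand-in for a stealer's credential dump (real families differ), and the domains, users and passwords are placeholders; the only assumption about the organisation is a set of watched domains.

```python
"""Parse a stealer credential dump, match it against an organisation's domains and
flag password reuse between corporate and other accounts. Added illustration, not
Flashpoint's pipeline: the log layout, domains, users and passwords are constructed."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

FIELD_RE = re.compile(r"^(URL|USER|PASS):\s*(.*)$")

@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    pass_hash: str  # SHA-256 of the password; the plaintext is never kept

@dataclass
class Finding:
    kind: str  # corp-site | corp-identity | password-reuse
    user: str
    host: str
    watch_domain: str
    detail: str = ""

def parse_stealer_log(text: str) -> list:
    """Turn URL/USER/PASS triples into Credential records, hashing the password."""
    creds, record = [], {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        record[m.group(1)] = m.group(2).strip()
        if all(k in record for k in ("URL", "USER", "PASS")):
            digest = hashlib.sha256(record["PASS"].encode()).hexdigest()
            creds.append(Credential(record["URL"], record["USER"].lower(), digest))
            record = {}
    return creds

def watch_match(name: str, watchlist) -> Optional[str]:
    """Return the watched domain that `name` equals or is a subdomain of."""
    for d in sorted(watchlist):
        if name == d or name.endswith("." + d):
            return d
    return None

def triage(text: str, watchlist) -> list:
    """Enrich each credential with the watchlist, then look for reuse by hash."""
    findings, by_hash = [], defaultdict(set)  # hash -> {(user, host, watched)}
    for c in parse_stealer_log(text):
        host = (urlsplit(c.url).hostname or "").lower()
        site = watch_match(host, watchlist)
        ident = watch_match(c.user.rsplit("@", 1)[-1], watchlist) if "@" in c.user else None
        if site:
            findings.append(Finding("corp-site", c.user, host, site,
                                    "credential for a watched domain"))
        elif ident:
            findings.append(Finding("corp-identity", c.user, host, ident,
                                    "corporate identity used on an external site"))
        by_hash[c.pass_hash].add((c.user, host, site))
    for uses in by_hash.values():  # same password on a watched site and elsewhere
        corp = sorted((u for u in uses if u[2]), key=lambda u: u[:2])
        other = sorted((u for u in uses if not u[2]), key=lambda u: u[:2])
        if corp and other:
            for user, host, site in corp:
                findings.append(Finding("password-reuse", user, host, site,
                                        "also used at " + ", ".join(o[1] for o in other)))
    return findings

def summarize(findings) -> dict:
    counts = defaultdict(int)
    for f in findings:
        counts[f.kind] += 1
    return dict(counts)

# Constructed sample dump; no real site, account or password appears here.
SAMPLE_LOG = """\
URL: https://mail.example-corp.test/login
USER: alice@example-corp.test
PASS: CorpPassw0rd-demo

URL: https://shop.example-store.test/account
USER: alice@example-corp.test
PASS: CorpPassw0rd-demo

URL: https://social.example-site.test/
USER: alice.personal
PASS: another-demo-pass
"""
WATCHLIST = {"example-corp.test"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WATCHLIST):
        print(f"{f.kind:15} {f.user:26} {f.host:26} {f.detail}")
    print(summarize(triage(SAMPLE_LOG, WATCHLIST)))
```

Three findings come out of the sample: a credential for a watched host, a corporate identity used on an external shop, and the same password shared between the two. Passwords are reduced to a SHA-256 digest at parse time, so reuse is detected by comparing hashes and the plaintext never sits in the enrichment store; a production pipeline would also key reuse on the account rather than on the hash alone, since two unrelated users can pick the same weak password.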


As Apple devices grow more common in corporate environments, failing to account for their exposure could be a catastrophic blind spot.


“macOS infostealers aren’t just coming—they’re already here,” said Hoyt. “And the faster we accept that, the better positioned we’ll be to stop the next big breach before it starts.”
