Using a Mac doesn’t make you safe from infostealers, SpyCloud warns
- Marijan Hassan - Tech Journalist
- Jun 18
There’s a common myth in cybersecurity that macOS is immune to the malware plaguing Windows. However, this assumption is both outdated and dangerous. With macOS devices gaining significant market share, cybercriminals are increasingly targeting them with sophisticated "infostealer" malware designed to pilfer sensitive data.

SpyCloud, a leader in recaptured breach data, highlights several prominent macOS stealers, including Atomic macOS Stealer, Banshee Stealer, and the yet-unnamed Unidentified Eos Stealer. These threats are actively extracting credentials, browser data, cryptocurrency wallets, and system information, proving that Mac users are far from immune.
"There's still a wide misconception that malware doesn't target Macs," an email from SpyCloud stated, "but as Apple devices capture more market share, macOS malware has become increasingly worthwhile for criminals to build and deploy."
Atomic Stealer: The biggest threat
Among the most concerning is Atomic macOS Stealer, which SpyCloud has been monitoring since its appearance in 2023. The infostealer is part of a growing category of Malware-as-a-Service (MaaS). Cybercriminals can rent access to it for $500–$1000 a month, gaining powerful tools to steal sensitive data from victims without writing a single line of code.
Here’s what it targets:
- Keychain and administrator passwords
- System info and software lists
- Browser data from Chrome, Safari, Firefox, and others
- Cryptocurrency wallets like Exodus and Ledger Live
- Apple Notes and even Telegram data
- Documents and files with credentials, crypto keys, or other sensitive data
How it spreads
In their blog post, SpyCloud says most victims are tricked into installing Atomic themselves. It often hides inside cracked software downloaded from shady sites, disguised as installers with names like “CrackInstall.dmg.”
Once launched, the malware runs shell scripts using osascript - a built-in macOS tool - to perform its theft operations. It can even pop up fake password windows and error messages to fool users into handing over credentials.
Worse yet, if it detects a user has the Ledger Live crypto wallet, Atomic will try to install a backdoored version of the app, putting users' crypto assets at further risk.
Why detection is so difficult
One of the reasons Atomic Stealer is so dangerous is that it doesn’t persist on the system. After exfiltrating stolen data, it deletes itself, leaving behind minimal traces. This makes it hard for antivirus software to catch, and even harder for users to realize they were infected.
Still, SpyCloud’s telemetry shows that Atomic is far from rare. The company says it has analyzed over 33,000 unique Atomic infection logs in just the past six months.
What you can do:
- Avoid cracked software and shady download sites
- Monitor for unusual terminal behavior, especially if osascript is involved
- Block known malicious domains and pay-per-install services on managed devices
- Deploy post-infection remediation when employee credentials have been exposed
SpyCloud also urges businesses to educate employees, especially those using personal Macs for work, about the real risks macOS malware poses.
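
The advice to monitor osascript activity can be turned into a simple triage rule. The following is an added example, not code from SpyCloud or the original article: it scores process events for osascript calls that raise a password-style prompt or are launched by a program running from a mounted volume. The event format, weights, threshold and sample events are assumptions constructed for illustration.

```python
import re
import shlex

# Constructed (parent executable path, command line) events; not real telemetry.
SAMPLE_EVENTS = [
    ("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "osascript -e 'tell application \"Finder\" to get name of startup disk'"),
    ("/Volumes/CrackInstall/CrackInstall.app/Contents/MacOS/CrackInstall",
     "osascript -e 'display dialog \"Enter your password\" "
     "default answer \"\" with hidden answer'"),
    ("/bin/zsh", "osascript /Users/alice/scripts/resize_windows.scpt"),
    ("/Volumes/Installer/Setup.app/Contents/MacOS/Setup",
     "/usr/bin/osascript -e 'display dialog \"App is damaged\" buttons {\"OK\"}'"),
]

# Assumed heuristics and weights, chosen for illustration only.
HIDDEN_PROMPT = re.compile(r"display\s+dialog.*hidden\s+answer", re.I | re.S)
ANY_DIALOG = re.compile(r"display\s+(dialog|alert)", re.I)
ALERT_THRESHOLD = 3


def score_event(parent, cmdline):
    """Score one process event; non-osascript processes score 0."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a truncated log field
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return 0, []
    # Only inline (-e) scripts are visible here; script files and stdin are not.
    inline = "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")
    score, reasons = 0, []
    if HIDDEN_PROMPT.search(inline):
        score, reasons = 3, ["password-style prompt (hidden answer)"]
    elif ANY_DIALOG.search(inline):
        score, reasons = 1, ["dialog or alert raised from a script"]
    if parent.startswith("/Volumes/"):  # mounted volume, e.g. a disk image
        score += 2
        reasons.append("parent runs from a mounted volume")
    return score, reasons


def triage(events):
    """Return (index, score, reasons) for events at or above the threshold."""
    scored = ((i, *score_event(p, c)) for i, (p, c) in enumerate(events))
    return [hit for hit in scored if hit[1] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for index, score, reasons in triage(SAMPLE_EVENTS):
        print(index, score, "; ".join(reasons))
```

Because the stealer described above deletes itself after exfiltration, a rule like this is only useful on process telemetry collected at execution time, not on a later disk scan.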