Mac ‘Stealers’ Malware Becoming Increasingly Common

Malwarebytes this week shared its 2025 State of Malware report. In the report, the anti-malware company said macOS stealers are becoming an increasingly common type of malware on the Mac.

On macOS, the threat landscape was disrupted by a notable shift towards sophisticated infostealer malware like Poseidon and Atomic Stealer, reflecting the platform’s growing attractiveness to cybercriminals.

Historically, most Mac malware has been VSearch adware or the Genieo browser hijacker, but infections by more malicious malware are on the rise, with a new wave of information-stealing malware hitting the Mac during 2024.

Stealers are designed to locate credit card information, authentication cookies, cryptocurrency, passwords, and other valuable data that are always attractive to bad actors.

The current sea change in Mac malware started in mid-2023 with the emergence of Atomic Stealer (AMOS), an information stealer with features that looked more like Windows malware than a traditional Mac threat. Since it emerged, AMOS has seen regular updates as its developers add features, and it has been used in numerous different malware distribution campaigns. Cybercriminals can control the information stealer via a web-based administration console that is sold “as-a-service” (similar to legitimate cloud applications) for $1,000 per month.

Malicious apps are usually installed when a Mac user searches for a legitimate software product and then clicks on a malicious Google or Bing search ad to download an infested version of the software they were looking for. Attackers can deliver targeted ads for the malicious software, based on location, operating system, software, and search terms.

A version of AMOS, referred to as Poseidon, is becoming increasingly popular with bad actors. Poseidon is said to be able to steal cryptocurrency from more than 160 wallets as well as passwords from web browsers and select password managers. The malicious downloads pose as legitimate Mac apps, tricking Mac users into installing the malware.

To protect yourself against attacks like these, always be sure about the websites you are downloading software from, confirming that it comes from a legitimate developer and not a malicious website imitating the true website.