The Mac’s Fortress Has Fallen: Inside the Surge of Infostealers Targeting Apple Users

macOS infostealers like Atomic Stealer, Poseidon, and Cthulhu Stealer are surging as attackers target high-value Apple users. The long-held belief that Macs are immune to malware has become a serious liability for individuals and enterprises alike.
The Mac’s Fortress Has Fallen: Inside the Surge of Infostealers Targeting Apple Users
Written by John Marshall

For two decades, the conventional wisdom among consumers and even some IT professionals held firm: Macs don’t get viruses. That belief, always more myth than reality, has now become outright dangerous. A sharp escalation in macOS-targeted malware — particularly a class of threats known as infostealers — is forcing the cybersecurity industry to reckon with an uncomfortable truth. Apple’s walled garden isn’t as impenetrable as its marketing suggests.

The numbers are stark. According to TechRadar, cybersecurity researchers have documented a dramatic rise in infostealers designed specifically for macOS, with threat actors increasingly viewing Apple users as high-value targets. The logic is straightforward: Mac users tend to skew wealthier, are disproportionately represented in creative industries and C-suites, and — critically — have historically been less vigilant about endpoint security. That combination makes them ideal marks.

Infostealers are exactly what they sound like. They’re malware designed to extract sensitive data from infected machines — passwords, browser cookies, session tokens, cryptocurrency wallet credentials, autofill data, and anything else stored locally that might have value on the dark web or in targeted attacks. Unlike ransomware, which announces itself with encrypted files and demands, infostealers operate quietly. The victim often has no idea anything has happened.

Three families of macOS infostealers have dominated recent threat reports: Atomic Stealer (also known as AMOS), Poseidon Stealer, and Cthulhu Stealer. Each has its own distribution methods and technical signatures, but they share a common playbook. They typically arrive disguised as legitimate software — cracked applications, fake browser updates, or trojanized productivity tools — and rely on social engineering to trick users into bypassing macOS’s built-in Gatekeeper protections. Once the user manually overrides the security warning and enters their system password, the malware has everything it needs.

Atomic Stealer has been particularly prolific. First identified in early 2023, it’s sold as a malware-as-a-service product on Telegram channels and dark web forums for roughly $1,000 per month. That price point has made it accessible to a broad range of cybercriminals, from sophisticated operations to relatively low-skill actors. The service includes regular updates to evade detection, a web-based control panel for managing stolen data, and customer support. It’s a business.

And business is good. Security firm SentinelOne has tracked multiple campaigns distributing Atomic Stealer through malicious Google ads — a technique known as malvertising. Users searching for popular software like Arc Browser, Notion, or Slack are served sponsored results that lead to convincing clone sites. The downloads look legitimate. The installers function as expected, at least on the surface. Underneath, they’re siphoning credentials.

Poseidon Stealer, which emerged in mid-2024, takes a slightly different approach. It has been distributed through malicious email campaigns and has shown a particular interest in targeting cryptocurrency users. Given that macOS has long been the platform of choice in crypto-adjacent industries, this targeting makes strategic sense. Poseidon can extract data from a wide array of browsers and crypto wallets, including MetaMask, Coinbase Wallet, and Phantom.

Cthulhu Stealer rounds out the trio. Priced even lower than Atomic — reportedly around $500 per month — it targets an extensive list of applications and data sources. It can harvest credentials from Keychain, extract browser data from Chrome, Firefox, Brave, and Opera, and pull information from file transfer tools, gaming platforms, and note-taking apps. Its low cost and broad capability set have made it attractive to threat actors looking to cast a wide net.

The shift didn’t happen overnight. But several converging factors have accelerated it. Apple’s growing market share in enterprise environments is one. According to IDC data, Macs now account for a meaningful and growing percentage of corporate endpoints, particularly in technology, finance, and media companies. Every Mac added to a corporate fleet represents another potential entry point that may lack the same depth of endpoint detection and response tooling typically deployed on Windows machines.

There’s also the password problem. Despite Apple’s push toward passkeys and its built-in Keychain password manager, most users still rely on browser-stored credentials — and many reuse passwords across services. A single successful infostealer infection can yield credentials for dozens of accounts: email, banking, corporate VPNs, cloud storage, social media. The downstream damage from one compromised machine can be enormous.

Session token theft deserves particular attention. Modern web applications use session cookies to keep users logged in. If an attacker steals a valid session token, they can impersonate the victim without needing a password or even triggering multi-factor authentication. This technique has been implicated in high-profile breaches, including attacks on major tech companies. Infostealers that harvest browser cookies are, in effect, harvesting authenticated access to every service the victim uses.

So what’s Apple doing about it? The company has incrementally tightened macOS security with each release. Gatekeeper, XProtect (Apple’s built-in malware scanner), and the notarization requirement for distributed software all provide layers of defense. macOS Sequoia, released in late 2024, introduced additional restrictions on running unsigned code. But these defenses share a fundamental limitation: they can all be bypassed by a user who willingly enters their administrator password when prompted. Social engineering remains the skeleton key.

Apple’s response has also been criticized for its opacity. Unlike Microsoft, which publishes detailed threat intelligence reports and actively engages with the security research community, Apple maintains a more guarded posture. XProtect signature updates are pushed silently, and the company rarely comments publicly on specific threats. This approach may reduce panic, but it also leaves enterprise security teams with less visibility into what Apple is detecting and blocking — and what it isn’t.

The security industry has stepped in to fill the gap. Companies like CrowdStrike, SentinelOne, and Jamf have expanded their macOS threat detection capabilities significantly in the past 18 months. Jamf Protect, in particular, has positioned itself as a purpose-built security solution for Apple environments, offering behavioral detection, threat prevention, and compliance monitoring tailored to macOS and iOS. But adoption remains uneven. Many organizations still treat Mac security as an afterthought, applying different (and often lesser) security standards to Apple endpoints than to their Windows counterparts.

This disparity is a gift to attackers. Red team operators and penetration testers have noted for years that macOS environments are often the path of least resistance in corporate networks. The cultural assumption — Macs are safe — translates into weaker monitoring, less restrictive application whitelisting, and fewer behavioral analytics. Threat actors have clearly noticed.

The malware-as-a-service model has also lowered the barrier to entry. A decade ago, writing macOS malware required specialized knowledge of Apple’s APIs, code-signing mechanisms, and security architecture. Today, a would-be attacker can subscribe to Atomic Stealer, receive a ready-made payload, and begin distributing it within hours. The commoditization of macOS malware mirrors what happened in the Windows threat space years ago — and the consequences are likely to be similar.

Distribution methods are evolving too. Beyond malvertising and phishing emails, researchers have observed infostealers being spread through compromised GitHub repositories, fake Homebrew packages (Homebrew being the widely used macOS package manager), and even poisoned results in AI-powered search tools. As large language models become integrated into developer workflows, the risk of AI-assisted social engineering — convincing a developer to install a malicious dependency, for example — grows in parallel.

For individual users, the defensive playbook is relatively straightforward but requires discipline. Don’t download software from unofficial sources. Don’t override Gatekeeper warnings unless you have absolute certainty about the software’s provenance. Use a dedicated password manager rather than relying on browser autofill. Enable multi-factor authentication everywhere it’s available, and prefer hardware security keys or authenticator apps over SMS-based codes. Keep macOS and all applications updated. And treat any unexpected prompt for your system password with suspicion.

For enterprise security teams, the challenge is more complex. It starts with acknowledging that macOS endpoints deserve the same rigor as Windows machines. That means deploying endpoint detection and response agents on every Mac, implementing application whitelisting, monitoring for anomalous credential access patterns, and ensuring that macOS-specific threat intelligence is integrated into security operations workflows. It also means training users — particularly executives, who are often the most resistant to security controls and the most likely to be targeted.

The financial incentives driving this trend aren’t going away. Stolen credentials sell for anywhere from a few dollars to several hundred on dark web markets, depending on the target. Corporate credentials, cryptocurrency wallet access, and session tokens for high-value services command premium prices. A single infostealer campaign targeting Mac users can generate substantial revenue with relatively low operational risk to the attacker, especially when operating from jurisdictions with limited law enforcement cooperation.

There’s a broader lesson here too. Security through obscurity — or in this case, security through market share minority — was never a real strategy. It was an accident of economics. When Windows commanded 95% of the desktop market, it made sense for attackers to focus their efforts there. As macOS has grown to roughly 15-17% of the global desktop market and an even higher share in high-income demographics, the calculus has shifted. Attackers follow the money. Always.

The Mac infostealer surge is not a temporary blip. It’s a structural shift in the threat environment, driven by Apple’s growing enterprise presence, the professionalization of malware development, and the persistent human tendency to trust what feels familiar and safe. The companies and individuals who adapt to this reality quickly will fare far better than those who cling to the comforting fiction that their operating system choice is a security strategy.

That fiction, if it ever had merit, is over.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us