macOS users are facing one of the fastest‑moving threat campaigns observed in the Apple ecosystem to date. Bad actors are distributing weaponized DMG installers that deploy infostealer malware, exploiting the long‑standing misconception that Apple devices are inherently safe. The result is a surge in high‑impact theft operations that complete their objectives before traditional defenses can react.
A Shift in macOS Threat Activity
For years, macOS benefited from a perception of built‑in safety. That assumption no longer holds.
In 2025, over 65% of newly reported macOS malware fell into the infostealer category — a clear indicator that attackers now treat Apple environments as high‑value targets.
These infostealers focus on:
- Credentials
- Browser cookies
- Authentication tokens
- Cryptocurrency wallets
The malware does not attempt persistence. Instead, it performs a single‑run exfiltration, pulling sensitive data and transmitting it to a remote server within seconds. By the time an endpoint tool raises an alert, the theft is already complete.
Attackers Target the Installation Moment
Researchers at Huntress observed a major shift: attackers now focus almost entirely on social‑engineering the installation step.
Because the malware doesn’t need to survive a reboot or embed itself deeply, the critical moment is the user’s decision to run the installer.
Campaigns typically begin in the browser:
- SEO poisoning pushes malicious installers to the top of search results
- Piracy forums distribute “cracked” software, conditioning users to ignore warnings
- Fake download portals impersonate legitimate brands, including Arc and other popular apps
One click is enough to initiate the infection chain.
Why DMG Files Are the Perfect Delivery Method
Attackers are deliberately choosing DMG disk images over .pkg installers. The reasons are structural:
- DMGs require less formal signing
- They receive less scrutiny from macOS security checks
- They mount as virtual drives under /Volumes, giving attackers a controlled environment for social engineering
A legitimate DMG typically displays a simple drag‑to‑Applications prompt. Malicious DMGs replicate this layout precisely but embed Gatekeeper bypass instructions directly into the background image.
Infostealer families using this method include:
- AMOS
- Poseidon
- Odyssey
- MacSync
Some campaigns go further, encoding bypass instructions into filenames such as “Drag to Terminal”, prompting users to execute commands that disable protections.
Variations in Tradecraft
Bad actors continue to refine their approach:
- Background images contain step‑by‑step override instructions
- Filenames mimic system actions
- Fake installers include branded graphics and UI elements
- Users are guided to manually approve untrusted software in System Settings
The common thread is clear: the user becomes the execution vector.
Detection: Focus on the Mount Event
Most endpoint tools detect malware after execution, which is ineffective against fast‑moving infostealers.
Huntress highlights the importance of monitoring the mount event — the moment macOS attaches a DMG under /Volumes.
Effective detection includes:
- Monitoring for newly mounted disk images
- Scanning for hidden .background directories
- Using OCR to extract text from installer graphics
- Applying fuzzy matching to catch intentional misspellings
- Flagging installers that contain Gatekeeper bypass instructions
If a suspicious DMG is identified, defenders should immediately unmount the disk image and terminate associated processes. If execution has already occurred, detection shifts to downstream behaviors such as Keychain access or privilege escalation attempts.
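As an added illustration of the mount-event checks above (example code written for this page, not Huntress's tooling or anything from the article), the following Python sketch inspects a mounted volume for a hidden .background directory and fuzzy-matches both filenames and OCR-extracted text against a list of Gatekeeper-bypass phrases. The phrase list, the mount points and the OCR text are constructed assumptions, and the OCR pass itself is left to the caller.

```python
import difflib
import re
import tempfile
from pathlib import Path
# Phrases a legitimate drag-to-Applications DMG never needs to show (constructed list).
BYPASS_PHRASES = [
    "drag to terminal",
    "open anyway",
    "right click open",
    "allow applications from anywhere",
]

def normalize(text: str) -> str:
    """Lowercase and strip punctuation so OCR noise and filename tricks line up."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).strip()

def fuzzy_hits(text: str, threshold: float = 0.8) -> list[str]:
    """Match each window of the text against the bypass phrases; 'Draq to Termina1' still hits."""
    words = normalize(text).split()
    hits = []
    for phrase in BYPASS_PHRASES:
        n = len(phrase.split())
        for i in range(max(1, len(words) - n + 1)):
            window = " ".join(words[i:i + n])
            if difflib.SequenceMatcher(None, window, phrase).ratio() >= threshold:
                hits.append(phrase)
                break
    return hits

def inspect_mount(volume: Path, ocr_text: str = "") -> dict:
    """Check a freshly mounted image (a path under /Volumes). `ocr_text` is what an OCR
    pass over the background image returned; a .background dir is context only."""
    findings = {
        "hidden_background": (volume / ".background").is_dir(),
        "filename_hits": [h for p in volume.iterdir() for h in fuzzy_hits(p.name)],
        "ocr_hits": fuzzy_hits(ocr_text),
    }
    findings["suspicious"] = bool(findings["filename_hits"] or findings["ocr_hits"])
    return findings

def demo() -> tuple:
    """Two constructed mount points in a temp dir: a lure image and a clean one."""
    root = Path(tempfile.mkdtemp())
    lure, clean = root / "Arc Installer", root / "Arc"
    (lure / ".background").mkdir(parents=True)
    clean.mkdir()
    (lure / "Draq to Termina1").touch()   # misspelled bypass lure as a filename
    (clean / "Applications").touch()      # stand-in for the usual Applications symlink
    return (inspect_mount(lure, "Right-click > Open Anyway to bypass Gatekeeper"),
            inspect_mount(clean, "Drag Arc to the Applications folder"))
```

A .background directory alone is not a verdict, since legitimate installers use one for the drag-to-Applications artwork; the verdict here comes from the bypass text, and the threshold is a tuning knob you would validate against your own DMG corpus.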
User Behavior Remains a Critical Factor
Because these attacks rely on user approval, awareness is a primary defense.
Key guidance:
- Avoid downloading software from unofficial or cracked sources
- Treat any installer requesting a Gatekeeper override as malicious
- Be cautious of installers instructing you to drag files into Terminal
- Verify downloads only from trusted developer sites or the Mac App Store
The myth of macOS invulnerability is gone. Bad actors understand the trust users place in Apple’s ecosystem — and they are exploiting that trust at scale.