macOS stealers are becoming an increasingly common type of malware on the Mac, according to the 2025 State of Malware report that Malwarebytes shared this week.
Most Mac malware has historically been VSearch adware or the Genieo browser hijacker, but more malicious malware is on the rise, and 2024 saw a new wave of information stealing malware hit the Mac.
Stealers are designed to locate credit card information, authentication cookies, cryptocurrency, passwords, and other valuable data that criminals can use to make money.
Malicious apps that steal information are typically installed when a Mac user searches for a legitimate software product and then uses a malicious Google or Bing search ad to download an infested replica version of the software they sought. Attackers are able to deliver targeted ads for malicious software based on location, operating system, software, and search terms.
Atomic Stealer (AMOS), an information stealer that surfaced in 2023, is used regularly, and a version of AMOS referred to as Poseidon has becoming increasingly popular with criminals. Poseidon is advertised as being able to steal cryptocurrency from more than 160 wallets as well as passwords from web browsers and select password managers. Poseidon downloads have masqueraded as legitimate Mac apps like the Arc Browser, tricking unsuspecting Mac users into installing the malware.
Malwarebytes warns that macOS stealers like Poseidon allow criminals to access sensitive resources, steal credentials, and create convincing social engineering attacks.
To avoid this kind of attack, it is important to verify where software is being downloaded from, ensuring that it comes from a legitimate developer and not an imitation website.
