The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.
These are the dangers of "infostealers," which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular is responsible for the lion's share of infostealer activity, racking up 70% of known infostealer detections on Mac.
These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.
With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.
The threat of infostealers
"Infostealers" are a type of malware that does exactly what the name says: they steal information from people's devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.
With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don't even require an additional step: they can take cryptocurrency directly from a victim's online accounts.
But infostealers pose another danger, one that comes from their recent history: they are wildly adaptable.
In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a personâs device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.
By 2018, TrickBot was the largest threat to businesses.
Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn't interested in Windows devices.
The next Mac malware
Malware is "malicious software," and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn't automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn't work on iPhones.
For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.
During this time, most Mac threats were bothersome pieces of malware that would hijack a victim's web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses, and as demand for Windows computers has waned, cybercriminals have readjusted their thinking.
In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features (much like TrickBot), it has also been gussied up with some of the markings of a legitimate business.
For instance, AMOS can be "licensed" out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn't just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.
By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion (seriously) and even released an AMOS update that would better hide the infostealer from detection by cybersecurity software.
But in the world of cybercrime, malware features only mean so much. Another important piece of cybercrime is getting malware onto a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.
Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to "malicious advertising" or "malvertising." This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.
On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.
This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.
As we warned in the State of Malware report:
"Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN."
Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware launched only last summer.
Interestingly, Poseidon is just another "fork" of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.
Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising (hackers can target malicious ads based on a potential victim's location, operating system, software, and search terms), Mac users must be on watch.
How to stay safe
In 2025, Mac users don't just need to watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use this malware delivery method for all sorts of threats online.
Here's how you can stay safe:
- Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
- Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
- Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.




