What happened
A macOS-targeting infostealer called DigitStealer has seen increased activity since emerging in late 2025, specifically targeting Apple M2-based systems and harvesting sensitive user data including browser information, macOS keychain entries, and cryptocurrency wallet credentials from 18 different wallets. The malware is distributed through trojanized applications such as a fake productivity tool named “DynamicLake,” and establishes persistence by creating a Launch Agent that ensures automatic execution. Once installed, DigitStealer communicates regularly with attacker-controlled servers to retrieve commands and exfiltrate data, using cryptographic challenge-response mechanisms and consistent hosting infrastructure patterns that researchers have used to track the operation.
Who is affected
Users and organizations running macOS systems, particularly those using Apple M2 devices and installing untrusted or trojanized applications, are affected, as the malware steals credentials, cryptocurrency wallet data, and sensitive system information.
Why CISOs should care
The malware demonstrates ongoing targeting of macOS environments and cryptocurrency assets, highlighting risks associated with trojanized applications and persistent credential theft from enterprise endpoints.
3 practical actions
- Monitor macOS systems for unauthorized Launch Agents. Detect persistence mechanisms created by DigitStealer.
- Block communication with known command-and-control infrastructure. Use identified hosting patterns and domains to prevent malware activity.
- Restrict installation of untrusted applications. Prevent users from installing trojanized software that delivers infostealer malware.
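The first action above, hunting for Launch Agent persistence, can be scripted. The following is an added example and not part of the advisory or any vendor tooling: it parses Launch Agent plists with Python's standard `plistlib` and flags traits typical of infostealer persistence. The heuristics (interpreter-based agents, executables outside vendor locations, hidden or temporary paths) and the two sample plists are constructed assumptions, not real DigitStealer artifacts.

```python
from __future__ import annotations
import plistlib
from pathlib import Path

# Per-user and system-wide Launch Agent directories on macOS.
LAUNCH_AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
# Interpreters often used to run staged payloads, and path prefixes a legitimately
# installed agent would normally point into (both are assumptions, tune per fleet).
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/libexec/", "/bin/")


def assess(plist_bytes: bytes) -> list[str]:
    """Return the reasons a Launch Agent plist looks like malware persistence (empty = clean)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    if program is None:
        return ["no executable specified"]
    reasons = []
    if Path(program).name in INTERPRETERS:
        reasons.append(f"runs an interpreter ({Path(program).name})")
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside trusted locations: {program}")
    if data.get("RunAtLoad") and (data.get("KeepAlive") or data.get("StartInterval")):
        reasons.append("auto-starts at login and keeps itself running")
    if any("/tmp/" in a or "/." in a for a in args):
        reasons.append("references a temporary or hidden path")
    return reasons


def scan(dirs: list[Path] = LAUNCH_AGENT_DIRS) -> dict[str, list[str]]:
    """Walk the Launch Agent directories and return {plist path: reasons} for suspicious ones."""
    findings: dict[str, list[str]] = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                reasons = assess(p.read_bytes())
            except Exception as exc:  # malformed plist is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples: a vendor-style agent and one shaped like dropper persistence.
BENIGN = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/Helper</string>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPICIOUS = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.placeholder</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string>
<string>/Users/Shared/.cache/agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for path, why in scan().items():
        print(path, "->", "; ".join(why))
```

Run it as the logged-in user to cover `~/Library/LaunchAgents`; any hit is a starting point for triage, not proof of compromise.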
