
Sophisticated macOS Infostealer Hits Newer Apple Silicon Devices

Researchers have discovered a new, highly sophisticated macOS malware called DigitStealer that masquerades as a legitimate app called “DynamicLake.” It specifically targets newer Apple Silicon Macs (M2 chips and later) while avoiding older Macs, virtual machines, and Intel-based systems.

DigitStealer’s installation begins with a bash script executed entirely in memory. Before proceeding, it checks the system’s region settings and verifies certain hardware features to ensure it’s running on a non-virtual, M2-or-newer Mac.

If these checks pass, the malware downloads four separate payloads:

  1. A script that asks the user for their macOS password and, if provided, steals credentials, documents, and system files.
  2. Tools that pull data from browser profiles, the macOS keychain, VPN configs, Telegram settings, and crypto wallets (including Ledger, Electrum, Exodus, and others).
  3. A tampered version of the Ledger Live app: the malware replaces its app file so it connects to an attacker-controlled server, giving full access to the user’s crypto wallet.
  4. A persistent backdoor implemented as a “Launch Agent”; this component fetches additional payloads from the attacker’s server on demand. At first, this backdoor is a JavaScript-based automation script, but the attacker can change it dynamically.

To trick users, the malware is packaged as an unsigned disk image named DynamicLake.dmg, served from a fake website mimicking the real DynamicLake app. The installer asks users to drag the file into Terminal, bypassing standard macOS security checks.

The researchers note that the malware’s design shows deep knowledge of macOS internals and a clear intention to evade detection. Because it uses fileless techniques and hardware checks, it leaves minimal traces and can dodge many traditional antivirus tools.
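
Because the bash stage runs in memory, the Launch Agent plist is one of the few on-disk artifacts this chain leaves, so a defender can triage ~/Library/LaunchAgents for entries that launch an interpreter with inline code or a remote URL. The script below is an added example written for this article, not code from the researchers; the plist contents and the c2.example.invalid host are constructed, and the interpreter list is an assumption about what such a loader would invoke.

```python
import plistlib
from pathlib import Path
# Interpreters a login-time persistence entry rarely needs legitimately. "osascript"
# matches the article's JavaScript-based automation script; the rest are assumptions.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "curl", "python3", "python"}
INLINE_FLAGS = {"-e", "-c"}  # code supplied on the command line instead of from a file

def assess_launch_agent(plist_bytes):
    """Return the reasons a Launch Agent plist looks like a staged backdoor ([] if none)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # InvalidFileException or XML parse errors
        return [f"unparseable plist: {exc}"]
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if not args and plist.get("Program"):
        args = [str(plist["Program"])]
    if not args:
        return []
    findings = []
    if Path(args[0]).name in INTERPRETERS:
        findings.append(f"launches interpreter {Path(args[0]).name!r}")
    if INLINE_FLAGS.intersection(args[1:]):
        findings.append("inline code passed on the command line")
    if any("http://" in a or "https://" in a for a in args):
        findings.append("remote URL in arguments (on-demand payload fetch)")
    if findings and plist.get("RunAtLoad"):  # only worth noting alongside other signals
        findings.append("RunAtLoad: re-executes at every login")
    return findings

def scan_launch_agents(directory):
    """Map each suspicious *.plist under a LaunchAgents folder to its findings."""
    results = {}
    for path in Path(directory).glob("*.plist"):
        if reasons := assess_launch_agent(path.read_bytes()):
            results[path.name] = reasons
    return results

# Constructed samples (not real DigitStealer artifacts), shaped like the article's description.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string><string>-l</string>
<string>JavaScript</string><string>-e</string>
<string>// placeholder: next stage is pulled from https://c2.example.invalid/</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

On a Mac, `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` lists the per-user entries worth a closer look; a hit is a lead to verify, not proof of compromise.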

To stay safe, Mac users should:

  • Be very careful where they download apps, especially disk images (.dmg)
  • Avoid dragging unknown or untrusted files into Terminal
  • Use antivirus or security tools that monitor behavior, not just file signatures
  • Always verify the website or GitHub repo before downloading utilities
