Sophisticated macOS Infostealers Get Past Apple's Built-In Detection

Published: 23/11/2024   Category: security




Emerging malware variants can evade various static-signature detection engines, including XProtect, as attackers rapidly evolve to challenge defense systems.



Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers become more adept at defeating static signature-detection engines such as the platform's proprietary XProtect.
KeySteal, Atomic Stealer, and CherryPie are three active stealers that can currently get past various detection engines, with variants of the first two currently evading macOS's XProtect, researchers from SentinelOne revealed in a blog post this week. XProtect is macOS's built-in antivirus (AV) technology: it checks downloaded files and apps against a database of known malware signatures and blocks those that match (removal of malware already on disk is handled by the companion XProtect Remediator component).
Indeed, there has been a rise in info-stealing malware targeting the macOS platform since early last year, and the trend is already off to a flying start in 2024, as attackers evolve as quickly as defenders to evade new detection methods, according to SentinelOne.
"Recent updates to macOS's XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures," SentinelOne threat researcher Phil Stokes wrote in the post.
All three stealers outlined by SentinelOne have been identified previously but continue to evolve, with new variants showing sophisticated evasion capabilities.
KeySteal, first observed in 2021 by Trend Micro, has evolved significantly since it was first detected, and even since Apple added a signature for it to XProtect nearly a year ago. The malware has changed so much that XProtect no longer detects current versions.
Originally, KeySteal appeared in .pkg format with an embedded macOS utility called ReSignTool, a legitimate open source application for re-signing and bundling apps for distribution on iOS devices.
The latest versions of KeySteal no longer use ReSignTool and instead appear as multi-architecture Mach-O binaries with names such as UnixProject and ChatGPT, though how the infostealer is being distributed is unclear at this time, Stokes said. The authors have also modified the code to steal macOS keychain information and to drop persistence components in various system locations.
One factor that remains consistent between the early and current iterations of KeySteal is the hardcoded command-and-control (C2) address, which gives threat hunters and static detections a clue for finding it, he added.
Atomic Stealer has also evolved since it was identified last year, with SentinelOne currently observing various iterations in the wild. This indicates separate development chains rather than one core version being updated, Stokes wrote.
While XProtect previously picked up a Go version of Atomic Stealer, SentinelOne has observed new variants written in C++ that the engine does not detect and that also have low detection scores on VirusTotal.
The variant includes logic to prevent victims, analysts, or malware sandboxes from running Terminal at the same time as the stealer, and it also checks whether it is running inside a virtual machine (VM). Moreover, the new samples embed hardcoded AppleScript in clear text rather than obfuscating it, a departure from versions that appeared earlier this month.
Given names such as CrackInstaller and Cozy World Launcher and the .dmg file format, the researchers believe active Atomic Stealer variants are likely distributed through torrents or gaming-focused social media platforms.
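Both of the clues above, KeySteal's hardcoded C2 address and the clear-text AppleScript in the newer Atomic Stealer builds, are static artefacts, and since current KeySteal samples ship as multi-architecture (universal) Mach-O binaries a hunter has to look inside every architecture slice rather than at the file as a whole. The script below is an added example and is not code from SentinelOne, Apple, or the malware authors: it parses the universal (fat) header, walks each slice, and reports string indicators per architecture so that a string present in only one slice is not masked by a clean one. The indicator patterns, the placeholder C2 hostname c2.example.test, and the constructed sample binary are assumptions for illustration; none of them are indicators reported for these families.

```python
import re
import struct

FAT_MAGIC = 0xCAFEBABE      # universal binary header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Hunting indicators (assumptions for illustration): the C2 hostname is a
# placeholder, not a real KeySteal indicator; the other two are generic idioms
# seen in clear-text AppleScript and keychain-theft code.
INDICATORS = {
    "c2_host": re.compile(rb"c2\.example\.test"),
    "applescript_dialog": re.compile(rb'display dialog "[^"]*"'),
    "keychain_access": re.compile(rb"login\.keychain-db"),
}


def parse_fat(blob: bytes):
    """Return [(cputype, offset, size)] per slice, or [] if blob is not a fat binary."""
    if len(blob) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", blob[:8])
    if magic != FAT_MAGIC:
        return []
    if nfat == 0 or nfat > 64:
        raise ValueError(f"implausible nfat_arch {nfat}")
    slices = []
    for i in range(nfat):
        entry = blob[8 + 20 * i: 8 + 20 * (i + 1)]
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", entry)
        if offset + size > len(blob):
            raise ValueError(f"slice {i} extends past end of file")
        slices.append((cputype, offset, size))
    return slices


def strings(data: bytes, min_len: int = 6):
    """Printable-ASCII runs, the same thing the `strings` tool would show."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def hunt(blob: bytes) -> dict:
    """Per-architecture report: header sanity, string count, indicator hits."""
    slices = parse_fat(blob) or [(None, 0, len(blob))]   # thin binary = one slice
    report = {}
    for cputype, off, size in slices:
        sl = blob[off:off + size]
        if len(sl) < 8:
            raise ValueError("slice too short for a Mach-O header")
        magic, hdr_cpu = struct.unpack("<II", sl[:8])
        if cputype is None:
            cputype = hdr_cpu
        arch = CPU_NAMES.get(cputype, hex(cputype))
        hits = {name: pat.findall(sl) for name, pat in INDICATORS.items()}
        report[arch] = {
            # a fat_arch cputype that disagrees with the slice's own header is
            # itself suspicious, so it is folded into the sanity flag
            "macho": magic == MH_MAGIC_64 and hdr_cpu == cputype,
            "nstrings": len(strings(sl)),
            "hits": {k: v for k, v in hits.items() if v},
        }
    return report


# --- constructed sample input (not a real malware sample) -------------------

def build_slice(cputype: int, payload: bytes) -> bytes:
    """Minimal 32-byte mach_header_64 (MH_EXECUTE, no load commands) + payload."""
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)
    return header + payload


def build_fat(slices) -> bytes:
    """Lay out (cputype, bytes) slices behind a fat header, 4 KiB aligned."""
    align, page = 12, 1 << 12
    n = len(slices)
    table = struct.pack(">II", FAT_MAGIC, n)
    offset = (8 + 20 * n + page - 1) // page * page
    pieces = []
    for cputype, data in slices:
        table += struct.pack(">IIIII", cputype, 0, offset, len(data), align)
        pieces.append((offset, data))
        offset = (offset + len(data) + page - 1) // page * page
    out = bytearray(offset)
    out[:len(table)] = table
    for off, data in pieces:
        out[off:off + len(data)] = data
    return bytes(out)


SAMPLE_FAT = build_fat([
    (CPU_TYPE_X86_64, build_slice(CPU_TYPE_X86_64,
        b'\0ChatGPT\0https://c2.example.test/gate\0'
        b'display dialog "macOS needs to update settings"\0')),
    (CPU_TYPE_ARM64, build_slice(CPU_TYPE_ARM64,
        b'\0ChatGPT\0/Library/Keychains/login.keychain-db\0')),
])

if __name__ == "__main__":
    for arch, info in hunt(SAMPLE_FAT).items():
        print(arch, info["macho"], info["nstrings"], info["hits"])
```

The sanity flag matters in practice: a fat_arch entry whose cputype disagrees with the Mach-O header inside the slice, or a slice that runs past the end of the file, is a malformed binary that some scanners skip rather than flag, which is exactly the gap an evasive sample will exploit.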
Despite recent updates, a third stealer called CherryPie (aka Gary Stealer) is still blocked by macOS XProtect, but other static-detection engines aren't faring as well against it, the researchers found. The same malware was also identified as JaskaGo by AT&T Labs in December.
A recent sample of CherryPie, a cross-platform Windows/macOS stealer written in Go, remained undetected on VirusTotal at the time of writing, Stokes said.
"Though the sample contains extensive logic for anti-analysis and VM detection, its authors appear to be hiding the malware in plain sight, having left obvious strings embedded in the malware to indicate both its purpose (stealer) and its intent (malicious)," he wrote.
Some versions of CherryPie the researchers observed also use the legitimate open source Wails project to wrap the malicious code in an application bundle, Stokes added.
Though macOS has historically been regarded as a relatively secure platform, attackers' concerted efforts to target it have found more success in recent years. Organized threat groups, some in particular from North Korea, have introduced new malware built specifically for the platform, with stealers being an especially popular way for attackers to compromise macOS.
This continued assault on the platform means macOS defenders need to remain vigilant, and Apple also needs to stay on top of threats to ensure XProtect can block them, Stokes said.
"The continued prevalence and adaptation of macOS infostealers … underscores the ongoing challenges facing macOS enterprise users," he wrote. "Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade."
