
Weaponized DMG Files Target macOS Users with Infostealer Malware

Severity: High (Score: 64.5)

Sources: Cybersecuritynews, Huntress

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: target, macos, hackers, weaponized, files, users, infostealer

Severity indicators: weaponized, malware, stealer, infostealer

Summary

Hackers are exploiting macOS users through weaponized DMG files that masquerade as legitimate software installers. This tactic leverages the misconception that Apple devices are immune to malware, allowing attackers to harvest sensitive information quickly. In 2025, over 65% of newly reported macOS malware was classified as infostealers, indicating a significant rise in credential and data theft targeting Apple environments. The attacks primarily initiate via web browsers, utilizing SEO poisoning and compromised links in torrent networks. The infostealers operate rapidly, exfiltrating data before detection, without establishing persistence on the infected systems. This trend highlights a shift in focus from traditional malware tactics to social engineering for initial installation. Current reports indicate that these attacks are ongoing and increasingly sophisticated.

Key Points:

  • Over 65% of new macOS malware in 2025 was infostealers, targeting user credentials.
  • Attackers use weaponized DMG files disguised as legitimate software to deceive users.
  • The infection process often begins with SEO poisoning and compromised torrent links.

Detailed Analysis

**Impact**

macOS users globally are targeted, particularly those downloading free or cracked software from torrent networks and forums. Over 65% of newly reported macOS malware in 2025 was infostealers, indicating widespread credential and data theft risks, including saved passwords, browser cookies, authentication tokens, and cryptocurrency wallets. The rapid exfiltration of data before detection increases the potential for significant operational and financial damage.

**Technical Details**

Attackers deliver infostealer malware via weaponized disk image (.dmg) files disguised as legitimate software installers. The infection chain begins with SEO poisoning and compromised links leading users to download these deceptive installers. The malware forgoes traditional persistence mechanisms, focusing on rapid data harvest and exfiltration to command-and-control servers. No specific CVEs or IOCs were provided in the sources.

**Recommended Response**

Users and defenders should avoid downloading software from untrusted sources, especially cracked or free versions of paid applications. Monitoring for unusual network exfiltration patterns and suspicious mounting of disk images is advised. Enforce Gatekeeper settings to block unsigned or unnotarized applications, and educate users on the social engineering risks associated with DMG installers. No patch or specific detection signatures were detailed in the available information.

Source articles (2)

  • Deceptive Installers: How Fake Apps Target macOS — Huntress · 2026-06-10
    If you've ever downloaded a "free" version of software that traditionally has a price tag, I’m looking at you, my LimeWire power-users of the 2000s. You may have unwittingly walked into one of the mos…
  • Hackers Use Weaponized DMG Files to Target macOS Users With Infostealer Malware — Cybersecuritynews · 2026-06-11
    Hackers are using weaponized DMG files to target macOS users with infostealer malware, exploiting the long-standing myth that Apple devices are safe from cyber threats. These attacks rely on fake soft…

Timeline

  • 2025-01-01 — Rise in macOS infostealer malware reported: Reports indicated that over 65% of newly identified macOS malware was classified as infostealers, marking a significant trend in cyber threats against Apple devices.
  • 2026-06-10 — Huntress article published: Huntress detailed the use of deceptive installers and weaponized DMG files targeting macOS users, emphasizing the shift in attack strategies.
  • 2026-06-11 — Cybersecuritynews article published: Cybersecuritynews reported on the ongoing use of weaponized DMG files to exploit macOS users, reinforcing the urgency of the threat.

Related entities

  • Malware (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • AMOS (Malware)
  • MacSync (Malware)
  • Odyssey (Malware)
  • Poseidon (Malware)
  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
  • T1071 - Application Layer Protocol (MITRE ATT&CK)
  • T1566.002 - Spearphishing Link (MITRE ATT&CK)
  • Arc Browser (Platform)
  • macOS (Platform)