Insights, news, education and announcements from PolySwarm

DigitStealer MacOS Infostealer

Written by The Hivemind | Dec 1, 2025 6:47:01 PM

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None

Executive Summary

DigitStealer is a highly evasive macOS information stealer that executes almost entirely in memory, leverages JavaScript for Automation (JXA) and AppleScript, and employs novel hardware-based anti-analysis checks targeting Apple Silicon M2 and newer devices. The campaign demonstrates increasing adversary sophistication through multi-stage payload delivery and abuse of legitimate infrastructure.

Key Takeaways

  • DigitStealer obtains initial access via an unsigned DMG masquerading as the legitimate DynamicLake utility, using the classic “drag-to-Terminal” Gatekeeper bypass technique.
  • It uses an extensive anti-analysis routine in the first-stage bash dropper that blocks execution on virtual machines, Intel-based Macs, M1 chips, and systems in specific geographic locales.
  • DigitStealer relies on four separately fetched, in-memory payloads: an AppleScript stealer, two obfuscated JXA modules (one broad infostealer, one dedicated Ledger Live config modifier), and a dynamic LaunchAgent backdoor that pulls fresh JXA code via DNS TXT records.

What is DigitStealer?

Jamf Threat Labs recently detailed DigitStealer, a new macOS-focused information stealer that stands out for its minimal disk footprint and advanced evasion logic. Distributed as an unsigned disk image named DynamicLake.dmg, the sample impersonates the legitimate DynamicLake utility and is difficult to detect.

Execution begins when the victim drags a disguised .msi text file into Terminal, triggering a one-liner that uses curl to pull and pipe an obfuscated bash dropper directly into memory. This first-stage script immediately performs geographic filtering by inspecting the user’s AppleLocale preference. Any match against a hard-coded list of former Soviet states and associated countries causes immediate termination, likely an operational security measure to avoid law-enforcement scrutiny in those regions.

The dropper then runs an unusually thorough anti-analysis suite. Beyond standard VM detection via system_profiler and common sysctl queries, it introduces checks specific to Apple Silicon hardware features introduced with the M2 series and later. If any of these expected ARM capabilities are missing or report zero, the script exits. As a result, DigitStealer deliberately refuses to run on Intel Macs, M1 systems, virtualized environments, or analysis sandboxes lacking full M2+ feature parity.

Once checks pass, the dropper uses nohup curl to fetch four additional payloads from Cloudflare Pages infrastructure and executes them directly in memory:

  • A clear-text AppleScript infostealer that prompts for the user password, resets the TCC privacy database with tccutil, harvests Desktop, Documents, and Downloads files and Notes data, then exfiltrates everything to the C2.
  • A heavily obfuscated JXA module that mirrors typical stealer behavior, targeting browser profiles, cryptocurrency wallets, the Keychain database, VPN configs, and Telegram tdata.
  • A smaller obfuscated JXA payload dedicated to Ledger Live tampering terminates the running process, rewrites ~/Library/Application Support/Ledger Live/app.json to point to attacker-controlled endpoints, enabling seed-phrase exfiltration or malicious configuration pushes.
  • A bash persistence script that drops a LaunchAgent plist. Rather than embedding static code, the agent queries a DNS TXT record on the C2 to retrieve the current backdoor URL, then continuously downloads and executes fresh obfuscated JXA every ten seconds, sending a unique MD5-hashed hardware UUID with each request.

Notably, the Ledger Live modification technique has evolved: instead of dropping a single malicious app.asar, the malware downloads three separate segments, concatenates them in memory, and swaps the trojanized archive into the legitimate application bundle, further complicating static detection.

DigitStealer illustrates the rapid maturation of the macOS threat landscape. By chaining multiple in-memory stages, abusing legitimate services, and introducing hardware-specific anti-analysis checks, the operators achieve both high evasion and precise targeting of high-value Apple Silicon systems while leaving virtually no artifacts on disk. 

IOCs

PolySwarm has multiple samples associated with DigitStealer.

 

226cbbf43d9bcedcc5ab69e51e5cce2f4ca841aa7ab39fdf974766203e2c9b66

5420a25fdd6cb6484ab3687c6bba750b40007730eb4232088b668eff0de2c072

12e630d6041eb7322901150079c0d0fdbd47b0098dc5cb0f2de23b6e8d5082e1

498d271d695e424bfd7f9ad1ead187ef0ac62fa8908c6e1f239db495371ff237

 

Click here to view all samples of DigitStealer in our PolySwarm portal.

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post