DigitStealer Gains Attention as macOS-Targeting Infostealer Exposes Key Infrastructure Weaknesses

DigitStealer, a sophisticated information-stealing malware targeting macOS systems, has recently surged in activity, drawing significant attention from the cybersecurity community.

First emerging in late 2025, this malicious software specifically targets Apple M2 devices, distinguishing itself from generic threats.

It operates primarily by harvesting sensitive user data, including information from 18 different cryptocurrency wallets, browser data, and macOS keychain entries.

Unlike many modern infostealers that function as part of a Malware-as-a-Service (MaaS) ecosystem, DigitStealer lacks a web panel for affiliates, strongly suggesting it is managed by a private operator or a small, exclusive team.

The primary infection vector involves the distribution of the malware disguised as legitimate applications, such as the productivity tool “DynamicLake”. Once a user installs the compromised software, the malware initiates a multi-stage infection process.

It establishes persistence on the victim’s machine by creating a Launch Agent, which ensures the malicious code runs automatically.

This backdoor capability allows the attacker to maintain long-term access, polling the C2 server every 10 seconds for new AppleScript or JavaScript payloads to execute different malicious functions on the device.

Cyber and Ramen analysts identified that the malware’s infrastructure reveals a distinct lack of diversity, pointing towards a centralized operation.

Their investigation highlighted that the malware’s command servers are clustered within specific hosting networks, often using consistent domain registration patterns via providers like Tucows and nameservers from Njalla.

This operational security failure has provided researchers with valuable indicators to track the threat. By analyzing these patterns, security teams can better identify and block communication attempts between infected devices and the attacker’s infrastructure.

Evasion and Communication Tactics

A closer examination of DigitStealer’s technical behavior reveals a complex mechanism designed to evade detection and analysis.

The malware communicates with its C2 server through four specific API endpoints—/api/credentials, /api/grabber, /api/poll, and /api/log—handling tasks such as credential exfiltration and file uploads.
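The clustered infrastructure and fixed endpoint set described above give defenders something concrete to hunt for in proxy or DNS logs. The following is an added example, not code from the Cyber and Ramen report or from the malware: it flags clients that contact two or more of the four API paths named in the article, or that hit `/api/poll` at a cadence near the 10-second interval the article describes. The log format, hostnames, client addresses and timestamps are constructed placeholders.

```python
"""Beacon-pattern detection over constructed proxy logs. Added example, not
code from the Cyber and Ramen report: it flags clients that contact two or
more of the four API paths the article names, or that hit /api/poll at a
cadence near the 10-second polling interval it describes. Hostnames, IPs and
timestamps below are constructed placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Paths named in the article. /api/poll alone is generic, so cadence matters.
DIGITSTEALER_PATHS = {"/api/credentials", "/api/grabber", "/api/poll", "/api/log"}

# Constructed lines: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2025-11-20T10:00:00 10.0.0.5 POST http://c2.example.invalid/api/credentials
2025-11-20T10:00:01 10.0.0.5 GET http://c2.example.invalid/api/poll
2025-11-20T10:00:11 10.0.0.5 GET http://c2.example.invalid/api/poll
2025-11-20T10:00:21 10.0.0.5 GET http://c2.example.invalid/api/poll
2025-11-20T10:00:31 10.0.0.5 GET http://c2.example.invalid/api/poll
2025-11-20T10:00:33 10.0.0.5 POST http://c2.example.invalid/api/log
2025-11-20T10:00:04 10.0.0.9 GET http://intranet.example.invalid/api/poll
2025-11-20T10:07:30 10.0.0.9 GET http://intranet.example.invalid/api/poll
2025-11-20T10:02:15 10.0.0.7 GET http://news.example.invalid/index.html
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url path)."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).path


def analyze(log_text, expected_interval=10.0, tolerance=2.0, min_paths=2):
    """Return {client: finding} for clients whose traffic matches the pattern.

    A client is flagged when it touches at least `min_paths` of the named
    paths, or when the median gap between its /api/poll requests is within
    `tolerance` seconds of `expected_interval`.
    """
    paths_by_client = defaultdict(set)
    poll_times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, path = parse_line(line)
        if path in DIGITSTEALER_PATHS:
            paths_by_client[client].add(path)
        if path == "/api/poll":
            poll_times[client].append(ts)

    findings = {}
    for client, paths in paths_by_client.items():
        times = sorted(poll_times[client])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence = median(gaps) if gaps else None
        periodic = cadence is not None and abs(cadence - expected_interval) <= tolerance
        if periodic or len(paths) >= min_paths:
            findings[client] = {
                "paths": sorted(paths),
                "median_poll_gap_s": cadence,
                "periodic": periodic,
            }
    return findings


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG).items():
        print(client, finding)
```

In the constructed sample, only `10.0.0.5` is flagged: it touches three of the named paths and its `/api/poll` requests arrive every 10 seconds. The intranet client that happens to use a `/api/poll` route is left alone because it neither hits a second named path nor beacons at the expected cadence, which is the reason the cadence check is paired with the path set rather than alerting on a path name by itself.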

To prevent security researchers from easily probing these servers, the malware implements a cryptographic challenge-response system. Before the server issues any commands, it sends a unique “challenge” string and a complexity level to the infected client.

Example request to a DigitStealer C2 containing the cryptographic challenge (Source – Cyber and Ramen)

The malware must solve this computational puzzle by hashing the challenge string with a generated number to match a specific pattern. Only after successfully solving this challenge does the server grant a valid session token.

This anti-analysis feature ensures that automated scanners cannot easily interact with the command server.
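To make the gating mechanism concrete, here is an added illustration of a hashcash-style challenge-response exchange of the kind the article describes. It is not DigitStealer code and makes two assumptions the article does not settle: the hash is SHA-256 and the "specific pattern" is a run of leading zero hex digits whose length is the complexity level. It shows why a scanner that simply requests the endpoint gets no session token, and what cost the complexity parameter imposes on anything that wants to talk to the server.

```python
"""Added illustration of a proof-of-work challenge-response gate. Assumptions
not stated in the article: SHA-256 as the hash, and "leading zero hex digits"
as the target pattern. The exchange is simulated in-process; nothing here
talks to a network."""
import hashlib
import secrets


def issue_challenge(complexity=3):
    """Server side: a fresh random challenge plus the required difficulty."""
    return {"challenge": secrets.token_hex(16), "complexity": complexity}


def pow_digest(challenge, nonce):
    """Hash the challenge together with the client's candidate number."""
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).hexdigest()


def verify_solution(challenge, complexity, nonce):
    """Server side: one hash to check that the nonce satisfies the pattern."""
    return pow_digest(challenge, nonce).startswith("0" * complexity)


def solve_challenge(challenge, complexity, max_iterations=10_000_000):
    """Client side: search nonces until the digest matches. Expected work is
    about 16**complexity hashes, so each extra level costs roughly 16x."""
    for nonce in range(max_iterations):
        if verify_solution(challenge, complexity, nonce):
            return nonce
    raise RuntimeError("no solution within iteration budget")


def grant_session(outstanding, challenge, complexity, nonce):
    """Server side: issue a token only for a known, unused challenge whose
    nonce verifies; the challenge is consumed so it cannot be replayed."""
    if outstanding.get(challenge) != complexity:
        return None
    if not verify_solution(challenge, complexity, nonce):
        return None
    del outstanding[challenge]
    return secrets.token_urlsafe(24)


def demo(complexity=3):
    """Walk through one exchange: issue, solve, redeem, then attempt a replay."""
    outstanding = {}
    c = issue_challenge(complexity)
    outstanding[c["challenge"]] = c["complexity"]
    nonce = solve_challenge(c["challenge"], c["complexity"])
    token = grant_session(outstanding, c["challenge"], c["complexity"], nonce)
    replay = grant_session(outstanding, c["challenge"], c["complexity"], nonce)
    return {"nonce": nonce, "token": token, "replay": replay}


if __name__ == "__main__":
    result = demo()
    print("nonce found:", result["nonce"])
    print("token issued:", result["token"] is not None)
    print("replay accepted:", result["replay"] is not None)
```

The server does one hash per verification while the client does thousands, which is what makes the gate cheap to operate and expensive to probe in bulk. For a sandbox or emulator, the practical consequence is that the commands behind the gate are only observable if the analysis harness implements the same solving step; a plain HTTP probe of the endpoints sees only the challenge.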

Furthermore, the malware sends the system’s hardware UUID, hashed with MD5, to the C2, creating a recognizable per-device fingerprint in its traffic that defenders can actively monitor and analyze.

The post DigitStealer Gains Attention as macOS-Targeting Infostealer Exposes Key Infrastructure Weaknesses appeared first on Cyber Security News.

Source: cybersecuritynews.com
