Hackers Exploiting PyInstaller to Deploy Undetectable macOS Infostealer

Cybersecurity experts have recently uncovered a new breed of information-stealing malware that leverages legitimate development tools to evade detection.

The malware, discovered in April 2025, represents a sophisticated advancement in tactics used by threat actors targeting Apple systems, as it successfully remained undetected on popular scanning platforms for months.

The attackers are employing PyInstaller, an open-source utility designed to package Python applications into standalone executables, to bundle malicious code into seemingly innocent Mach-O binaries.

This method is particularly effective since macOS 12.3 removed system-installed Python, making PyInstaller a valuable tool for legitimate developers and malicious actors alike who need their Python-based applications to run seamlessly across different macOS environments without dependencies.

Jamf Threat Labs researchers identified multiple fully undetected infostealer samples on VirusTotal, with the earliest submission dating back to January 2025.

According to the security team’s analysis, this marks the first documented case of PyInstaller being used specifically for deploying infostealers on macOS systems.


The technique allows attackers to execute sophisticated Python-based payloads on target machines without requiring a native Python installation.

The uncovered malware exhibits classic infostealer behavior but with enhanced stealth capabilities.

Upon execution, it creates an AppleScript dialog to harvest user credentials, manipulates system settings, and establishes communication with command-and-control servers.

What makes this threat particularly dangerous is its ability to extract saved credentials directly from the macOS Keychain while simultaneously targeting cryptocurrency wallets for financial theft.

When examining the FAT binary architecture of these malicious files, researchers found an interesting detail: the arm64 slice of the Mach-O file significantly outweighs the Intel slice (8MB versus 70KB), with the PyInstaller archive embedded near the end of the arm64 portion.

This structure ensures the malware can execute properly across different Mac processor architectures while maintaining its deceptive nature.
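To show what the slice imbalance and embedded archive look like to an analyst, here is an added example (not code from the Jamf write-up) that parses the FAT header of a universal Mach-O, reports each slice's size, and searches each slice for PyInstaller's CArchive trailer magic. The input is a constructed FAT file assembled by `build_sample()`; its slice sizes are illustrative rather than the real sample's 8MB/70KB, the slices are not page-aligned as a real linker would emit them, and the 20:1 size-ratio threshold is an arbitrary triage choice.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # universal (FAT) header magic, big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Magic that opens PyInstaller's CArchive trailer (defined in PyInstaller's own
# sources); in a onefile build it sits near the end of the executable.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def parse_fat(data: bytes) -> list[dict]:
    """Walk the fat_arch table and describe every slice, noting where (if at
    all) the PyInstaller magic appears inside it."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a FAT Mach-O")
    slices = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        body = data[offset:offset + size]
        slices.append({
            "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "offset": offset,
            "size": size,
            "pyi_magic_at": body.find(PYI_MAGIC),   # -1 when absent
        })
    return slices


def assess(data: bytes, ratio_threshold: float = 20.0) -> dict:
    """Flag a FAT binary whose slices are wildly unequal in size and whose
    large slice carries a PyInstaller archive (the pattern described above)."""
    slices = parse_fat(data)
    largest = max(slices, key=lambda s: s["size"])
    smallest = min(slices, key=lambda s: s["size"])
    ratio = largest["size"] / max(smallest["size"], 1)
    pyi = [s["arch"] for s in slices if s["pyi_magic_at"] >= 0]
    return {
        "slices": slices,
        "size_ratio": ratio,
        "lopsided": ratio >= ratio_threshold,
        "pyinstaller_slices": pyi,
        "suspicious": bool(pyi) and ratio >= ratio_threshold,
    }


def build_sample() -> bytes:
    """Constructed fixture: a tiny x86_64 slice and a much larger arm64 slice
    whose tail carries a PyInstaller-style trailer magic."""
    x86 = b"\xcf\xfa\xed\xfe" + b"\x00" * 60                               # 64 bytes
    arm = b"\xcf\xfa\xed\xfe" + b"\x00" * 4000 + PYI_MAGIC + b"\x00" * 16  # ~4 KB
    header = struct.pack(">II", FAT_MAGIC, 2)
    off_x86 = 8 + 20 * 2                      # table of two fat_arch entries
    off_arm = off_x86 + len(x86)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, off_x86, len(x86), 0)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off_arm, len(arm), 0)
    return header + x86 + arm


if __name__ == "__main__":
    for s in assess(build_sample())["slices"]:
        print(f"{s['arch']:7} size={s['size']:6} pyi_magic_at={s['pyi_magic_at']}")
```

On a real file, replace `build_sample()` with the bytes read from disk; a lopsided slice pair alone is not malicious (many developers only ship a full arm64 build), so the finding is a reason to unpack the slice with Pyinstxtractor, not a verdict.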

Pyinstxtractor unpacking the Mach-O (Source – Jamf)

The technical analysis of the malware reveals sophisticated obfuscation techniques employed to hide its true nature.

PyLingual decompiling the bytecode (Source – Jamf)

When unpacked and decompiled using specialized tools like Pyinstxtractor and PyLingual, researchers discovered multiple layers of protection, including:

```python
# Decoder lambda as recovered from the sample; the name it is assigned to is
# not shown on the page. It takes the encoded payload held in `_`, reverses
# it, base85-decodes it, XORs every byte with 188 and zlib-decompresses it.
= lambda : __import__('zlib').decompress(bytes((x ^ 188 for x in
__import__('base64').b85decode(_[::-1]))))
```

This code snippet demonstrates how the malware authors combined string reversal, base85 encoding, XOR with the single-byte key 188, and zlib compression to conceal the malicious payload.

When reversed, the code reveals the original Python script, including instructions for building the PyInstaller binary, further confirming the attacker’s methodical approach.
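The four layers are easy to peel once named. The following added example (mine, not Jamf's tooling) implements the exact inverse of the recovered lambda as `unwrap_layer`, a matching `wrap_layer` used only to build a test fixture, and `peel`, which keeps unwrapping until the data no longer decodes, so an analyst can tell how many times the same wrapper was stacked. The sample payload is a constructed benign one-liner, not the malware's script.

```python
import base64
import zlib

XOR_KEY = 188  # single-byte key reported for the sample


def unwrap_layer(blob: bytes) -> bytes:
    """Undo one layer exactly as the recovered lambda does: reverse the bytes,
    base85-decode, XOR every byte with 188, then zlib-decompress."""
    decoded = base64.b85decode(blob[::-1])
    return zlib.decompress(bytes(x ^ XOR_KEY for x in decoded))


def wrap_layer(plain: bytes) -> bytes:
    """Inverse of unwrap_layer; used here only to construct test input."""
    compressed = zlib.compress(plain)
    xored = bytes(x ^ XOR_KEY for x in compressed)
    return base64.b85encode(xored)[::-1]


def peel(blob: bytes, max_layers: int = 16) -> tuple[bytes, int]:
    """Strip stacked layers until the data is no longer valid base85+zlib.
    Returns the innermost payload and how many layers were removed."""
    layers = 0
    while layers < max_layers:
        try:
            blob = unwrap_layer(blob)
        except (ValueError, zlib.error):   # bad base85 char or not zlib data
            break
        layers += 1
    return blob, layers


if __name__ == "__main__":
    # Constructed benign payload standing in for the decoded script.
    sample = b'print("hello from the peeled script")'
    stacked = wrap_layer(wrap_layer(sample))
    inner, n = peel(stacked)
    print(n, "layers removed ->", inner.decode())
```

The important habit this encodes is the last line of the article's own workflow: feed the peeled bytes to `print`, never to `exec`.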

Dynamic analysis through tools like Mac Monitor exposed the malware’s behavior without obvious signs of Python execution.

Instead, environment variables like _PYI_APPLICATION_HOME_DIR, _PYI_ARCHIVE_FILE, and _PYI_PARENT_PROCESS_LEVEL revealed the PyInstaller framework operating behind the scenes.

During execution, the malware unpacks its bundled Python libraries into a temporary directory that exists only for the lifetime of the process, leaving minimal evidence on the filesystem.
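The environment variables named above are a practical hunting signal in process telemetry. As an added example (not from the article or from Mac Monitor), the code below triages a list of process events for `_PYI_`-prefixed variables and ranks hits by two extra heuristics: the binary is unsigned, and `_PYI_ARCHIVE_FILE` points at the process's own executable, which is how a onefile bundle refers to itself (that equality check is my assumption about PyInstaller's bootloader, not something the article states). The `ProcEvent` shape and the `SAMPLE_EVENTS` records are constructed to resemble what an EDR would emit.

```python
from dataclasses import dataclass, field

# Variables the article reports seeing; anything else starting _PYI_ is also kept.
PYI_ENV_VARS = {"_PYI_APPLICATION_HOME_DIR", "_PYI_ARCHIVE_FILE", "_PYI_PARENT_PROCESS_LEVEL"}


@dataclass
class ProcEvent:
    """Hypothetical process-start record (pid, parent, image path, code-signing
    state and environment) as an EDR might report it."""
    pid: int
    ppid: int
    path: str
    signed: bool
    env: dict = field(default_factory=dict)


def pyinstaller_indicators(ev: ProcEvent) -> dict:
    """Collect PyInstaller-related facts about one process."""
    found = {k: v for k, v in ev.env.items() if k in PYI_ENV_VARS or k.startswith("_PYI_")}
    return {
        "pid": ev.pid,
        "path": ev.path,
        "pyi_vars": sorted(found),
        "archive": found.get("_PYI_ARCHIVE_FILE"),
        # the private temp dir the bundle unpacks into; it vanishes with the
        # process, so it is only observable while the process is alive
        "unpack_dir": found.get("_PYI_APPLICATION_HOME_DIR"),
        "unsigned": not ev.signed,
    }


def triage(events: list[ProcEvent]) -> list[dict]:
    """Return every process carrying _PYI_ variables, highest score first."""
    hits = []
    for ev in events:
        ind = pyinstaller_indicators(ev)
        if not ind["pyi_vars"]:
            continue
        # 1 for any PyInstaller bundle, +1 unsigned, +1 when the archive is
        # the executable itself (onefile bootloader re-launching its payload)
        ind["score"] = 1 + int(ind["unsigned"]) + int(ind["archive"] == ev.path)
        hits.append(ind)
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample telemetry: one browser, one unsigned download, one signed
# in-house PyInstaller tool.
SAMPLE_EVENTS = [
    ProcEvent(101, 1, "/Applications/Safari.app/Contents/MacOS/Safari", True,
              {"HOME": "/Users/alice"}),
    ProcEvent(202, 201, "/Users/alice/Downloads/Installer", False,
              {"_PYI_ARCHIVE_FILE": "/Users/alice/Downloads/Installer",
               "_PYI_APPLICATION_HOME_DIR": "/private/var/folders/xx/T/_MEIexample",
               "_PYI_PARENT_PROCESS_LEVEL": "1"}),
    ProcEvent(303, 1, "/usr/local/bin/devtool", True,
              {"_PYI_ARCHIVE_FILE": "/usr/local/bin/devtool",
               "_PYI_PARENT_PROCESS_LEVEL": "1"}),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h["score"], h["pid"], h["path"], h["pyi_vars"])
```

Legitimate PyInstaller-built tools will score too, so the signed/unsigned distinction and the launch context (a download that immediately raises a password dialog) are what move a hit from inventory to incident.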

When researchers modified the final line of the deobfuscated script to print rather than execute the payload, they uncovered the true functionality: credential harvesting through fake password prompts, execution of remote AppleScript commands, systematic extraction of Keychain contents, and targeted collection of cryptocurrency wallet data – all designed to exfiltrate valuable user information without detection.

As this technique continues to evolve, security professionals recommend heightened vigilance around unsigned Mach-O executables, particularly those triggering unexpected password prompts or unusual system behavior.

Organizations should implement advanced monitoring for PyInstaller-related artifacts and suspicious environment variables that might indicate this increasingly popular attack vector.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.