If you have ever hunted down a free copy of paid Mac software, attackers are counting on it. Researchers at Huntress detail how cybercriminals are disguising data-stealing malware as ordinary macOS apps, then using slick on-screen instructions to walk victims through disabling Apple's own security, in what has become the dominant way infostealers land on Macs.
The myth that Macs are immune to malware is long dead, Huntress notes. In 2025, more than 65 percent of newly reported macOS malware was classified as infostealers, programs built to grab credentials and data. What makes these Mac stealers unusual is that most make no attempt to survive a reboot. They run a pure smash-and-grab: land on the machine, harvest saved passwords, browser cookies, authentication tokens, and cryptocurrency wallets, and ship the whole haul to a command-and-control server before the victim notices. Because the whole job takes seconds, persistence is not worth the effort, so attackers pour their energy into the one step that matters: tricking the user into running the thing.
How the attack works
The infection usually starts in a web browser. Attackers poison search results through SEO manipulation or seed links across torrent sites and cracked-software forums, so a victim downloads what looks like a genuine installer, often a fake of a popular app such as the Arc browser. Mac software typically ships as either a package (.pkg) or a disk image (.dmg). Packages are installed through the macOS Installer and are held to stricter signing and notarization checks, so attackers overwhelmingly favor the simpler .dmg, which is just a mountable container for whatever the attacker puts inside it.
When a victim opens the malicious disk image, they do not see normal app files. Instead they get a polished, branded background graphic with step-by-step instructions on exactly how to get past Gatekeeper, Apple's built-in check that blocks downloaded software that is not signed with a Developer ID certificate and notarized by Apple. The malware does not exploit a vulnerability in macOS; it exploits the person at the keyboard.
The bypass tricks
Huntress describes several variants. The most common embeds a background image telling the user to Control-click (right-click) the app and choose Open, which offers an override that the normal double-click path does not; stealer families using this pattern include AMOS, Poseidon, Odyssey, and MacSync. A twist tells the user to drag the file into Terminal, which pastes the file's full path at the prompt so that pressing Enter launches it under the user's own shell session. Other variants hide the instructions in the filename itself (for example, naming a file "Drag to Terminal") or lean on cracked-software branding such as TNT or CRACKED to convince users that bypassing notarization is normal. As Apple has tightened Gatekeeper, attackers have simply rewritten their instructions to match; macOS Sequoia, for example, removed the Control-click shortcut and moved the override to System Settings > Privacy & Security.
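The two most common lures above leave a distinctive trace in process telemetry: something is executed directly from a mounted disk image, either by a shell (drag-to-Terminal) or while still carrying its download quarantine attribute (right-click Open). The detector below is an added example written for this briefing, not Huntress's detection logic. It runs over a few constructed process-start events in an assumed EDR-style JSON layout (the field names ts, parent, process, args and quarantined are assumptions), and it generalizes beyond the specific filenames on this page by matching the lure wording as a pattern rather than a fixed string.

```python
"""Flag user-driven Gatekeeper bypasses in macOS process telemetry.

Added example, not Huntress's detection logic. It assumes an EDR-style feed of
JSON process-start events with these fields (all assumed): ts, parent (parent
process name), process (executable path), args (argv), and quarantined (True
when the executed file still carries the com.apple.quarantine attribute).
"""
import json
import os
import re

# Constructed sample telemetry. Events 1 and 2 mimic the drag-to-Terminal and
# right-click-Open tricks; events 3 and 4 are benign controls.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T10:02:11Z", "parent": "zsh", "process": "/bin/bash",
     "args": ["/bin/bash", "/Volumes/Arc Installer/Drag to Terminal"],
     "quarantined": True},
    {"ts": "2025-06-01T10:03:40Z", "parent": "launchd",
     "process": "/Volumes/Arc/Arc.app/Contents/MacOS/Arc",
     "args": ["/Volumes/Arc/Arc.app/Contents/MacOS/Arc"],
     "quarantined": True},
    {"ts": "2025-06-01T10:05:02Z", "parent": "zsh", "process": "/bin/bash",
     "args": ["/bin/bash", "/Users/dev/proj/build.sh"],
     "quarantined": False},
    {"ts": "2025-06-01T10:06:30Z", "parent": "launchd",
     "process": "/Applications/Arc.app/Contents/MacOS/Arc",
     "args": ["/Applications/Arc.app/Contents/MacOS/Arc"],
     "quarantined": False},
]

MOUNTED_VOLUME = re.compile(r"^/Volumes/[^/]+/")   # where a .dmg gets mounted
SHELLS = {"bash", "zsh", "sh", "Terminal"}
INTERPRETERS = {"bash", "zsh", "sh", "osascript"}
# Phrases the lures put into file or volume names (the variants listed above).
LURE_WORDS = re.compile(
    r"drag\s*(?:to|into)\s*terminal|right[\s-]*click|\bcracked\b|\btnt\b", re.I)


def executed_path(event):
    """Path of what actually ran: the script for an interpreter, else the image."""
    args = event.get("args", [])
    if os.path.basename(event["process"]) in INTERPRETERS and len(args) > 1:
        return args[1]
    return event["process"]


def classify(event):
    """Return the list of reasons this event looks like a Gatekeeper bypass."""
    target = executed_path(event)
    reasons = []
    # Drag-to-Terminal: a shell ran something straight off a mounted image.
    # Installed software lives in /Applications, not in /Volumes/<image>/.
    if event.get("parent") in SHELLS and MOUNTED_VOLUME.match(target):
        reasons.append("shell executed a file from a mounted volume")
    # The lure text is baked into the file or volume name.
    if LURE_WORDS.search(target):
        reasons.append("lure wording in file or volume name")
    # A still-quarantined (freshly downloaded) executable launched in place
    # from the image, which is what a right-click Open override looks like.
    if event.get("quarantined") and MOUNTED_VOLUME.match(target):
        reasons.append("quarantined executable run from a mounted volume")
    return reasons


def scan(events):
    """Return (ts, target, reasons) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], executed_path(ev), reasons))
    return hits


def scan_jsonl(text):
    """scan() over newline-delimited JSON, the shape an EDR export usually has."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for ts, target, reasons in scan(SAMPLE_EVENTS):
        print(ts, target, "->", "; ".join(reasons))
```

The mounted-volume rule treats everything under /Volumes/ alike, which also covers external disks and network shares; in a real deployment, allow-list known mounts or require the quarantine flag before alerting, and tune the lure regex as new wording appears.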
What you should do
Only install Mac software from official vendor sites or the App Store, and treat free or cracked versions of paid apps as hostile. Be deeply suspicious of any download that instructs you to right-click to open, paste a path into Terminal, click Open Anyway in System Settings, or otherwise work around a macOS security warning: software from a legitimate vendor is signed and notarized and opens without any of that. If in doubt, check a download before opening it rather than after. Read the original Huntress analysis for detection guidance.
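Before opening a download, a practitioner can ask Gatekeeper directly. The script below is an added example for this briefing, not part of the Huntress analysis. It wraps Apple's own `xattr` and `spctl` tools, parses their output, and refuses anything Gatekeeper rejects, which is exactly the verdict the lures are trying to get the user to click past. The sample tool outputs embedded in it are constructed so the parsing can be exercised on any machine; the app paths, developer name and team identifier in them are invented.

```python
"""Pre-install check for a downloaded macOS app: what Gatekeeper says about it
and where it came from.

Added example, not from the Huntress report. It runs Apple's tools
(`xattr -p com.apple.quarantine` and `spctl -a -vv -t exec`) and parses their
output. The sample outputs below are constructed; the paths, developer name
and team ID are invented so the parser can be exercised off a Mac.
"""
import re
import subprocess
import sys

# Constructed samples of what the two tools print.
SAMPLE_QUARANTINE = "0083;6650c3b4;Safari;0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"
SAMPLE_SPCTL_ACCEPTED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
SAMPLE_SPCTL_REJECTED = (
    "/Volumes/Example/Example.app: rejected\n"
    "source=no usable signature\n")


def parse_quarantine(value):
    """com.apple.quarantine is 'flags;unix-time-hex;agent;uuid'.

    The agent field names the app that downloaded the file (Safari, curl...),
    which is worth a look when the download route was supposed to be a browser.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        return None
    return {"flags": int(parts[0], 16), "time": int(parts[1], 16),
            "agent": parts[2], "uuid": parts[3] if len(parts) > 3 else ""}


def parse_spctl(output):
    """Return (accepted, source) from `spctl -a -vv` output.

    The first line ends in 'accepted' or 'rejected'; 'source=' explains why,
    e.g. 'Notarized Developer ID' versus 'no usable signature'.
    """
    verdict = re.search(r"^.*?: (accepted|rejected)", output, re.M)
    source = re.search(r"^source=(.+)$", output, re.M)
    return (verdict is not None and verdict.group(1) == "accepted",
            source.group(1).strip() if source else "unknown")


def decide(quarantine_value, spctl_output):
    """('ok' | 'stop', explanation) for a downloaded app."""
    accepted, source = parse_spctl(spctl_output)
    q = parse_quarantine(quarantine_value) if quarantine_value else None
    if q is None:
        # Gatekeeper only assesses quarantined files, so a download that has
        # lost the attribute will open with no check at all.
        origin = "no quarantine attribute, so Gatekeeper will not assess it when opened"
    else:
        origin = f"downloaded by {q['agent']}"
    if not accepted:
        return "stop", (f"{origin}; Gatekeeper rejects it ({source}); "
                        "do not follow any instruction to open it anyway")
    return "ok", f"{origin}; Gatekeeper accepts it ({source})"


def run(cmd):
    """Run a tool and merge stderr into the result (spctl reports on stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check(path):
    """Live check on macOS. Use '-t install' instead of '-t exec' for a .pkg."""
    rc, qv = run(["xattr", "-p", "com.apple.quarantine", path])
    _, sp = run(["spctl", "-a", "-vv", "-t", "exec", path])
    return decide(qv if rc == 0 else None, sp)


if __name__ == "__main__":
    if sys.platform == "darwin" and len(sys.argv) == 2:
        verdict, why = check(sys.argv[1])
        print(f"{verdict.upper()}: {why}")
    else:
        print("usage (macOS): python3 check_app.py /Volumes/Image/App.app")
        print("sample verdict:", decide(SAMPLE_QUARANTINE, SAMPLE_SPCTL_REJECTED))
```

Run it against the .app inside the mounted image before copying anything to /Applications. A "stop" verdict paired with a background image telling you how to open the app anyway is the whole attack in one screenshot.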
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.