Evolving macOS Infostealers & Exploits
Key Questions
What techniques are SHub Reaper and AMOS infostealers using on macOS?
These campaigns abuse AppleScript, employ brand impersonation, and use advanced persistence methods to evade recent Apple protections. They focus on stealing credentials and data across platforms while avoiding behavioral detection.
How are older Apple devices still at risk despite recent updates?
Leaked exploit kits such as 'Coruna' and 'DarkSword' continue targeting devices on outdated iOS versions, even after iOS 26 sealed off many spyware vectors. Russian and Chinese operators are actively probing these older systems.
What macOS vulnerability allowed rogue apps to access sensitive data?
A now-patched flaw enabled malicious apps to reach chat and browser data on macOS. Researchers at Mysk disclosed the issue, which has since been addressed by Apple.
Why is Microsoft’s legacy MSHTA tool still relevant to malware?
Despite Internet Explorer's retirement, mshta.exe remains widely abused in malware campaigns to execute malicious scripts. It continues to appear in attacks against Windows hosts and in cross-platform campaigns.
What detection improvements are needed against evolving infostealers?
Behavioral detection is increasingly required as attackers shift toward AppleScript abuse and brand impersonation tactics. Cross-platform theft campaigns are expanding, demanding more proactive monitoring beyond traditional signatures.
SHub Reaper and AMOS infostealers abuse AppleScript and persistence mechanisms; CVE-2026-28910 is a sandbox bypass, with a proof of concept, that exposes chat and browser data; the Coruna and DarkSword exploit kits target legacy iOS.