Jamf Threat Labs has identified a novel macOS infostealer that exploits PyInstaller, a legitimate open-source tool used to bundle Python scripts into standalone Mach-O executables.
This marks the first documented instance of PyInstaller being weaponized to deploy infostealers on macOS, highlighting a sophisticated evolution in the tactics of cybercriminals targeting Apple’s ecosystem.
Discovered in April 2025, with samples dating back to January 2025 on VirusTotal, these malicious executables bypass traditional detection mechanisms by leveraging the seamless execution capabilities of PyInstaller, which allows operation without a native Python installation-especially critical since Apple removed system Python in macOS 12.3 and later.
.png
)
New Threat Uncovered by Jamf Threat Labs
The primary sample, dubbed ‘stl’, is a Mach-O universal binary supporting both x86_64 and arm64 architectures, confirmed via static analysis with tools like codesign (revealing ad-hoc signing) and file.
Its PyInstaller roots are evident through specific strings like ‘_MEIPASS’ found using strings and grep, indicating an embedded archive extracted at runtime into a temporary ‘_MEIxxxxxx’ directory.
This directory houses Python bytecode (.pyc files), libraries, and shared dependencies, orchestrated by PyInstaller’s bootloader to execute malicious logic.
Dynamic analysis, aided by tools such as Red Canary Mac Monitor, exposed nefarious behaviors including AppleScript dialogs coercing user passwords, system volume muting, and data exfiltration to domains like grand-flash[.]com/connect.
Environment variables like ‘_PYI_APPLICATION_HOME_DIR’ further confirmed PyInstaller’s runtime extraction process.
Decompiling with tools like Pyinstxtractor and PyLingual unveiled obfuscated Python code employing string reversal, base85 encoding, XOR encryption, and zlib compression, hiding functions such as GetPasswordModal(), DumpKeychain(), and CollectCryptowallets()-all designed to harvest credentials and cryptocurrency assets.
Technical Dissection of the Malware’s Operations
The ingenuity of this attack lies in the structural manipulation of the FAT binary, where the PyInstaller archive resides solely in the arm64 slice (8MB) while the Intel slice (70KB) lacks it, rendering the latter non-functional without the full binary.
This stealth, combined with temporary file extraction and deletion during execution, complicates detection.
Jamf’s analysis underscores a growing trend of infostealers on macOS, as attackers continuously innovate to evade security.
By exploiting PyInstaller, they not only ensure cross-architecture compatibility but also reduce dependency on system resources, amplifying the threat’s reach and persistence.
As macOS becomes an increasingly lucrative target, such techniques signal a need for advanced endpoint monitoring and updated detection signatures to combat these obfuscated payloads.
Indicators of Compromise (IOCs)
| Filename | SHA1 Hash | Contacted Domains |
|---|---|---|
| stl | 35ce8d5817ab7a7c5be33ea03c3234181286fd61 | hxxps://grand-flash[.]com/connect, hxxp://vapotrust[.]com/mac/stl |
| stl-deobf.py | cd2ef119c9120ea56548f5cf0a3ff7d6ffc7613a | – |
| installer | 878dcf854287e1dae3d5a55279df87eb6bdf96b3 | hxxps://grand-flash[.]com/connect |
| sosorry | 90d33f249573652106a2b9b3466323c436da9403 | hxxp://138[.]68[.]93[.]230/connect, hxxp://138[.]68[.]93[.]230/Ledger-Live.dmg |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
