By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SentinelOnePublished October 17, 2025

TL;DR: macOS infostealers including KeySteal, Atomic InfoStealer and CherryPie continue to evade static signatures and some VirusTotal detections, while using anti-analysis checks, persistence and stolen Keychain access to stay active, according to SentinelOne. Signature-only defence is now an incomplete control for endpoints that store credentials and session material.


At a glance

What this is: SentinelOne reports that active macOS infostealers are still evading static signatures while using persistence, anti-analysis checks and Keychain theft to retain access.

Why it matters: This matters because macOS endpoints often hold credentials, tokens and browser sessions, so weak detection and delayed response can expose both human and non-human identity assets.

By the numbers:

👉 Read SentinelOne's analysis of active macOS infostealers and evasion tactics


Context

macOS infostealers are a detection and governance problem, not just a malware family problem. When endpoint controls depend too heavily on static signatures, attackers can keep stealing browser data, Keychain material and session artefacts even after defensive updates land. For identity programmes, that creates a direct path from endpoint compromise to account takeover, token replay and downstream access abuse.

The identity angle is real here because stolen local credentials often become the bridge into IAM, SaaS and NHI-adjacent systems. Once an attacker has a user’s browser-stored secrets, device trust and credential lifecycles become the next control layer, not the endpoint alone. That is typical of modern stealer-driven intrusion chains, not an edge case.


Key questions

Q: What breaks when macOS infostealers evade static signature detection?

A: Static detection fails when the malware family changes packaging, code paths or signatures faster than defenders can update rules. The practical failure is that the host remains trusted long enough for attackers to steal Keychain data, browser secrets and other credentials before containment starts. Behavioural telemetry and response depth become essential.

Q: Why do macOS infostealers create identity risk beyond the endpoint?

A: Because the stolen material is often reusable identity material, not just local files. Browser sessions, tokens and saved passwords can unlock SaaS, cloud and admin access, turning a workstation compromise into account compromise. That is why identity lifecycle and session control must be part of endpoint response.

Q: How do security teams know if macOS stealer defences are actually working?

A: They should look for reduced dwell time, faster isolation of suspicious hosts and fewer successful credential reuses after an endpoint alert. If an infected device still leads to valid cloud logins, the controls are not limiting blast radius. Metrics should track both detection quality and identity fallout.

Q: Who is accountable when stolen macOS credentials are reused elsewhere?

A: Accountability usually spans endpoint security, identity governance and the application owners who trust the exposed credentials. If a user laptop can produce valid tokens for cloud systems, then control owners must jointly manage revocation, reauthentication and access scope. NIST CSF and access-control governance are both relevant.


Technical breakdown

Static signature detection vs malware variants on macOS

Static signatures match known byte patterns, hashes or simple rules. They work best against stable malware, but infostealers such as KeySteal and Atomic are being rebuilt, repackaged and renamed so the same family no longer looks identical on disk. That breaks a common assumption in endpoint defence: that one detection update closes the problem. On macOS, signed bundles, ad hoc signatures and renamed binaries can all reduce the visibility of signature-only controls. Practical hunting therefore needs behaviour, not just known-bad indicators.

Practical implication: add behaviour-based detections and threat hunting around suspicious macOS binary execution, not just signature feeds.

Keychain theft and credential harvesting on Apple endpoints

macOS Keychain is a high-value store because it can hold passwords, tokens and application secrets in a form usable by the logged-in user and by malware running in that context. Infostealers target it because one local compromise can yield multiple downstream identities, including cloud sessions and service credentials. If the attacker also collects browser data, the breach can extend beyond a single app into federated login flows, saved secrets and session replay. That turns an endpoint compromise into identity compromise with a much larger blast radius.

Practical implication: treat macOS credential stores as part of the identity attack surface and monitor for post-exfiltration account abuse.

Persistence, anti-analysis and why analysts still miss active samples

Persistence on macOS often uses LaunchAgents or LaunchDaemons so malware survives reboots and starts with user or system context. Anti-analysis features such as virtual machine checks, terminal blocking and low-noise execution are designed to slow sandboxing and manual review. That matters because detection lag gives the attacker time to collect credentials and maintain footholds before defenders can isolate the host. If samples are distributed through disguised installers, signed bundles or repackaged apps, user trust also becomes part of the attack path.

Practical implication: validate macOS persistence locations and anti-analysis indicators in incident response playbooks and hunt rules.


Threat narrative

Attacker objective: The attacker wants durable access to credentials, sessions and downstream identity systems that can be reused after the initial macOS compromise.

  1. Entry occurs when the victim runs a disguised macOS installer or bundled application that delivers the stealer payload.
  2. Credential access follows as the malware pulls Keychain material, browser data and other stored secrets from the endpoint.
  3. Persistence and escalation are reinforced through LaunchAgents or LaunchDaemons, letting the malware survive reboots and continue harvesting.
  4. Impact is account compromise, session reuse and follow-on access into cloud and SaaS environments that trust the stolen credentials.

NHI Mgmt Group analysis

Signature-only endpoint defence is no longer a defensible assumption for macOS identity risk. These stealer families show how quickly malware authors can move around static rules while keeping the same underlying objective: credential theft. The problem is not just malware churn, it is that endpoint compromise now feeds directly into identity abuse. Practitioners should treat detection depth as part of identity governance, not only endpoint operations.

Credential theft on macOS is an NHI governance issue as much as a user compromise issue. Browser secrets, session cookies and locally stored tokens often bridge from a human workstation into SaaS and cloud workloads, including service accounts and automation flows. That means one infected laptop can become the origin point for NHI misuse if secrets are reused or poorly scoped. The practitioner conclusion is simple: credential custody and device custody need to be governed together.

Persistence mechanisms matter because they extend the credential exposure window. LaunchAgents and LaunchDaemons convert a one-time infection into repeated opportunities for harvesting and replay. That widens the time available for attackers to move from local access to cloud access. Teams should think in terms of dwell-time reduction and blast-radius control, not just malware removal.

macOS threat hunting should be organised around behaviour clusters, not family names. The article shows a common pattern across distinct stealer variants: disguised packaging, anti-analysis checks, persistence, and hardcoded infrastructure. Family-specific signatures will always lag if the actor can swap code paths and packaging. Practitioners should build detections around the common mechanism, because the mechanism is what survives the rebrand.

Named concept, credential-to-session spillover: this is the point where stolen local secrets become active identity material in cloud and SaaS environments. Once that spillover happens, the victim’s endpoint is no longer the main problem, the account and its access scope are. Teams should prioritise controls that break the chain between endpoint theft and reusable identity artefacts.

What this signals

Credential-to-session spillover is the operational problem teams should prepare for. Once a stealer extracts browser or Keychain material, the next control point is not malware cleanup alone, it is revocation, reauthentication and access scoping across SaaS and cloud services. Teams that have not connected endpoint incident response to identity workflows will continue to see compromise propagate beyond the laptop.

macOS defenders should expect more samples that trade signature stability for behavioural stealth. That means hunt coverage, EDR tuning and credential monitoring need to be designed as a single programme, with clear escalation paths into IAM and PAM when session material is exposed. The practical outcome is lower dwell time and fewer reusable secrets left in circulation.


For practitioners

  • Harden macOS telemetry around credential stores Instrument access to Keychain, browser profile stores and suspicious AppleScript execution so investigations can tie local activity to credential access. Correlate those signals with outbound connections to identify when a host is being used to harvest secrets rather than simply running an unwanted app.
  • Hunt persistence in LaunchAgents and LaunchDaemons Baseline the normal contents of /Library/LaunchDaemons and ~/Library/LaunchAgents, then alert on unexpected plist creation, renamed binaries and ad hoc signed executables. These locations are frequently used to keep stealer payloads resident after reboot.
  • Move beyond static signatures on macOS Add behaviour-based controls for VM detection, terminal blocking, Gatekeeper tampering and low-reputation binaries in addition to XProtect and AV signatures. Build detections that trigger when malware attempts to evade sandboxing or execute with suspicious installer patterns.
  • Contain identity fallout after endpoint compromise Reset exposed browser sessions, revoke active tokens and rotate credentials that may have been stored locally on the affected device. Prioritise accounts with access to cloud consoles, SaaS admin panels and automation tooling because those are the most likely reuse targets.

Key takeaways

  • macOS infostealers are bypassing static detection because the malware changes faster than signature updates can keep up.
  • The main security impact is identity abuse, since stolen Keychain data and browser secrets can be reused across cloud and SaaS systems.
  • Teams need behaviour-based detection, persistence hunting and identity revocation workflows to shrink the attacker's usable window.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0003 , Persistence; TA0005 Defense EvasionThe article centres on credential theft, persistence and evasion by macOS stealer families.
NIST CSF 2.0DE.CM-7Continuous monitoring is needed because signature-only controls are missing active samples.
NIST SP 800-53 Rev 5SI-4System monitoring supports detection of malicious code, suspicious persistence and exfiltration behaviour.
CIS Controls v8CIS-8 , Audit Log ManagementAudit and telemetry are required to spot credential theft and post-exploitation activity.
OWASP Non-Human Identity Top 10NHI-03Stolen secrets often feed non-human identity abuse through reused tokens and credentials.

Review NHI secret handling so endpoint theft cannot easily expose reusable machine credentials.


Key terms

  • macOS infostealer: A macOS infostealer is malware designed to extract credentials, session data and other valuable secrets from Apple endpoints. It typically targets browser stores, Keychain material and application data so the attacker can reuse identities beyond the infected device.
  • Keychain: Keychain is macOS's credential storage system for passwords, tokens and certificates. In a compromise, it becomes high-value identity material because malware running in the user's context may access secrets that can be replayed into cloud, SaaS or administrative systems.
  • LaunchAgent: A LaunchAgent is a macOS persistence mechanism that runs user-level tasks automatically at login or during a session. Attackers abuse it to keep malware resident, restart payloads after reboot and extend the time available for credential harvesting.
  • Ad hoc code signature: An ad hoc code signature is a basic macOS signing format that does not provide the trust benefits of a proper developer certificate. Malware authors use it to make binaries appear more legitimate while still evading weak controls that rely on simple trust cues.

What's in the full article

SentinelOne's full post covers the operational detail this post intentionally leaves for the source:

  • Indicators of compromise for KeySteal, Atomic InfoStealer and CherryPie that threat hunters can operationalise.
  • Sample naming, hash data and C2 detail for each stealer family.
  • AppleScript, Gatekeeper and LaunchAgent artefacts that help defenders build macOS detection logic.
  • Per-family behavioural notes that support incident response and malware triage.

👉 The full SentinelOne post covers malware artefacts, indicators of compromise and macOS-specific detection detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security and secrets management for practitioners building real control over reusable credentials. It helps identity and security teams connect endpoint compromise to access lifecycle decisions across their programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org