VYPR research · Published Jun 11, 2026 · 1 source

Hackers Use Weaponized DMG Files to Target macOS Users With Infostealer Malware

Attackers are weaponizing DMG files to deliver infostealers like AMOS, Poseidon, and Odyssey to macOS users, exploiting social engineering to bypass Gatekeeper protections.

Hackers are using weaponized DMG files to target macOS users with infostealer malware, exploiting the long-standing myth that Apple devices are safe from cyber threats. These attacks rely on fake software installers disguised as legitimate apps, tricking users into handing over access without raising any alarm. The speed of these campaigns has made them one of the most pressing threats to Mac users today.

For decades, many Mac users believed their systems were safe by default. That assumption no longer holds. In 2025, over 65% of newly reported macOS malware was classified as infostealers, a sign that attackers now treat Apple environments as high-value targets. Credentials, browser cookies, authentication tokens, and crypto wallets are all fair game.

What sets these infostealers apart is how fast they move. They skip persistence entirely and do not plant themselves on the machine to survive a reboot. Instead, they run a smash-and-grab, pulling sensitive data and sending it off to a remote server before the victim notices. Analysts at Huntress, in a report shared with Cyber Security News, said they identified this pattern and that attackers have shifted their focus almost entirely to social engineering at the moment of installation.

Because the malware does not need to linger, the real battleground is that first installation step. Attackers invest heavily in making fake installers look exactly like the real thing, complete with branded graphics and instructions guiding victims to bypass Apple's built-in protections. The infection chain typically starts in a web browser, where users land on poisoned search results or piracy forums. One wrong click is all it takes.

The choice of DMG as a delivery format is deliberate. Compared to package (.pkg) files, disk images require less formal signing and attract far less scrutiny from macOS security checks. When a user double-clicks a DMG, macOS mounts it as a virtual drive at /Volumes, keeping its contents isolated. That isolation means very little once the attacker has the user's cooperation.

A legitimate DMG shows a familiar drag-to-Applications prompt. A malicious one looks identical but includes instructions on how to override Gatekeeper, Apple's tool for verifying trusted software. Those instructions are embedded in the background image of the folder window, where they are easy to overlook as suspicious. This technique is used by infostealer families including AMOS, Poseidon, Odyssey, and MacSync.

Attackers have also found variations on this approach. In some cases, bypass instructions are encoded directly into the filename itself, such as naming the file "Drag to Terminal". Piracy sites distribute software labeled "cracked," pre-conditioning users to treat all security warnings as normal.

Most endpoint tools wait for malware to execute before flagging anything. By that point, the theft is already done and stolen data is leaving the machine. Catching the attack before the user clicks past the installer is what makes the difference. Detection at the mount stage involves monitoring virtual disk images in /Volumes, scanning for hidden .background directories, and reading text from installer graphics using optical character recognition. Fuzzy matching also catches intentional misspellings attackers use to evade keyword filters.
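The mount-stage checks described above, as an added illustration that is not code from the article or from Huntress: it scores a mounted image by its hidden .background directory, by bypass instructions encoded in filenames, and by fuzzy matching of instruction phrases in OCR text, tolerating the deliberate misspellings the text mentions. The OCR step itself is assumed to run out of band (the function takes its text as input), the phrase list and the sample layout and OCR output are constructed for this example, and the fake mount point stands in for a volume under /Volumes.

```python
import difflib
import re
import tempfile
from pathlib import Path

# Instruction phrases a legitimate installer never shows (constructed list for this example).
SUSPICIOUS_PHRASES = ("drag to terminal", "open anyway", "bypass gatekeeper")
# Constructed OCR output from a malicious background image, with deliberate
# misspellings ("Termnal", "Gatekeper") of the kind used to slip past exact keyword filters.
SAMPLE_OCR_TEXT = "Step 1: drag to Termnal. Step 2: click Open Anyway if Gatekeper complains."


def fuzzy_hits(text, threshold=0.8):
    """Return the suspicious phrases present in text, tolerating small misspellings
    by sliding a word window over the text and scoring each window with difflib."""
    words = re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()
    hits = []
    for phrase in SUSPICIOUS_PHRASES:
        n = len(phrase.split())
        best = 0.0
        for i in range(max(1, len(words) - n + 1)):
            window = " ".join(words[i:i + n])
            best = max(best, difflib.SequenceMatcher(None, phrase, window).ratio())
        if best >= threshold:
            hits.append(phrase)
    return hits


def inspect_mounted_image(mount_point, ocr_text):
    """Score one mounted disk image. ocr_text is assumed to come from an OCR pass
    (e.g. tesseract, not run here) over the images found under .background."""
    root = Path(mount_point)
    background = root / ".background"
    # Legitimate DMGs ship .background too; it only says where to run OCR. The verdict
    # rests on instruction text found in filenames or in the background image.
    images = sorted(p.name for p in background.iterdir()) if background.is_dir() else []
    name_hits = sorted({h for p in root.iterdir() for h in fuzzy_hits(p.name)})
    text_hits = fuzzy_hits(ocr_text)
    return {"background_images": images, "filename_instructions": name_hits,
            "text_instructions": text_hits, "suspicious": bool(name_hits or text_hits)}


def build_sample_image():
    """Construct a temporary directory laid out like a mounted malicious DMG."""
    root = Path(tempfile.mkdtemp(prefix="fake_dmg_"))
    (root / ".background").mkdir()
    (root / ".background" / "bg.png").touch()
    (root / "Drag to Terminal").touch()  # bypass instruction encoded in the filename
    (root / "Applications").touch()
    return str(root)


if __name__ == "__main__":
    # In production, walk the mount points under /Volumes instead of the sample layout.
    print(inspect_mounted_image(build_sample_image(), SAMPLE_OCR_TEXT))
```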

When a suspicious installer is flagged, the immediate step is to unmount the disk image and stop any associated processes. If the user has already moved forward, the focus shifts to downstream behavior such as Keychain access or privilege escalation. Security awareness is a critical line of defense, since the whole attack depends on a human manually approving something they should not. Users should avoid downloading software from unofficial sources or cracked forums. Any installer asking you to drag a file into Terminal or approve unknown software in System Settings is a red flag worth taking seriously.

Synthesized by Vypr AI