A Python in Disguise: PyInstaller Malware Targets macOS
By Peter Hallen
In May 2025, Jamf Threat Labs revealed a new technique used by attackers to deploy infostealer malware on macOS: leveraging PyInstaller to bundle malicious Python code into Mach-O executables. This marks the first time such a method has been observed in the wild for macOS infostealers, signaling a new chapter in the ongoing arms race between attackers and defenders on Apple platforms.
"Attackers are using PyInstallers to deploy infostealers on macOS. Jamf Threat Labs investigates this newly discovered technique."
— Jamf Threat Labs, May 12, 2025
What is PyInstaller and Why Does It Matter?
PyInstaller is a legitimate open-source tool that allows developers to package Python scripts into standalone binaries. This is especially useful on modern macOS systems, where Apple has removed the system-installed Python interpreter. However, this convenience is now being abused by threat actors to deliver malware that runs seamlessly on both Intel and Apple Silicon Macs—without requiring Python to be installed.
Anatomy of the Attack
Jamf's analysis began with a suspicious Mach-O binary named stl found on VirusTotal. The malware exhibited classic infostealer behaviors, such as:
- Prompting users for their password via deceptive AppleScript dialogs
- Resetting AppleEvents permissions
- Executing AppleScript payloads
- Communicating with suspicious remote domains
Static analysis revealed that the binary was ad-hoc signed and contained clear indicators of PyInstaller packaging. When run, the Mach-O executable unpacks its bundled Python bytecode and libraries into a temporary directory, then launches the embedded Python interpreter to execute the malicious logic.
Dynamic Analysis and Payload Extraction
Upon execution, the malware unpacks its payload into a temporary directory and begins its data collection activities. Notably, the malware:
- Attempts to harvest user credentials via fake password prompts
- Executes arbitrary AppleScript from attacker-controlled servers
- Dumps credentials from the macOS Keychain
- Searches for and exfiltrates cryptocurrency wallet keys
To analyze the malware further, Jamf used open-source tools like Pyinstxtractor and PyLingual to extract and decompile the embedded Python bytecode. The code was heavily obfuscated using string reversal, base85 encoding, XOR encryption, and zlib compression, but ultimately revealed its true infostealer nature.
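The "PyInstaller artifacts" that static analysis keys on are a fixed cookie and table of contents that PyInstaller appends to every bundled program, and that tools like pyinstxtractor parse before decompilation. The following is an added example, not Jamf Threat Labs' or pyinstxtractor's code: it searches a file for the PyInstaller cookie magic, reads the cookie and the table of contents using PyInstaller's own CArchive struct layouts (version 2.1 and later), and lists every embedded item, including which entries are scripts that the bootloader executes at startup. The sample archive it builds is constructed here so the parser can be run without a real binary; the file name stl and the Python 3.11 library name inside it are illustrative.

```python
"""Locate an embedded PyInstaller CArchive in a file and list its contents.

Added example (not Jamf Threat Labs' or pyinstxtractor's code). The cookie
magic and the cookie/TOC struct formats follow PyInstaller's CArchive layout
(PyInstaller >= 2.1); build_sample_archive() is a constructed stand-in for a
packed binary so the parser can be exercised offline.
"""
import struct
import sys
from dataclasses import dataclass, field

PYINST_MAGIC = b"MEI\014\013\012\013\016"        # 8-byte cookie magic
COOKIE_FMT = "!8sIIII64s"    # magic, pkg_len, toc_off, toc_len, pyvers, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)         # 88 bytes
TOC_ENTRY_FMT = "!iIIIBc"    # entry_len, position, compressed_len, uncompressed_len, cflag, typecode
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)   # 18 bytes, followed by a NUL-padded name

TYPE_CODES = {"s": "script (executed at startup)", "z": "PYZ archive", "b": "binary",
              "x": "data", "m": "module", "M": "package", "o": "runtime option", "d": "dependency"}


@dataclass
class TocEntry:
    name: str
    position: int            # offset relative to the archive start
    compressed_len: int
    uncompressed_len: int
    compressed: bool
    type_code: str


@dataclass
class PyInstallerReport:
    archive_offset: int
    python_version: str
    python_lib: str
    entries: list = field(default_factory=list)

    def scripts(self):
        """Names of 's' entries: the Python scripts the bootloader runs, i.e. the real entry point."""
        return [e.name for e in self.entries if e.type_code == "s"]


def parse_pyinstaller_archive(data: bytes):
    """Return a PyInstallerReport if data carries a PyInstaller archive, else None."""
    cookie_pos = data.rfind(PYINST_MAGIC)        # the cookie is the last thing in the archive
    if cookie_pos < 0 or cookie_pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_LEN])
    archive_off = cookie_pos + COOKIE_LEN - pkg_len   # independent of where in the file the archive sits
    if archive_off < 0 or archive_off + toc_off + toc_len > len(data):
        return None                                   # offsets do not fit: truncated or corrupted sample
    # pyvers is major*100+minor for current builds (e.g. 311); very old builds used major*10+minor
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    report = PyInstallerReport(archive_off, f"{major}.{minor}",
                               pylib.rstrip(b"\0").decode("ascii", "replace"))
    pos, end = archive_off + toc_off, archive_off + toc_off + toc_len
    while pos + TOC_ENTRY_LEN <= end:
        entry_len, epos, clen, ulen, cflag, tcode = struct.unpack(
            TOC_ENTRY_FMT, data[pos:pos + TOC_ENTRY_LEN])
        if entry_len < TOC_ENTRY_LEN or pos + entry_len > end:
            break                                     # malformed entry: stop instead of looping forever
        name = data[pos + TOC_ENTRY_LEN:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        report.entries.append(TocEntry(name, epos, clen, ulen, bool(cflag), tcode.decode("ascii")))
        pos += entry_len
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a fake 64-byte Mach-O header followed by a minimal CArchive."""
    items = [("PYZ-00.pyz", b"PYZ\0" + b"\0" * 12, "z"),
             ("stl", b"fake-marshalled-bytecode", "s"),          # the startup script (illustrative name)
             ("libpython3.11.dylib", b"\xcf\xfa\xed\xfe" + b"\0" * 12, "b")]
    payload, toc = b"", b""
    for name, blob, code in items:
        nbytes = name.encode() + b"\0"
        entry_len = TOC_ENTRY_LEN + len(nbytes)
        entry_len += (-entry_len) % 16                # round up to a 16-byte multiple like PyInstaller's writer
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(payload), len(blob), len(blob), 0, code.encode())
        toc += nbytes.ljust(entry_len - TOC_ENTRY_LEN, b"\0")
        payload += blob
    pkg_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(payload), len(toc), 311, b"libpython3.11.dylib")
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\0" * 60    # MH_MAGIC_64 plus padding stands in for the loader
    return fake_macho + payload + toc + cookie


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    rep = parse_pyinstaller_archive(blob)
    if rep is None:
        print("no PyInstaller archive found")
    else:
        print(f"archive @0x{rep.archive_offset:x}, Python {rep.python_version} ({rep.python_lib})")
        for e in rep.entries:
            print(f"  {e.type_code} {TYPE_CODES.get(e.type_code, '?'):28} {e.name}  {e.uncompressed_len} bytes")
        print("startup scripts:", ", ".join(rep.scripts()))
```

Run it with a file path to inspect a real sample, or with no arguments to parse the constructed one. The 's' entries are the place to start when triaging: they name the script the bootloader hands to the embedded interpreter, and their bytecode is what tools like PyLingual decompile. An ad-hoc signed Mach-O that carries this cookie is exactly the artifact combination the analysis above describes.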
Why This Matters
This campaign demonstrates how attackers are adapting to platform changes (like the removal of system Python) and using legitimate tools for malicious purposes. By packaging malware with PyInstaller, they can evade some traditional detection mechanisms and ensure compatibility across macOS architectures.
Defensive Recommendations
- Endpoint Monitoring: Use tools that can detect suspicious process behaviors, such as unexpected AppleScript execution or credential prompts.
- User Awareness: Educate users about the risks of entering passwords into unexpected dialogs.
- Binary Inspection: Check for ad-hoc signed binaries and the presence of PyInstaller artifacts in suspicious files.
- Threat Intelligence: Stay updated on the latest macOS malware trends and indicators of compromise.
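The endpoint-monitoring recommendation can be turned into concrete rules from the behaviours listed earlier: an AppleScript dialog that collects a hidden answer, osascript launched by a process outside the usual system locations, an AppleEvents permission reset, and anything executed from a PyInstaller one-file extraction directory. The following is an added example, not Jamf's detection content: it applies those rules to a constructed set of simplified process-exec events (pid, ppid, executable path, command line). The event shape, the trusted-parent prefix list and the use of tccutil for the permission reset are assumptions made for the example.

```python
"""Flag process events that match the infostealer behaviours described above.

Added example (not Jamf's detection content). SAMPLE_EVENTS is a constructed
set of simplified process-exec records; a real deployment would feed EDR or
Endpoint Security events in the same {pid, ppid, path, cmdline} shape.
"""
import re

# AppleScript prompt that hides what the user types: the fake password dialog
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.I)
# assumed command for "resetting AppleEvents permissions" (TCC database reset)
TCC_RESET = re.compile(r"\btccutil\s+reset\s+AppleEvents\b", re.I)
# PyInstaller one-file builds unpack into a _MEI<pid> temp directory
MEI_TEMP = re.compile(r"/_MEI\d+/")
# coarse allowlist of parent locations for osascript; tune for the fleet
TRUSTED_PARENT_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/", "/Applications/")

SAMPLE_EVENTS = [  # constructed sample, not a real capture
    {"pid": 1, "ppid": 0, "path": "/sbin/launchd", "cmdline": "/sbin/launchd"},
    {"pid": 612, "ppid": 1, "path": "/Users/alice/Downloads/stl",
     "cmdline": "/Users/alice/Downloads/stl"},
    {"pid": 614, "ppid": 612, "path": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'"},
    {"pid": 615, "ppid": 612, "path": "/usr/bin/tccutil", "cmdline": "tccutil reset AppleEvents"},
    {"pid": 700, "ppid": 1, "path": "/usr/bin/osascript",
     "cmdline": "osascript /Users/alice/scripts/backup.scpt"},          # benign automation
]


def detect(events):
    """Return a list of findings, one per suspicious process, each with the matched reasons."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        reasons = []
        if MEI_TEMP.search(e["path"]) or MEI_TEMP.search(e["cmdline"]):
            reasons.append("executes from a PyInstaller _MEI extraction directory")
        if e["path"] == "/usr/bin/osascript":
            if HIDDEN_ANSWER.search(e["cmdline"]):
                reasons.append("AppleScript dialog collecting a hidden answer (credential prompt)")
            if parent is not None and not parent["path"].startswith(TRUSTED_PARENT_PREFIXES):
                reasons.append(f"osascript spawned by untrusted parent {parent['path']}")
        if TCC_RESET.search(e["cmdline"]):
            reasons.append("resets AppleEvents TCC permissions")
        if reasons:
            findings.append({"pid": e["pid"], "ppid": e["ppid"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['ppid']}) {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample, the benign osascript run by launchd is not flagged, while the two children of the downloaded binary are: the prompt because of the hidden-answer dialog and its untrusted parent, and the reset because of the command itself. The parent-path check is what ties the individual events back to the dropped executable, which is the pivot an analyst would use to pull the binary for the archive inspection step.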
Conclusion
As macOS becomes a more attractive target, attackers will continue to innovate. The use of PyInstaller to deliver infostealers is a reminder that defenders must remain vigilant and adapt to new techniques as they emerge.
For a detailed technical breakdown, read the full article by Jamf Threat Labs:
https://www.jamf.com/blog/pyinstaller-malware-jamf-threat-labs/?utm_source=tldrinfosec