Attackers are weaponizing macOS Disk Image (DMG) files to deliver infostealer malware at scale, exploiting the persistent myth of Apple platform immunity and relying on social engineering to bypass Gatekeeper protections.
The Shift to Smash-and-Grab Tactics
In 2025, over 65% of newly reported macOS malware was classified as infostealers, signaling that threat actors now treat Apple environments as high-value targets. Credentials, browser cookies, authentication tokens, and cryptocurrency wallets are all at risk.
Unlike traditional malware, modern macOS infostealers skip persistence entirely. They do not install themselves for long-term access or survive a reboot.
Instead, they execute a rapid smash-and-grab, exfiltrating sensitive data to a remote server before the victim realizes anything is amiss. Analysts at Huntress identified this pattern, noting that attackers have shifted focus almost entirely to social engineering the initial installation moment.
Why DMG Files Are the Preferred Vector
The choice of DMG as a delivery format is deliberate. Compared to package (.pkg) files, disk images require less formal signing and attract far less scrutiny from macOS security checks.
When a user double-clicks a DMG, macOS mounts it as a virtual drive at /Volumes. That isolation offers no real protection once the user cooperates with the installer.
Malicious DMG files appear identical to legitimate ones, complete with branded graphics and a familiar drag-to-Applications prompt. The difference is that the background image of the folder window carries instructions for overriding Gatekeeper, Apple’s trusted software verification tool.
This technique is used by infostealer families including AMOS, Poseidon, Odyssey, and MacSync. Attackers have also encoded bypass instructions directly into filenames, such as “Drag to Terminal,” or distributed “cracked” software on piracy sites to pre-condition users into dismissing security warnings.
Detection and Mitigation Strategies
Most endpoint detection tools wait for malware to execute before flagging suspicious activity. By that point, data theft is already underway.
Catching the attack before the user clicks past the installer is critical. Detection at the mount stage involves monitoring virtual disk images in /Volumes, scanning for hidden .background directories, and using optical character recognition to read text from installer graphics. Fuzzy matching also catches intentional misspellings attackers use to evade keyword filters.
When a suspicious installer is flagged, the immediate step is to unmount the disk image and stop any associated processes. If the user has already moved forward, focus shifts to downstream behaviors such as Keychain access or privilege escalation.
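The mount-stage checks described above can be sketched in a short triage script. The following is an added example written for this adaptation, not code from the article, Huntress, or any vendor. It walks a mounted volume, flags a hidden .background directory, lists the images inside it that an OCR tool should read, and fuzzy-matches Gatekeeper-override coaching phrases in file names and OCR text so that deliberate misspellings still hit. The phrase list is a constructed starting point, OCR is assumed to be done by an external tool whose text is passed to check_text(), and build_fixture() creates a constructed stand-in for a mounted malicious image so the script runs offline.

```python
"""Mount-stage triage of a mounted disk image (added example, not the article's code)."""
import difflib
import re
import tempfile
from pathlib import Path

# Constructed starting list of phrases used to coach a user past Gatekeeper.
COACHING_PHRASES = (
    "drag to terminal",
    "right click and open",
    "open anyway",
    "allow in system settings",
)
DEFAULT_THRESHOLD = 0.8  # difflib similarity ratio; 1.0 is an exact match
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".tif", ".tiff"}


def _words(text: str) -> list[str]:
    """Lowercase, strip punctuation, split into words."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def fuzzy_contains(text: str, phrase: str, threshold: float = DEFAULT_THRESHOLD) -> bool:
    """True if some window of text, as long as the phrase, resembles the phrase.

    Comparing equal-sized word windows lets "Dr4g to Termina1" score 0.875
    against "drag to terminal", while the legitimate "Drag to Applications"
    stays well below the threshold.
    """
    words, target = _words(text), _words(phrase)
    n = len(target)
    if not words or n == 0:
        return False
    target_str = " ".join(target)
    for i in range(max(1, len(words) - n + 1)):
        window = " ".join(words[i:i + n])
        if difflib.SequenceMatcher(None, window, target_str).ratio() >= threshold:
            return True
    return False


def check_text(text: str) -> list[str]:
    """Return every coaching phrase that fuzzy-matches the text (e.g. OCR output)."""
    return [p for p in COACHING_PHRASES if fuzzy_contains(text, p)]


def scan_volume(volume: Path) -> dict:
    """Inspect one mounted volume before the user has clicked anything."""
    findings: list[str] = []
    ocr_candidates: list[str] = []
    background = volume / ".background"
    if background.is_dir():
        findings.append(f"hidden .background directory: {background}")
        # Installer graphics live here; hand them to the OCR tool.
        ocr_candidates = sorted(
            str(p) for p in background.iterdir() if p.suffix.lower() in IMAGE_SUFFIXES
        )
    for entry in volume.rglob("*"):
        hits = check_text(entry.name)
        if hits:
            findings.append(f"coaching text in file name {entry.name!r}: {hits}")
    return {
        "volume": str(volume),
        "suspicious": bool(findings),
        "findings": findings,
        "ocr_candidates": ocr_candidates,
    }


def detach_command(volume: Path) -> list[str]:
    """The macOS command a responder would run to unmount a flagged image."""
    return ["hdiutil", "detach", str(volume)]


def build_fixture() -> Path:
    """Constructed stand-in for a mounted malicious DMG (no real image needed)."""
    vol = Path(tempfile.mkdtemp()) / "Installer"
    (vol / ".background").mkdir(parents=True)
    (vol / ".background" / "background.png").write_bytes(b"\x89PNG placeholder")
    (vol / "Dr4g to Termina1").write_text("")  # misspelled coaching file name
    (vol / "Installer.app").mkdir()
    return vol


if __name__ == "__main__":
    result = scan_volume(build_fixture())
    for line in result["findings"]:
        print("FINDING:", line)
    print("OCR these:", result["ocr_candidates"])
    if result["suspicious"]:
        print("would run:", " ".join(detach_command(Path(result["volume"]))))
```

In production the script would be driven by a mount event and pointed at each new directory under /Volumes. Note that /Volumes also holds external disks and network shares, so restrict the scan to image-backed mounts by consulting `hdiutil info`, which lists attached images and their mount points; the threshold of 0.8 is a starting point to tune against your own installer corpus.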
Security awareness remains a critical line of defense, as the entire attack depends on a human manually approving something they should not. Users should avoid downloading software from unofficial sources or cracked forums. Any installer asking to drag a file into Terminal or approve unknown software in System Settings is a clear red flag.
What This Means for Enterprise Security
The rise of weaponized DMG files marks a fundamental shift in macOS threat modeling. The battleground is no longer about preventing execution — it is about preventing installation. Organizations must treat macOS endpoints with the same rigor as Windows environments, deploying behavioral detection at the mount stage and enforcing strict software sourcing policies. The myth of Apple’s inherent security is not just outdated; it is a liability.
— Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.