2025, the year of the Infostealer

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/
• Blog Title: 2025, the year of the Infostealer
• Suggested Section: macOS Security & Privilege Escalation -> macOS Auto Start (LaunchDaemons/LaunchAgents) and/or Phishing Methodology -> Clipboard Hijacking / one-liner execution lures; plus a note in macOS post-exploitation about dscl -authonly password validation + sudo -S reuse and xattr -c quarantine removal

🎯 Content Summary

Pentest Partners describes why infostealers accelerated in 2025 (fastest-growing malware category) and provides a DFIR walk-through of a real macOS infostealer intrusion that succeeded in collecting and staging data but failed to exfiltrate due to network egress controls.

1) Why infostealers scaled in 2025 (tradecraft vs. CVEs)
The post highlights that these intrusions commonly do not require memory corruption or a CVE: the primary “exploit” is user-driven execution (s...

🔧 Technical Details

User-execution initial access (no CVE): deliver a “normal-looking” terminal one-liner (installer/bootstrapper) via a lookalike site (e.g., spoofed Homebrew) and force a UI “Copy” button so victims can’t manually inspect the full pasted text; append hidden payload logic such as a base64-encoded command after the legitimate-looking command to trigger stage-1 execution.

macOS password capture + validation trick: repeatedly prompt for the user’s password and validate correctness locally with dscl . -authonly ...; once validated, save it (e.g., /tmp/.pass) and reuse it for non-interactive privileged actions with sudo -S (password via stdin), enabling follow-on steps like clearing quarantine attributes (xattr -c <file>), permission changes (chmod +x), execution of a downloaded stage, and installation of system-wide persistence.

Anti-sandbox evasion: query host hardware/memory with system_profiler</...

🤖 Agent Actions

Summary:

• Added macOS credential-harvesting privesc pattern (dscl . -authonly + sudo -S reuse, Gatekeeper xattr clearing) to macOS privilege escalation and documented detection cues.
• Documented LaunchDaemon persistence flow leveraging stolen sudo passwords (plist copy, root:wheel ownership, launchctl load, nohup agent) plus references in macOS autostart locations.
• Added macOS anti-VM/sandbox check snippet using system_profiler and exit code 100 to macOS useful commands with references.
• Expanded clipboard hijacking playbook with forced-copy macOS one-liners carrying hidden Base64 payloads and updated references.

Tests:

• Not run (documentation changes only).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/

Content Categories: Based on the analysis, this content was categorized under "macOS Security & Privilege Escalation -> macOS Auto Start (LaunchDaemons/LaunchAgents) and/or Phishing Methodology -> Clipboard Hijacking / one-liner execution lures; plus a note in macOS post-exploitation about dscl -authonly password validation + sudo -S reuse and xattr -c quarantine removal".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0