Mac Password‑Stealing Malware Poses as Apple, Google, and Microsoft Login Screens
- Nishadil
- May 19, 2026
New macOS Trojan tricks users into handing over credentials by mimicking big‑tech sign‑in pages
Security researchers have uncovered a fresh macOS credential‑stealer that pretends to be legitimate Apple, Google and Microsoft sign‑in dialogs, harvesting passwords from unsuspecting users.
Last week, a handful of security analysts at SentinelOne stumbled onto something that felt oddly familiar—yet unmistakably new. A piece of macOS malware, now being tracked under the name OSX/PhantomKey, has been masquerading as official login prompts from Apple, Google and Microsoft. The goal? Simply to coax a password out of anyone who happens to click the bogus dialog.
At first glance, the pop‑ups look almost exactly like the real thing. The Apple dialog carries the iconic silver‑blue background and the “Sign in with your Apple ID” headline; the Google window mimics the clean white layout you see on any Chrome login page; and the Microsoft prompt mirrors the familiar Office 365 sign‑in box. The creators have clearly spent time copying the visual details, down to the font choices and even the subtle animation when the window appears.
What makes this campaign stand out, though, is the way the malware delivers those fake windows. Instead of a classic phishing email, the malicious code is bundled inside a seemingly innocuous DMG file titled “macOS Security Update.dmg”. The file pretends to be an Apple‑issued patch—complete with a fake Apple logo and a short note about “critical security fixes”. Once a user double‑clicks the installer, a hidden AppleScript runs in the background, waiting for a moment when the user is likely to be at the computer, then popping up one of the three credential‑stealer dialogs.
When a victim dutifully enters their username and password, the script silently writes the data to a hidden file in the user’s Library folder. From there, the information is exfiltrated over HTTPS to a command‑and‑control server located in Eastern Europe. The whole process happens in a matter of seconds, leaving little trace for the average user.
SentinelOne’s researchers say they’ve observed at least 1,200 infections across North America and Europe so far, though the true number is likely higher. Most of the victims appear to be everyday consumers who downloaded the fake update after seeing a social‑media post warning about “a new macOS vulnerability”. A few small businesses were also caught off guard, which is concerning because once a credential is compromised, attackers can move laterally into corporate accounts tied to the same Apple ID or Microsoft 365 subscription.
Apple’s security team has already issued a statement acknowledging the issue, urging users to install updates only through the official System Settings > Software Update pane. They also recommend enabling two‑factor authentication on all Apple IDs, Google accounts, and Microsoft services—a step that would render the stolen passwords largely useless without the second factor.
In the meantime, the best defence is a mix of vigilance and a quick software check. If you’ve recently installed a file named “macOS Security Update.dmg” from an unknown source, delete it immediately and run a full scan with a reputable macOS‑compatible antivirus tool. Updating to macOS Ventura 13.5.2 (or later) also patches a related vulnerability that the malware exploits to gain the necessary privileges for the AppleScript to execute.
So, what can you do right now? First, review any recent login prompts you’ve seen—did they appear out of the blue, without a clear reason? Second, head over to System Settings and verify that your macOS version is up to date. Third, consider reviewing your saved passwords in the Keychain app to make sure nothing looks out of place.
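The quick software check described above, as an added shell helper that is not part of the article: it looks for the installer name the article cites in a download folder and compares the running macOS version against 13.5.2. The default folder (~/Downloads) and the use of sw_vers for the version are assumptions; the script reads only file names and never opens the DMG.

```shell
#!/bin/sh
# Added triage helper, not from the article. It checks the two indicators the
# article names: a DMG called "macOS Security Update.dmg" in a download folder,
# and a macOS version below 13.5.2 (assumed: ~/Downloads, version via sw_vers).

SUSPECT_NAME="macOS Security Update.dmg"
PATCHED_VERSION="13.5.2"

# version_at_least CURRENT MINIMUM: exit 0 when CURRENT >= MINIMUM,
# comparing dotted versions field by field so that 13.10 sorts above 13.5.2.
version_at_least() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# find_suspect_dmg DIR: print every matching path; exit 0 only if one exists.
find_suspect_dmg() {
    matches=$(find "$1" -maxdepth 2 -name "$SUSPECT_NAME" 2>/dev/null)
    [ -n "$matches" ] && printf '%s\n' "$matches"
}
# triage [DIR]: run both checks; exit 1 if either indicator is present.
triage() {
    dir=${1:-$HOME/Downloads}
    status=0
    if find_suspect_dmg "$dir"; then
        echo "WARNING: the installer above matches the lure; delete it and run a full scan"
        status=1
    fi
    if command -v sw_vers >/dev/null 2>&1; then
        current=$(sw_vers -productVersion)
        if version_at_least "$current" "$PATCHED_VERSION"; then
            echo "macOS $current is at or above $PATCHED_VERSION"
        else
            echo "WARNING: macOS $current predates $PATCHED_VERSION; update via System Settings > Software Update"
            status=1
        fi
    else
        echo "sw_vers not found (not macOS); version check skipped"
    fi
    return $status
}
```

Source the file and call `triage ~/Downloads`; a nonzero exit means at least one indicator was found.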
As always, the adage “if it sounds too good to be true, it probably is” applies. A sudden “critical security update” that lands in your Downloads folder should raise eyebrows. When in doubt, skip the click, go directly to Apple’s website, and let the operating system handle the update.
In the grand scheme, this isn’t the first time we’ve seen attackers borrow the visual identity of big tech companies to steal credentials. What is new is the level of polish and the fact that it targets macOS—historically a less‑frequent playground for such credential‑stealers. It’s a reminder that no platform is immune, and that user education remains a crucial line of defence.
Editorial note: Nishadil may use AI assistance for news drafting and formatting. Readers can report issues from this page, and material corrections are reviewed under our editorial standards.