Security Bite: Top macOS threat found riding the DeepSeek wave


9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


Tired of hearing about DeepSeek yet? The China-based LLM chatbot burst onto the scene this week, dominating the tech news cycle and even taking #1 on the App Store, where it still sits as of writing. However, its rapid popularity has led to a wave of new phishing campaigns, investment scams, and macOS malware disguised as real DeepSeek applications. Here’s the latest.

You’re reading 9to5Mac Security Bite, where each week, I share insights on data privacy, discuss the latest vulnerabilities, and shed light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices.

Cyble, a leading cybersecurity solutions firm, has kept tabs on several new scams cashing in on DeepSeek’s moment of fame. These include crypto scams, where cybercriminals attempt to trick victims into scanning QR codes that compromise their crypto wallets, and even fake investment opportunities. I’ve also seen several seemingly legitimate DeepSeek Mac installers with convincing file names, but there’s one problem: DeepSeek doesn’t offer a Mac app.

In addition to phishing and fake investment campaigns, cybercriminals are now distributing AMOS (or Atomic), one of macOS’s most prolific stealer malware families, in DMG installer files posing as a DeepSeek Mac application. Unlike other stealers, AMOS is written in Apple’s programming language Swift and runs natively on both Intel and Apple Silicon Macs. This, in addition to its clever distribution model, is what makes AMOS so successful. The malware authors offer it as a subscription service for $1,000 per month.

Fortunately, experts have done extensive dynamic and code-level analysis to understand how it works. Once a user is infected, the malware runs scripts that establish a connection to a command-and-control (C2) server operated by the cybercriminals. This serves as a two-way channel to the victim’s Mac: attackers use it to issue commands and, more critically, to receive extracted data. That data typically includes iCloud Keychain passwords, credit card information, sensitive files, browser-stored crypto wallet keys, and so on.

Luckily, with the release of macOS Sequoia, Apple took a proactive step to help keep Joe Shmoes from executing malware on their Macs. Users on Sequoia can no longer control-click to override Gatekeeper and open software that isn’t signed or notarized by Apple. However, as I reported last year, hackers got around this by instructing users to drop the malicious code directly into the Terminal app.

That same technique is being used here with the fake DeepSeek apps.

Here’s how the attack works:

  1. The victim installs the malicious disk image (DMG) obtained from a website, email, etc.
  2. The attacker instructs the victim to open Terminal and, instead of right-clicking to install, to drag and drop the “.file” directly into the Terminal window
  3. The seemingly harmless “DeepSeek.file” is, in fact, full of malicious Bash scripts. Once dropped into the Terminal, it triggers its execution and a bad day for the victim
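As an added defender-side example, not code from the article or from Cyble, here is a small Python triage helper that walks a mounted disk image and flags files that begin with a shell shebang but carry a non-script name, the pattern of the “DeepSeek.file” in step 3. The file names and contents in the sample are constructed and benign; whether a shebang is present is a heuristic, so the helper is a first pass for triage rather than a verdict.

```python
"""Added triage helper: flag shell scripts hiding behind a non-script name."""
import os
import tempfile
from pathlib import Path

SCRIPT_EXTENSIONS = {".sh", ".bash", ".zsh", ".command"}
SHELL_INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env sh",
                      "/usr/bin/env bash", "/usr/bin/env zsh")

def looks_like_shell_script(head: bytes) -> bool:
    """Heuristic: the file begins with a shebang naming a shell interpreter."""
    if not head.startswith(b"#!"):
        return False
    first_line = head.split(b"\n", 1)[0][2:].decode("utf-8", "replace").strip()
    return any(first_line.startswith(interp) for interp in SHELL_INTERPRETERS)

def triage_mounted_image(root: str) -> list:
    """Walk a mounted DMG (or any folder) and report shell scripts whose name
    does not say so, e.g. 'DeepSeek.file', plus whether the exec bit is set."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(256)  # only the header is needed for the shebang check
        if looks_like_shell_script(head) and path.suffix.lower() not in SCRIPT_EXTENSIONS:
            findings.append({"name": path.name, "path": str(path),
                             "executable": os.access(path, os.X_OK)})
    return findings

def build_constructed_sample(dest: str) -> str:
    """Constructed, benign stand-in for a fake installer DMG's contents."""
    root = Path(dest)
    lure = root / "DeepSeek.file"  # constructed name, echoes step 3 above
    lure.write_text("#!/bin/bash\necho 'constructed benign stand-in'\n")
    lure.chmod(0o755)
    (root / "README.txt").write_text("Drag the file into Terminal to install.\n")
    (root / "install.sh").write_text("#!/bin/sh\necho 'honestly named script'\n")
    return str(root)

def demo() -> list:
    """Run the triage over the constructed sample; only DeepSeek.file is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_mounted_image(build_constructed_sample(tmp))

if __name__ == "__main__":
    for hit in demo():
        print(f"suspicious: {hit['name']} (executable={hit['executable']})")
```

To use it on a real image, mount the DMG and pass its `/Volumes/...` path to `triage_mounted_image`.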

DeepSeek only offers iOS and Android apps. Any application that prompts you to drop files into Terminal is malicious.

Further, as friendly advice, don’t download or engage with DeepSeek at all. The LLM chatbot is located in China and, therefore, has to adhere to Chinese laws, which include heavy censorship and complete and total access to all data. It’s a serious risk to your privacy and has the potential to fuel cyber-espionage campaigns against you in the future.

I am curious to hear your thoughts. Are you worried about DeepSeek’s privacy concerns?

More in Apple security

Thank you for reading!

Follow Arin: LinkedIn, Threads, BlueSky, X
