DigitStealer’s expanding command-and-control (C2) footprint is exposing more of its backend than its operators likely intended, giving defenders fresh opportunities to track and block new infrastructure linked to the macOS‑targeting infostealer.
Unlike many popular stealers, it does not expose a web panel for affiliates, strongly suggesting a closed operation rather than a broad malware‑as‑a‑service (MaaS) offering.
Subsequent reports from vendors such as Moonlock and Microsoft, along with frequent IOC sharing on X, show DigitStealer being delivered via trojanized macOS applications like “DynamicLake,” often packaged as deceptive disk images that impersonate legitimate productivity tools.
First documented in mid‑November 2025 by Jamf Threat Labs, DigitStealer is a macOS infostealer that focuses on Apple Silicon systems, especially M2‑class devices, and targets 18 cryptocurrency wallets, browser data, and macOS keychain entries.
After installation, the malware runs a multi‑stage chain of payloads, establishes persistence via a Launch Agent, and polls its C2 every 10 seconds for new AppleScript or JavaScript tasks, effectively acting as a long‑lived backdoor on compromised Macs.
C2 Behavior Exposes Infrastructure Fingerprint
At the network layer, DigitStealer communicates with four key endpoints on its C2 servers: /api/credentials for stolen credentials, /api/grabber for file uploads, /api/poll for backdoor tasking, and /api/log for additional telemetry and logging.
Before issuing commands, the C2 server enforces a cryptographic challenge‑response step: the server provides a unique challenge string and a complexity level, and the malware must compute a value that, when hashed together with the challenge, matches a specific pattern in order to obtain a valid session token.
The malware also sends the system’s hardware UUID hashed with MD5, giving defenders a stable artifact to hunt for in outbound traffic and C2 logs.
Researchers have demonstrated that simply issuing HTTP or HTTPS requests to these API paths and inspecting JSON responses for fields like “challenge” and “complexity” is an effective way to verify suspected DigitStealer infrastructure, especially when combined with WHOIS checks for recurring registrar and nameserver patterns.
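The two defender checks described above, probing the reported API paths for the challenge/complexity JSON and hunting for MD5-hashed hardware UUIDs in proxy logs, as an added Python example (not code from the article or the researchers it cites). The function names, the injectable `fetch` hook, the log line format and the assumption that the UUID is hashed exactly as `system_profiler` prints it are mine.

```python
import hashlib
import json
import re
import urllib.request

API_PATHS = ("/api/credentials", "/api/grabber", "/api/poll", "/api/log")  # reported C2 paths

def looks_like_digitstealer_c2(body: bytes) -> bool:
    """JSON object carrying the 'challenge' and 'complexity' fields the C2 returns pre-token."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(data, dict) and {"challenge", "complexity"}.issubset(data)

def _default_fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=10) as resp:  # plain GET, short timeout
        return resp.read()

def probe_host(host: str, scheme: str = "https", fetch=_default_fetch) -> dict:
    """Probe each known path on a suspected host; `fetch` is injectable so it runs offline."""
    hits = {}
    for path in API_PATHS:
        try:
            hits[path] = looks_like_digitstealer_c2(fetch(f"{scheme}://{host}{path}"))
        except Exception:  # refused, TLS failure, timeout: treat as no match
            hits[path] = False
    return hits

def md5_uuid_lookup(hardware_uuids) -> dict:
    """Map MD5(hardware UUID) -> UUID for each managed Mac. Assumption: the stealer
    hashes the UUID string as system_profiler prints it (upper-case, hyphenated)."""
    return {hashlib.md5(u.encode()).hexdigest(): u for u in hardware_uuids}

HEX32 = re.compile(r"\b[0-9a-f]{32}\b")
def find_beaconing_hosts(log_lines, lookup: dict) -> list:
    """(uuid, line) pairs for log lines hitting a known path with an inventory UUID digest."""
    found = []
    for line in log_lines:
        if any(p in line for p in API_PATHS):
            for digest in HEX32.findall(line.lower()):
                if digest in lookup:
                    found.append((lookup[digest], line))
    return found

# Constructed sample data (not real indicators): one inventory UUID, two proxy log lines.
SAMPLE_UUIDS = ["A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D"]
SAMPLE_LOGS = ["mac-01 POST https://c2.example.invalid/api/poll uid="
               + hashlib.md5(SAMPLE_UUIDS[0].encode()).hexdigest(),
               "mac-02 GET https://www.example.invalid/index.html"]
```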
New analysis of DigitStealer samples and open source reports has uncovered additional C2 domains such as diamondpickaxeforge[.]com, ebemvsextiho[.]com, bottleneckid[.]com, booksmagazinetx[.]com, goldenticketsshop[.]com, and fixyourallergywithus[.]com, many of which were first highlighted by independent X researchers tracking the campaign.
These domains share a consistent infrastructure profile: they almost exclusively use the .com TLD, terminate HTTPS on nginx over port 443, and frequently sit behind Let’s Encrypt‑issued TLS certificates.
IP‑level views via threat‑hunting platforms show these domains clustering on a single hosting provider, the Ab Stract Ltd network in Sweden, with multiple C2s resolving to adjacent addresses inside the same ASN.
Across this cluster, analysts observed repeating SSH banners such as OpenSSH 9.6p1 and later variants on Ubuntu, further tightening the linkage between servers and suggesting a templated deployment process.
Registration Patterns Point to a Centralized Operation
Domain registration records provide another layer of commonality: most DigitStealer‑linked domains are registered via Tucows, with a minority outlier or two tied to other registrars that do not fit the prevailing pattern.
Regardless of TLD choice, the domains consistently rely on Njalla nameservers, a legitimate provider that has nonetheless frequently appeared in infrastructure supporting ransomware and other malware campaigns.
Timeline analysis indicates that the operators tend to register domains in tight batches aligned to specific campaigns, with one wave observed from mid‑2025 into late 2025 and another beginning in early 2026, consistent with coordinated infrastructure rollouts.
Taken together, the single ASN, repeated web and SSH stacks, Tucows registrations, Njalla nameservers, and predictable API behavior favor DigitStealer being run by a single actor or a small, tightly coordinated team rather than a sprawling affiliate ecosystem.
By combining simple queries over IP metadata (ASN, TLS, server headers, SSH versions) with active checks to the known DigitStealer API paths, defenders can build practical detection logic to uncover both reported and previously unknown C2 servers following this fingerprint.
While some domains identified in recent investigations are already offline or dormant, many still resolve or will likely be repurposed, making proactive blocking and monitoring of these patterns an effective way to “burn” infrastructure before it can be fully weaponized against macOS users.
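The metadata fingerprint described above (single ASN, nginx on 443, Let's Encrypt, OpenSSH 9.6p1 or later on Ubuntu, Tucows, Njalla), turned into scoring logic as an added Python example; this is not the article's or any vendor's code. `HostRecord` is a hypothetical shape for lookup results, the trait names and the five-trait threshold are my assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class HostRecord:  # hypothetical shape of an IP-intelligence / WHOIS lookup result
    domain: str
    asn_org: str = ""
    https_port_open: bool = False
    server_header: str = ""
    cert_issuer: str = ""
    ssh_banner: str = ""
    registrar: str = ""
    nameservers: list = field(default_factory=list)

SSH_VER = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)", re.I)
def _ssh_matches(banner: str) -> bool:
    # "OpenSSH 9.6p1 and later variants on Ubuntu": version >= 9.6 plus an Ubuntu tag.
    m = SSH_VER.search(banner)
    return bool(m) and (int(m[1]), int(m[2])) >= (9, 6) and "ubuntu" in banner.lower()

# Traits the reporting associates with the cluster; each is (name, predicate).
TRAITS = (
    ("com_tld", lambda h: h.domain.lower().endswith(".com")),
    ("asn_ab_stract", lambda h: "ab stract" in h.asn_org.lower()),
    ("nginx_on_443", lambda h: h.https_port_open and "nginx" in h.server_header.lower()),
    ("lets_encrypt", lambda h: "let's encrypt" in h.cert_issuer.lower()),
    ("openssh_9_6_ubuntu", lambda h: _ssh_matches(h.ssh_banner)),
    ("tucows", lambda h: "tucows" in h.registrar.lower()),
    ("njalla_ns", lambda h: any("njalla" in ns.lower() for ns in h.nameservers)),
)

def fingerprint(host: HostRecord) -> list:
    """Names of the cluster traits this host exhibits, in TRAITS order."""
    return [name for name, pred in TRAITS if pred(host)]

def is_candidate_c2(host: HostRecord, min_traits: int = 5) -> bool:
    """Threshold is an assumption: tune against known-good hosts before blocking on it."""
    return len(fingerprint(host)) >= min_traits

# Constructed sample records (hypothetical hosts, not real indicators).
SAMPLE_MATCH = HostRecord("lookalike.example.com", asn_org="Ab Stract Ltd", https_port_open=True,
                          server_header="nginx", cert_issuer="C=US, O=Let's Encrypt",
                          ssh_banner="SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
                          registrar="Tucows Domains Inc.", nameservers=["ns1.njalla.example"])
SAMPLE_BENIGN = HostRecord("docs.example.org", asn_org="Example Cloud", https_port_open=True,
                           server_header="cloudflare", cert_issuer="O=DigiCert Inc",
                           registrar="MarkMonitor", nameservers=["ns1.example.org"])
```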
Indicators of Compromise
| IP Address | Domain | ASN |
| --- | --- | --- |
| 80.78.30[.]90 | beetongame[.]com | ab stract ltd |
| 80.78.25[.]205 | binance.comtr-katilim[.]com, yourwrongwayz[.]com, chiebi[.]com | ab stract ltd |
| 80.78.30[.]191 | tribusadao[.]com, theinvestcofund[.]com, cekrovnyshim[.]com | ab stract ltd |
| 80.78.30[.]146 | ebemvsextiho[.]com, th6969[.]top | ab stract ltd |
| 80.78.22[.]140 | flowerskitty[.]com | ab stract ltd |
| 80.78.22[.]131 | ironswordzombiekiller[.]com, siriustimes[.]info, siriustimes[.]rocks, bchat[.]cc, red-letter[.]org | ab stract ltd (bchat[.]cc: Immaterialism) |
| 80.78.31[.]72 | rompompomsigma[.]com | ab stract ltd |
| 80.78.27[.]104 | diamondpickaxeforge[.]com | ab stract ltd |