Jamf Threat Labs has identified a new technique where attackers use PyInstaller to bundle Python-based infostealers into Mach-O executables on macOS. This method allows malware to run without requiring a native Python installation, while employing various obfuscation tactics to evade detection. The analysis includes dynamic and static examination of these malicious binaries, revealing behaviors consistent with infostealer activity.