MacStealer macOS Malware
MacStealer: Cross-Architecture macOS Info-Stealer Targeting Keychains, Wallets, and Browsers
MacStealer is a macOS-targeted info-stealer first discovered in early 2023, capable of extracting iCloud Keychain data, browser credentials, cookies, and crypto wallet information. It was among the first stealer malware tailored to support both Intel-based Macs and Apple’s M1/M2 chipsets, signaling growing attacker interest in Apple’s user base. MacStealer is distributed via phishing campaigns and trojanized app installers, luring users into running unsigned code under the guise of legitimate software.
Introduction to MacStealer
MacStealer takes aim at macOS users who are often less accustomed to dealing with malware, exploiting social engineering to gain execution and permissions. Once active, it scans for sensitive files, accesses browser storage and keychain content, and exfiltrates everything to a command-and-control server (C2). It reflects a rising trend of macOS stealers, which historically were rare compared to their Windows counterparts but are now increasingly common and dangerous.
1. How MacStealer Works
Infection Mechanism:
MacStealer is delivered through:
- Fake installers, often posing as cracked or repackaged versions of legitimate apps (e.g., productivity tools, utilities)
- Phishing pages encouraging users to disable Gatekeeper and manually run an unsigned .pkg or .app
- Bundles on torrent and warez sites aimed at users seeking free software
Payload Execution:
Once launched, MacStealer:
- Collects Keychain data, if access is granted
- Steals saved credentials, autofill data, and cookies from browsers like Chrome, Brave, and Firefox
- Searches for cryptocurrency wallet extensions or local wallet files
- Extracts system information, including macOS version, hardware ID, and user account data
- Sends all stolen data to a C2 server via HTTP POST or encrypted channels
2. History and Notable Campaigns
Origin and Discovery:
MacStealer was first reported in March 2023 by researchers at Uptycs, who found it being advertised on dark web forums as a paid stealer tool for macOS attackers. It was among the first post-M1 malware families to explicitly support both Intel and ARM-based Macs.
Notable Campaigns:
- Early campaigns targeted users seeking cracked versions of CleanMyMac, Adobe tools, or VPN clients
- Variants have been seen abusing Google Drive and Telegram bots for C2 communication
- Initial builds were relatively simple, but later versions added anti-analysis features and better C2 infrastructure
3. Targets and Impact
Targeted Victims and Sectors:
- Everyday macOS users, especially those sideloading software
- Cryptocurrency holders storing wallet keys or using browser-based extensions
- Creative professionals and small businesses relying on Macs for productivity
- Victims tricked by phishing emails or cracked app downloads
Consequences:
- Theft of account credentials, autofill data, and cookies, leading to account hijacking
- Loss of cryptocurrency wallet keys and digital assets
- Exposure of Keychain-stored passwords and sensitive data
- Risk of identity theft, financial fraud, and credential reuse attacks
4. Technical Details
Payload Capabilities:
- Extracts:
  - Keychain items (when permissions allow)
  - Chrome, Firefox, and Brave credentials and cookies
  - Cryptocurrency wallet data
  - System metadata
- Communicates with remote C2 infrastructure for exfiltration
- Packaged as .pkg or .app bundles, depending on campaign
Evasion Techniques:
- Unsigned and unpacked, allowing for easy customization by attackers
- Prompts users to manually override Gatekeeper, bypassing macOS security prompts
- Small size and simple execution flow help evade static analysis
- Some variants use obfuscated filenames or compress payloads to hide intent
5. Preventing MacStealer Infections
Best Practices:
- Never disable Gatekeeper or run unsigned apps from unknown sources
- Only download apps from the Mac App Store or official vendor websites
- Use unique, strong passwords with 2FA whenever possible
- Avoid cracked or pirated software — it’s a common malware delivery vehicle
- Monitor for new login items or unexpected system prompts
Recommended Security Tools:
- macOS-compatible antivirus (e.g., Malwarebytes for Mac, Intego, Bitdefender)
- Little Snitch or LuLu to detect and block suspicious outbound connections
- BlockBlock, KnockKnock, or Objective-See tools for persistence and launch agent monitoring
- iCloud Keychain auditing to regularly review stored credentials
6. Detecting and Removing MacStealer
Indicators of Compromise (IoCs):
- Unknown or unsigned apps running from Downloads or temporary folders
- Sudden prompts requesting Keychain access or root permissions
- Unusual outbound connections to command-and-control domains or Telegram APIs
- Presence of rogue .pkg or .app bundles not tied to legitimate developers
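Because some variants route C2 through Telegram bots and Google Drive (see section 2), the destination alone is a weak indicator; the useful signal is which process is talking to those services. The following is an added example, not code from the original page or from any vendor tool: it parses a constructed outbound-connection log (a generic format, not a real firewall export) and flags non-allowlisted processes reaching the abused services. The allowlist and log format are assumptions to adapt to the host.

```python
import re
from collections import Counter

# Legitimate services the page notes MacStealer variants abuse as C2 channels.
# Blocking them outright is rarely an option, so the signal is the *client process*.
ABUSED_SERVICES = {
    "api.telegram.org": "Telegram Bot API",
    "www.googleapis.com": "Google Drive API",
    "drive.google.com": "Google Drive",
}
# Assumed allowlist of processes expected to reach those services; tune per host.
# A process name alone is not trusted: it must also run from /Applications/.
EXPECTED_CLIENTS = {"Telegram", "Google Chrome", "Brave Browser", "firefox",
                    "Safari", "Google Drive"}

# Constructed sample log (not real telemetry): one unsigned helper launched from
# the Downloads folder repeatedly contacts the Telegram Bot API.
SAMPLE_LOG = """\
2023-03-21T10:02:11Z proc="Safari" pid=512 path="/Applications/Safari.app/Contents/MacOS/Safari" dest=www.apple.com:443
2023-03-21T10:02:15Z proc="Telegram" pid=640 path="/Applications/Telegram.app/Contents/MacOS/Telegram" dest=api.telegram.org:443
2023-03-21T10:03:02Z proc="helper" pid=701 path="/Users/jdoe/Downloads/Installer/helper" dest=api.telegram.org:443
2023-03-21T10:03:05Z proc="helper" pid=701 path="/Users/jdoe/Downloads/Installer/helper" dest=api.telegram.org:443
2023-03-21T10:04:40Z proc="Google Chrome" pid=333 path="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" dest=drive.google.com:443
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) proc="(?P<proc>[^"]+)" pid=(?P<pid>\d+) '
                     r'path="(?P<path>[^"]+)" dest=(?P<host>[^:]+):(?P<port>\d+)$')

def parse(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_c2_candidates(log_text: str) -> list:
    """List (proc, path, host, count) for unexpected clients of the abused services."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["host"] not in ABUSED_SERVICES:
            continue
        # Expected client AND installed under /Applications: treat as benign.
        if ev["proc"] in EXPECTED_CLIENTS and ev["path"].startswith("/Applications/"):
            continue
        hits[(ev["proc"], ev["path"], ev["host"])] += 1
    return [(p, path, host, n) for (p, path, host), n in sorted(hits.items())]
```

A process that merely calls itself "Telegram" but runs from Downloads is still flagged, which is the point of checking the path alongside the name.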
Removal Steps:
- Delete any unrecognized apps or installer files from the system
- Use malware scanners to detect and quarantine malicious processes
- Check login items, LaunchAgents, and LaunchDaemons for persistence
- Reset browser credentials and Keychain passwords
- Change all accounts accessed on the compromised system
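The persistence check above can be automated. This is an added example, not code from the original page or from any vendor tool: it reads the user and system LaunchAgents/LaunchDaemons folders and flags jobs that run from unusual locations (Downloads, /tmp, caches), restart themselves indefinitely, or carry an Apple-looking label while pointing at a non-system binary. The sample plist is constructed, not a real MacStealer artifact, and the path heuristics are assumptions to tune per host.

```python
import plistlib
from pathlib import Path
# Directories launchd reads persistence jobs from (user and system scope).
LAUNCH_DIRS = (Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))
# Path fragments a legitimate launch item rarely executes from; a payload dropped
# by a trojanized installer commonly lives in one of them (assumed heuristic).
ODD_PATHS = ("/tmp/", "/Users/Shared/", "/Downloads/", "/.Trash/", "/Library/Caches/")
# Constructed sample job (not a real MacStealer artifact): an Apple-looking label
# that launches a helper out of the user's Downloads folder at every login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key><array><string>/Users/jdoe/Downloads/CleanApp.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

def program_of(job: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess(job: dict) -> list:
    """Reasons a launchd job deserves a closer look (empty list = nothing flagged)."""
    prog, reasons = program_of(job), []
    if any(p in prog for p in ODD_PATHS):
        reasons.append("runs from unusual location: " + prog)
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched whenever it exits")
    label = str(job.get("Label", ""))
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
        reasons.append("Apple-style label but non-system program: " + label)
    return reasons

def assess_bytes(data: bytes) -> list:
    """Parse a plist blob (XML or binary) and assess the job it describes."""
    return assess(plistlib.loads(data))

def audit_launch_dirs(dirs=LAUNCH_DIRS) -> dict:
    """Map each flagged .plist under the given directories to its reasons."""
    findings = {}
    for path in (p for d in dirs if d.is_dir() for p in d.glob("*.plist")):
        try:
            reasons = assess_bytes(path.read_bytes())
        except Exception as exc:  # a file launchd cannot parse is itself odd
            reasons = ["unparseable: %s" % exc]
        if reasons:
            findings[str(path)] = reasons
    return findings
```

Run `audit_launch_dirs()` on the suspect Mac and review each flagged path by hand before deleting anything, since legitimate third-party agents can trip the location heuristic.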
Professional Help:
Users concerned about wallet theft, credential exposure, or system integrity should consult a macOS forensic specialist or use digital security services with expertise in stealer malware.
7. Response to a MacStealer Infection
Immediate Steps:
- Disconnect the system from the internet
- Change all credentials from a clean device
- Remove the malware and any supporting files
- Audit browser extensions, Keychain contents, and login items
- Contact financial institutions or crypto platforms if credentials were compromised
8. Legal and Ethical Implications
Legal Considerations:
MacStealer facilitates the theft of sensitive personal data, triggering privacy and breach disclosure laws in many jurisdictions. Distributing or using this malware can lead to criminal prosecution under cybercrime statutes.
Ethical Considerations:
Stealer malware like MacStealer is designed solely for theft — there is no ethical justification for its creation or use. It contributes to rising rates of fraud, account compromise, and personal data exploitation.
9. Resources and References
- Uptycs Threat Report: MacStealer Malware
- Objective-See: macOS security toolkits
- Apple Security: A threat analysis of sideloading (PDF)
- MITRE ATT&CK for macOS:
10. FAQs about MacStealer
Q: What is MacStealer malware?
A macOS stealer that targets Keychain data, browser credentials, and crypto wallets.
Q: How does it spread?
Through fake app installers, pirated software, and phishing campaigns targeting Mac users.
Q: Can it bypass Gatekeeper?
Not automatically — it relies on users disabling protections and running unsigned apps.
Q: What data does it steal?
Passwords, cookies, autofill data, crypto wallet info, and system metadata.
11. Conclusion
MacStealer is part of a new wave of malware proving that macOS is no longer immune to info-stealing threats. It exploits user behavior—especially sideloading and poor permission hygiene—to steal valuable data with minimal user awareness. As macOS threats grow more capable, basic cybersecurity practices and awareness are now essential for Apple users, not optional.