MacStealer: A New Info-Stealing Malware Targeting Mac Users

MacStealer: A New Info-Stealing Malware Targeting Mac Users
Threat actor advertisement on the dark web, image uptycs

Mac users have long enjoyed a reputation for being relatively safe from malware attacks. However, cybercriminals are increasingly targeting the macOS, and a new malware called MacStealer has been discovered, which steals sensitive data from Mac users. In this article, we will explore the features and capabilities of MacStealer and what Mac users can do to protect themselves.

What is MacStealer?

MacStealer is a new info-stealing malware that targets Mac users. It steals their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files. MacStealer is being distributed as a malware-as-a-service (MaaS), where the developer sells premade builds for $100, allowing purchasers to spread the malware in their campaigns.

Capabilities of MacStealer

MacStealer can steal the following data from compromised systems:

  • Account passwords, cookies, and credit card details from Firefox, Chrome, and Brave.
  • Extract the Keychain database (login.keychain-db) in base64 encoded form
  • Collect System information
  • Collect Keychain password information
  • Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr Wallet, and Binance cryptocurrency wallets

The Keychain database is a secure storage system in macOS that holds users' passwords, private keys, and certificates, encrypting it with their login password. The feature can then automatically enter login credentials on web pages and apps.

How Does MacStealer Work?

The threat actors distribute MacStealer as an unsigned DMG file that poses as something the victim is tricked into executing on their macOS. Upon doing so, a fake password prompt is served to the victim to run a command that allows the malware to collect passwords from the compromised machine.

MacStealer malware operation, image uptycs
MacStealer malware operation, image uptycs

The malware then collects all of the data mentioned earlier, stores them in a ZIP file, and sends the stolen data to remote command and control servers to be collected later by the threat actor. At the same time, MacStealer sends some basic information to a pre-configured Telegram channel, allowing the operator to be quickly notified when new data is stolen and download the ZIP file.

Protecting Yourself from MacStealer

While most MaaS operations target Windows users, macOS isn't immune to such threats, so its users should remain vigilant and avoid downloading files from untrustworthy websites. The following are some tips to protect yourself from MacStealer and other malware:

  1. Keep your macOS updated with the latest security patches.
  2. Use a reputable antivirus program and keep it updated.
  3. Be wary of downloading files from untrustworthy websites or unknown sources.
  4. Do not open email attachments from unknown sources.
  5. Enable the macOS firewall.
  6. Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible.
  7. Regularly backup your important data to an external hard drive or cloud storage.


Mac users should not take their security for granted and should remain vigilant against new and evolving malware threats such as MacStealer. By following the tips outlined above, Mac users can protect themselves and their sensitive data from cybercriminals. It is also important to stay informed about the latest cybersecurity news and trends to stay ahead of the threat landscape.