Apple Mac users are facing a new cybersecurity threat with the emergence of “Cthulhu Stealer,” a malware strain that specifically targets cryptocurrency wallets on macOS systems. This malware, which has gained attention for its ability to steal sensitive information, poses a significant risk to users who rely on popular crypto wallets like MetaMask, Coinbase, and Binance.
The Rising Threat of macOS Malware
Cybersecurity firm Cado Security highlighted the growing misconception that macOS systems are impervious to malware. Despite its reputation for security, macOS has seen a steady increase in malware incidents over recent years. The introduction of Cthulhu Stealer serves as another reminder that Apple’s operating system is not immune to these threats.
The malware spreads by disguising itself as an Apple disk image (DMG) file, posing as legitimate software such as CleanMyMac or Adobe GenP. Once the user opens the file, the malware leverages macOS’s command-line tools to run AppleScript and JavaScript, prompting the user to enter their system password. Following this, it requests access to the MetaMask wallet password, as well as targeting other well-known crypto wallets like those from Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet.
How Cthulhu Stealer Operates
After gaining access, Cthulhu Stealer collects and stores the stolen data in text files. It then fingerprints the victim’s system, gathering additional information such as the IP address and the version of the operating system. According to Tara Gould, a researcher at Cado Security, the primary function of Cthulhu Stealer is to steal credentials and cryptocurrency wallets, including those linked to game accounts.
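The password-prompt step described above is something endpoint telemetry can surface: an `osascript` process showing a dialog with a hidden text field, spawned by a binary running from a freshly mounted disk image under `/Volumes/`. The detector below is an added example written for this article, not code from Cado Security or from the malware analysis; it assumes the prompt is produced with AppleScript's `display dialog ... with hidden answer` or the JXA equivalent `displayDialog(..., {hiddenAnswer: true})` (the article only says AppleScript and JavaScript are used), and it assumes a simple process-event record with pid, ppid, image path and command line. The sample events are constructed; the CleanMyMac path mirrors the lure name from the article and is not a real indicator.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start record from endpoint telemetry (assumed schema)."""
    pid: int
    ppid: int
    image: str      # path of the executable
    cmdline: str    # full command line


# AppleScript and JXA idioms for a dialog whose text field masks input.
# Assumption: this is how the stealer's credential prompt is rendered.
HIDDEN_INPUT = re.compile(r"(with hidden answer|hiddenAnswer\s*:\s*true)", re.I | re.S)
# macOS mounts DMG images under /Volumes/, so a parent image there is a strong signal.
DMG_VOLUME = re.compile(r"^/Volumes/")


def is_password_dialog(ev: ProcEvent) -> bool:
    """True when osascript is asked to display a dialog with a masked text field."""
    return ev.image.endswith("/osascript") and HIDDEN_INPUT.search(ev.cmdline) is not None


def find_suspicious(events):
    """Return findings for each password dialog, rated higher when the parent runs from a DMG."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not is_password_dialog(ev):
            continue
        parent = by_pid.get(ev.ppid)
        from_dmg = parent is not None and DMG_VOLUME.match(parent.image) is not None
        findings.append({
            "pid": ev.pid,
            "parent": parent.image if parent else None,
            "severity": "high" if from_dmg else "medium",
        })
    return findings


# Constructed sample telemetry: a lure app on a mounted DMG prompting for a password,
# a benign notification, and an admin helper that also shows a masked prompt.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
              "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac"),
    ProcEvent(101, 100, "/usr/bin/osascript",
              "osascript -e 'display dialog \"macOS needs to access System settings\" "
              "default answer \"\" with hidden answer'"),
    ProcEvent(200, 1, "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
              "/Applications/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcEvent(201, 200, "/usr/bin/osascript",
              "osascript -e 'display notification \"Backup finished\"'"),
    ProcEvent(300, 1, "/usr/local/bin/admin-helper", "admin-helper"),
    ProcEvent(301, 300, "/usr/bin/osascript",
              "osascript -l JavaScript -e 'Application.currentApplication()"
              ".displayDialog(\"Enter password\", {defaultAnswer: \"\", hiddenAnswer: true})'"),
]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f)
```

Run on the sample set, the DMG-spawned prompt is rated high and the admin helper's prompt medium, while the notification dialog is ignored. In production the same logic would consume EDR or Endpoint Security framework process events; tuning the parent allow-list is what keeps legitimate installers from drowning out the lure pattern.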
Cthulhu Stealer bears a strong resemblance to another piece of malware known as Atomic Stealer, which was first identified in 2023 as a threat to Apple computers. Gould suggests that the developers behind Cthulhu Stealer likely modified the code from Atomic Stealer to create this new variant.
The malware was reportedly being rented out to affiliates for $500 per month via the Telegram messaging platform, with profits shared between the main developer and those deploying the malware. However, recent disputes over payments have led to accusations of an exit scam by affiliates, indicating that the original scammers may no longer be active.
Apple’s Response to Growing macOS Threats
Apple has acknowledged the increasing threat of malware targeting its macOS operating systems. On August 6, the company announced an update to its next-generation macOS version aimed at enhancing security by making it more difficult for users to bypass Gatekeeper protections. These protections are designed to ensure that only trusted applications can run on the system.
This follows a previous incident in May, where researchers exploited a vulnerability to gain access to macOS camera systems. Telegram, which was implicated in the exploit, downplayed its severity, attributing the issue more to Apple’s permission security than to its own platform.