MacStealer: Unveiling a Newly Identified MacOS-based Stealer Malware

Blog Author
Shilpesh Trivedi

Research by Shilpesh Trivedi and Pratik Jeware


Uptycs has already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. Attackers are increasingly turning to it, particularly for stealer command and control (C2).


And now the Uptycs threat research team has discovered a macOS stealer that also controls its operations over Telegram. We’ve dubbed it MacStealer.


The threat actor who is distributing this stealer was discovered by the Uptycs threat intelligence team during our dark web hunting. The stealer can extract documents, cookies from a victim's browser, and login information. It affects Catalina and subsequent macOS versions riding on Intel M1 and M2 CPUs.

MacStealer is a new Command and Control (C2) malware, a macOS stealer, that also controls its operations over Telegram, found by Uptycs Threat Research.

Figure 1: Threat actor advertisement on the dark web


MacStealer Features

The stealer exhibits the following capabilities:

  • Collect the passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers
  • Extract files (".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".csv", ".bmp", ".mp3", ".zip", ".rar", ".py", ".db")
  • Extract KeyChain database (base64 encoded)

MacStealer: New Command and Control (C2) Malware: Threat actor selling MacStealer for $100/build

Figure 2: Threat actor selling MacStealer for $100/build

Malware Operation

Figure 3 shows the the stealer's operational behavior.

MacStealer: New Command and Control (C2) Malware: MacStealer malware operation

Figure 3: Malware operation [click to enlarge]


Technical Analysis

Shown in figure 4, the Mach-O file is not digitally signed.

Figure 12-1

Figure 4: Unsigned Mach-O file


The Mach-O file is compiled from Python code (figures 5 and 6).

MacStealer: New Command and Control (C2) Malware: Python library dependencies

Figure 5: Python library dependencies


MacStealer: New Command and Control (C2) Malware: Python API imports

Figure 6: Python API imports


The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt to gather passwords using the following command line.

osascript -e display dialog "MacOS wants to access the System Preferences," with title "System Preferences" with icon caution default answer "" with hidden answer

MacStealer: New Command and Control (C2) Malware: Fake password prompt

Figure 7: Fake password prompt


Once the user enters their login credentials, the stealer gathers data as described in the MacStealer's features section. It stores it in the following system directory.


“/var/folders/{name}/{randomname}/T/{randomname}/files/{different folders}"


The stealer then ZIPs up the data and sends it to C2 via a POST request using a Python User-Agent request (figures 8 and 9). It deletes the data and ZIP file from the victim’s system during a subsequent mop-up operation.

MacStealer: New Command and Control (C2) Malware: Stealer collecting data

Figure 8: Stealer collecting data [click to enlarge]


MacStealer: New Command and Control (C2) Malware: Sending a POST request

Figure 9: Sending a POST request


MacStealer: New Command and Control (C2) Malware: Sending archive file

Figure 10: Sending archive file


Simultaneously, the stealer transmits selected information to the listed Telegram channels.

  • Telegram channel:

MacStealer: New Command and Control (C2) Malware: Sending basic information to the Telegram public channel

Figure 11: Sending basic information to the Telegram public channel


Once it has sent the compiled ZIP file to the C2, the latter shares the file with a threat actor's personal Telegram bot (figure 12).

  • Telegram bot:

MacStealer: New Command and Control (C2) Malware: Sending ZIP file to private Telegram bot

Figure 12: Sending ZIP file to private Telegram bot


Figure 13 shows the exfiltrated files.

MacStealer: New Command and Control (C2) Malware: Exfiltrated ZIP file content

Figure 13: Exfiltrated ZIP file content


Uptycs EDR Detection

Uptycs EDR—armed with YARA process scanning, advanced detections, and the ability to correlate process file, process, and socket events—successfully detects the many tactics, techniques, and procedures (TTPs) carried out by the stealer.


Additionally, Uptycs EDR contextual detection provides additional details about the detected malware. You can navigate to the toolkit data section of the detection alert, then click a name to learn about its behavior (figure 14).

Uptycs event detection for MacStealer

Figure 14: Uptycs event detection for MacStealer











C2 domain




Telegram 1


Telegram 2



By looking at the VirusTotal graph, the Uptycs research team concluded that more MacStealer samples have been spreading recently. Each file communicates using the same domain (mac[.]cracked23[.]site).

VirusTotal graph for MacOS Stealer

Figure 15: VirusTotal graph for macOS stealer

Related Hashes

SHA256 Hash



















As per the malware distributor’s dark web forum post, they’ll be adding these feature updates to the stealer (figure 16).

Planned feature updates for MacStealer

Figure 16: Planned feature updates for MacStealer


The Uptycs threat research team ran a detailed investigation to better understand the functions and objectives of the actor modules. We found the distributor has a mass production order for MacStealer from other threat actors, thus the malware is likely to be spread more widely.



This article's summary covers the actions of this new stealer—including the utilities used in its attack kill chain. Notably, these malware programs affect a victim's computer running the latest version of macOS. A miscreant uses Telegram as a command and control platform to exfiltrate victims' sensitive data.


Uptycs recommends the following measures and actions:

  • Keep your Mac systems up-to-date with the latest updates and patches
  • Only permit the installation of files from trusted sources that allow ‘App Store’ or ‘App store and identified developers.’