Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds

Published : 23/11/2024   Category : security




Ironically, Macs' lower risk profile may make them more susceptible to any given threat than the average Windows or Linux system.



A new infostealer is trying to ride the coattails of one of the most prevalent malware tools on the planet, taking advantage of some inherent security shortcomings in macOS environments.
In a new blog post, Cado Security discusses Cthulhu Stealer, a new cybercrime tool making the rounds lately. It's designed to nab cryptocurrency wallet and gaming credentials, as well as browser data. It isn't particularly sophisticated, perhaps because it doesn't have to be.
Atomic Stealer, Cthulhu's progenitor, has proven as much. In the past couple of years, this basically average stealer has become one of the most prevalent malware families across the globe. Perhaps, experts suggest, that has to do with the ways in which the security community has looked past Macs.
Cthulhu Stealer is delivered as an Apple disk image (DMG) carrying a binary written in Golang. It typically arrives in front of a victim's eyeballs masked as a legitimate software program, such as the CleanMyMac maintenance tool or the Grand Theft Auto video game.
When opened, the program asks for the victim's system password and, for no reason a user could plausibly justify, their MetaMask cryptocurrency wallet password.
"It should look suspicious to users, but sometimes people download stuff and they might not be thinking," notes Tara Gould, threat researcher at Cado Security. With Cthulhu's target demographic in particular, "They could be younger, or maybe not as well-versed in computers. There's a whole host of reasons why it may not potentially flag as suspicious."
Once planted, the program gathers system data, such as its IP address, OS version, and various hardware and software information. Then it goes after its real aim: crypto, game account, and browser credentials. Targeted apps include the Coinbase, Binance, and Atomic crypto wallets, Firefox cookies, and Battle.net and Minecraft user data.
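The sweep described above, a foreign process reading several unrelated credential stores within seconds, is the behaviour a defender can look for regardless of which stealer is doing it. The following is an added example of that detection logic and is not code from the article, Cado Security, or the malware itself. The event format (process name, pid, path) stands in for whatever an EDR or Endpoint Security sensor reports, the store paths under the home directory are assumptions drawn from the targets the article names, and the sample events are constructed; the process named "CleanMyMac" in them plays the disguised stealer, not the real utility.

```python
"""Flag processes that read credential stores an Atomic/Cthulhu-style stealer sweeps up.

Added example for this article, not code from the page or from Cado Security.
The event layout and the store paths below are assumptions; the sample events
at the bottom are constructed.
"""
import fnmatch
from collections import defaultdict
from dataclasses import dataclass

# Credential stores the article says Cthulhu Stealer goes after, with the processes
# legitimately expected to read them. Patterns are relative to the user's home
# directory and are assumptions for this example, not a vetted path inventory.
CREDENTIAL_STORES = {
    "firefox_cookies": {
        "pattern": "Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
        "owners": {"firefox"},
    },
    "chrome_extension_storage": {  # browser-extension wallets such as MetaMask/Coinbase
        "pattern": "Library/Application Support/Google/Chrome/*/Local Extension Settings/*",
        "owners": {"Google Chrome"},
    },
    "atomic_wallet": {
        "pattern": "Library/Application Support/atomic/*",
        "owners": {"Atomic Wallet"},
    },
    "minecraft_launcher": {
        "pattern": "Library/Application Support/minecraft/launcher_accounts.json",
        "owners": {"Minecraft", "java"},
    },
    "battle_net": {
        "pattern": "Library/Application Support/Battle.net/*",
        "owners": {"Battle.net"},
    },
}


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch, as reported by the sensor
    pid: int
    process: str   # process name as reported by the sensor
    path: str      # absolute path that was read


def classify(path: str, home: str):
    """Return the name of the credential store a path belongs to, or None."""
    prefix = home.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    rel = path[len(prefix):]
    for name, store in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(rel, store["pattern"]):  # '*' also spans '/'
            return name
    return None


def detect(events, home="/Users/victim", window=60.0):
    """Return sorted findings as (severity, pid, process, [store names]).

    A process that is not the owner of a store and reads it is recorded; a single
    process reading two or more different stores within `window` seconds is the
    stealer pattern and is rated high, anything else low.
    """
    touched = defaultdict(dict)  # pid -> store -> (process, first seen ts)
    for ev in events:
        store = classify(ev.path, home)
        if store is None or ev.process in CREDENTIAL_STORES[store]["owners"]:
            continue
        touched[ev.pid].setdefault(store, (ev.process, ev.ts))

    findings = []
    for pid, stores in touched.items():
        names = sorted(stores)
        process = next(iter(stores.values()))[0]
        times = [ts for _, ts in stores.values()]
        fast_sweep = len(names) >= 2 and max(times) - min(times) <= window
        findings.append(("high" if fast_sweep else "low", pid, process, names))
    return sorted(findings)


# Constructed sample: pid 501 is the legitimate browser, pid 777 is a stealer
# disguised as CleanMyMac, pid 900 is an unrelated helper touching one store.
SAMPLE_EVENTS = [
    FileEvent(1000.0, 501, "firefox",
              "/Users/victim/Library/Application Support/Firefox/Profiles/abcd1234.default-release/cookies.sqlite"),
    FileEvent(1001.0, 777, "CleanMyMac",
              "/Users/victim/Library/Application Support/Firefox/Profiles/abcd1234.default-release/cookies.sqlite"),
    FileEvent(1002.0, 777, "CleanMyMac",
              "/Users/victim/Library/Application Support/Google/Chrome/Default/Local Extension Settings/exampleextid/000003.log"),
    FileEvent(1003.0, 777, "CleanMyMac",
              "/Users/victim/Library/Application Support/atomic/Local Storage/leveldb/CURRENT"),
    FileEvent(1004.0, 777, "CleanMyMac",
              "/Users/victim/Library/Application Support/minecraft/launcher_accounts.json"),
    FileEvent(1005.0, 777, "CleanMyMac", "/Users/victim/Documents/notes.txt"),
    FileEvent(1500.0, 900, "Backup Helper",
              "/Users/victim/Library/Application Support/Battle.net/Battle.net.config"),
]

if __name__ == "__main__":
    for sev, pid, proc, stores in detect(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} {proc}: {', '.join(stores)}")
```

The owner allow-list is deliberately by process name only; a real rule should key on the code-signing team identifier the sensor reports, since a stealer can name its binary anything. The breadth heuristic is what separates a stealer from a backup tool that happens to read one of these files.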
Despite running for $500 per month on cybercrime forums, Cthulhu Stealer is essentially unsophisticated, without any standout stealth techniques, and largely indistinguishable from at least one other commercially available offering in the underground.
The most notable feature of Cthulhu Stealer is how closely it copies Atomic Stealer. Not only do they share many of the same functionalities and features, but Cthulhu Stealer even includes some of the same typos found in Atomic Stealer's code.
Atomic Stealer isn't so remarkable itself. Previously, Dark Reading noted its lack of a persistence mechanism and characterized it as "smash and grab" by nature. Still, it's no wonder that other malware authors might want to copy it, since it's one of the most successful infostealers in the world today.
In a report last month, Red Canary ranked it as the sixth most prevalent malware in the wild today, tied with the popular SocGholish and Lumma, and the ubiquitous Cobalt Strike. Its sixth-place finish is actually a step down from previous Red Canary reports, which have included Atomic Stealer in their top 10 lists for the entirety of 2024 thus far.
"The fact that any macOS threat would make the top 10 is pretty staggering," notes Brian Donohue, principal information security specialist with Red Canary. "I would venture to guess that any organization that has a meaningful footprint of macOS devices probably has Atomic Stealer lurking somewhere in their environment."
Threats to macOS are distinctly less common than threats to Windows and Linux, with Elastic data from 2022 and 2023 suggesting that only around 6% of all malware is found on these systems.
"Windows is still targeted the most, because large corporations all tend to still be very Windows-heavy, but that is shifting. A lot of enterprises are starting to increase the amount of Macs they have, so it is definitely going to become more of an issue," Gould says.
Hackers aren't all jumping on the bandwagon yet, but there is growing interest, perhaps because there's so little interest on the part of defenders.
In an email to Dark Reading, Jake King, head of threat and security intelligence at Elastic, indicated that threats to Macs have risen less than 1% over the past year, adding, "While we're not observing significant growth patterns that indicate enterprise-specific targeting of macOS, it may be attributed to a lower volume of telemetry acquired from this OS. We have observed several novel approaches to exploiting vulnerabilities over the calendar year that indicate adversarial interest across a number of campaigns." In other words: the data may indicate a lack of interest in macOS from attackers, or from defenders.
If runaway successes like Atomic Stealer do inspire more hackers to move operating systems, defenders will be working from a disadvantageous position, thanks to years of disinterest from the security community.
As Donohue explains, "A lot of enterprises adopt macOS systems for engineers and administrators, so a lot of the people who are using macOS machines are, by default, either highly privileged or dealing with sensitive information. And my suspicion is that there is less expertise in macOS threats across those organizations."
"There's also less tooling," Donohue adds. "Take something like EDR, as an example. These started out as tools for protecting Windows systems and then were later co-opted into being tools for protecting macOS systems as well. And Windows machines have really robust application control policies, but there isn't really similar functionality in macOS Gatekeeper [which is roughly analogous to Windows Defender]. It's pretty good at finding malicious binaries and creating YARA rules and signatures for them, but a lot of malware developers have been able to sidestep it."
Elastic's King adds, "Default operating system controls, while effective, are likely not evolving at a rate alongside adversarial behaviors." For this reason, King says, "Ensuring sensible access permissions, sufficient hardening controls, and instrumentation that allows for organizations to observe or prevent threats on macOS systems remains important."
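One concrete reason Gatekeeper is easy to sidestep is that it only assesses a file that carries the com.apple.quarantine extended attribute, which browsers set on downloads but which tools such as curl and scp do not, and which can simply be stripped. The check below is an added example, not code from the article, Red Canary, or Elastic: given a downloaded DMG or binary, it reports whether the attribute is present and what it records. It assumes the widely documented attribute layout "flags;hex-timestamp;agent;uuid"; reading the attribute shells out to the macOS xattr tool and so only works on a Mac, which is why the parsing is kept in its own function and the sample value fed to it is constructed.

```python
"""Check whether a downloaded file still carries the com.apple.quarantine
attribute that triggers Gatekeeper's assessment when it is opened.

Added example for this article, not code from the page, Red Canary or Elastic.
Assumes the attribute layout "flags;hex-timestamp;agent;uuid"; the sample value
in the __main__ block is constructed.
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Quarantine:
    flags: int                        # hex bitfield set by the downloading agent
    downloaded_at: Optional[datetime]
    agent: str                        # e.g. "Safari", "Chrome"
    uuid: str                         # key into LaunchServices' quarantine event DB


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value such as '0083;66a1b2c3;Safari;<UUID>'.

    Some files carry fewer than four fields, so the split is padded rather
    than assumed complete.
    """
    fields = (value.strip().split(";") + ["", "", "", ""])[:4]
    flags_hex, ts_hex, agent, uuid = fields
    flags = int(flags_hex, 16) if flags_hex else 0
    downloaded_at = None
    if ts_hex:
        downloaded_at = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)
    return Quarantine(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw com.apple.quarantine value, or None if the file has none.

    Uses the macOS `xattr -p` tool; on a system without it (or on a missing
    file) this also returns None, so callers treat None as "not assessed".
    """
    try:
        out = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no xattr tool: not running on macOS
        return None
    value = out.stdout.strip()
    return value if out.returncode == 0 and value else None


def assess(path: str, raw: Optional[str]) -> str:
    """Human-readable verdict for one file, given its raw attribute (or None)."""
    if raw is None:
        return (f"{path}: no quarantine attribute; Gatekeeper will not assess it on "
                "open (fetched by curl/scp or similar, or the attribute was stripped)")
    q = parse_quarantine(raw)
    when = q.downloaded_at.isoformat() if q.downloaded_at else "unknown time"
    return (f"{path}: quarantined, flags=0x{q.flags:04x}, "
            f"downloaded by {q.agent or '?'} at {when}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(assess(p, read_quarantine(p)))
    else:  # constructed sample value, so the script shows output on any OS
        print(assess("CleanMyMac.dmg", "0083;66a1b2c3;Safari;0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"))
```

Run it against a DMG a user says they "just downloaded": an absent attribute on a browser download is itself a finding, because it means either the file arrived by another channel or someone ran `xattr -d` on it, which is exactly how a victim following a stealer's "right-click, Open" instructions ends up past Gatekeeper.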
