MacStealer: a new threat to macOS users that can steal passwords from iCloud Keychain

Mac users should pay attention to a new threat that is targeting their devices. Security researchers have discovered a new malware named MacStealer, and it can steal passwords and other sensitive data from the iCloud Keychain and web browsers.

Read: An open-source bug caused a payment data leak on ChatGPT

What is MacStealer?

MacStealer is a new info-stealing malware sold as a malware-as-a-service (MaaS) on dark web hacking forums. The malware developer claims it can run on macOS Catalina (10.15) and up to the latest version of Apple’s OS, Ventura (13.2). It also targets Macs with M1 and M2 chips, which are supposed to have more security features than older models.

MacStealer is distributed as an unsigned DMG file that masquerades as something else, such as a weed-themed app. The victim is tricked into opening the file and entering their password in a fake prompt that appears to grant access to the System Settings app. However, the malware uses this password to access the Keychain database, which stores the user’s passwords, private keys, and certificates.

The malware then collects various types of data from the compromised system, such as:

– Account passwords, cookies, and credit card details from Firefox, Chrome, and Brave.


– Extract the Keychain database (login.keychain-db) in base64 encoded form

– Collect System information

– Collect Keychain password information

– Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr Wallet, and Binance cryptocurrency wallets

The stolen data is then stored in a ZIP file and sent to a remote command and control server via Telegram. The malware operator can also receive notifications and download the ZIP file from a pre-configured Telegram channel.

The developer of MacStealer claims that it is still in an early beta development phase and plans to add more features soon. For example, it wants to add support for Safari browser and Notes app data extraction. It also wants to add a builder and a panel for easier customization and management of the malware.

How to protect devices from MacStealer?

MacStealer is a serious threat that can compromise online security and privacy. It can steal passwords for any online accounts, credit card information for online shopping, cryptocurrency wallets for online transactions, and potentially sensitive files for blackmail or identity theft.

To protect any device from MacStealer and other similar malware threats, follow these best practices:

– Keep the Mac updated with the latest software patches and security updates from Apple

– Avoid downloading files from untrustworthy sources or opening attachments from unknown senders

– Use antivirus software that can detect and remove malware

– Enable Gatekeeper and Xprotect features on Mac that can prevent unsigned or malicious apps from running on the system

– Use a strong password for the Mac login and enable two-factor authentication for any iCloud account.

– Use a password manager that can securely store and generate strong passwords for online accounts.

– Use a VPN service that can encrypt online traffic and hide the IP address from hackers.

MacStealer is a new example of how hackers are targeting Mac users with sophisticated malware campaigns. Never assume that a Mac is immune to malware attacks, and take proactive steps to secure devices and data.

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world. 


Facebook: Eagle Tech Corp

Instagram: @eagletech_corp

Twitter: @eagletechcorp

LinkedIn: Eagle Tech

YouTube: Eagle Tech Corp

Cyber security & IT Managed Services

Table of Contents

Share this Article
Related Articles