MacStealer – newly-discovered malware steals passwords and exfiltrates data from infected Macs

I’m still encountering people who, even after all these years, believe that their Apple Mac computers are somehow magically invulnerable to ever being infected by malware.

This is despite the fact that malware has been infecting different incarnations of Apple computers for even longer than PCs, that macro malware often doesn’t care what operating system you’re using, that there are firms who have had over 25 years’ worth of success developing anti-virus software for Macs, and that even Apple itself has been releasing updates to macOS’s built-in anti-virus defences since 2009.

Yes, there’s a lot more malware for PCs than Macs, but that doesn’t mean that the problem doesn’t exist at all. And you may feel very smug not running any type of anti-virus on your Mac, but you’ll probably have the smile wiped off your face if you come a cropper.

With that in mind, it’s worth sharing that boffins at Uptycs shared details of some newly-discovered macOS malware last month, that they have dubbed “MacStealer.”

According to Uptycs, MacStealer is being distributed on dark web forums for as little as $100 as a tool for stealing the passwords, cookies, and credit card details from Google, Firefox, and Chrome browsers. In addition, the malware can steal Keychain data, and umpteen different types of data files (including documents, spreadsheets, presentations, images, databases, and archives) – sending exfiltrated data back to hackers via Telegram.

Despite MacStealer’s author claiming it is a “first beta version”, it is said to support Intel as well as M1 and M2 Macs, and works on macOS 10 (Catalina) to the latest macOS 13 (Ventura).

According to Uptycs, the malware is being spread in a fairly rudimentary way. Running a boobytrapped .DMG file can cause a fake System Preferences prompt to appear that asks for the user’s password.

[Image: MacStealer DMG]

Once the hackers have your computer’s password, your problems are going to get a whole lot worse.

There’s no indication that MacStealer is in widespread use by cybercriminals, but regardless it makes sense to protect your computer – whatever operating system you choose to run.
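
The behaviour described above (software run from a disk image that reads browser or Keychain stores and then talks to Telegram) can be turned into a simple correlation rule over endpoint telemetry. This is an added example, not code from Uptycs or from the original post; the JSON-lines event schema, the sample events, the process paths and the `api.telegram.org` host are assumptions.

```python
import json
from collections import defaultdict

# Stores the article says MacStealer targets: browser passwords/cookies, Keychain.
SENSITIVE_SUFFIXES = (
    "/Google/Chrome/Default/Login Data", "/Google/Chrome/Default/Cookies",
    "/logins.json", "/cookies.sqlite",  # Firefox profile files
    "/Library/Keychains/login.keychain-db",
)
TELEGRAM_HOSTS = {"api.telegram.org"}  # assumption: exfiltration uses this host
# Assumed legitimate paths; path matching is a heuristic, prefer signature checks.
EXPECTED_PREFIXES = (
    "/Applications/Google Chrome.app/", "/Applications/Firefox.app/",
    "/Applications/Telegram.app/", "/usr/sbin/securityd",
)

# Constructed sample telemetry in a hypothetical JSON-lines schema.
SAMPLE_EVENTS = """\
{"pid": 410, "exe": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "event": "file_open", "target": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
{"pid": 512, "exe": "/Applications/Telegram.app/Contents/MacOS/Telegram", "event": "net_connect", "target": "api.telegram.org"}
{"pid": 733, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "event": "file_open", "target": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"pid": 733, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "event": "file_open", "target": "/Users/alice/Library/Keychains/login.keychain-db"}
{"pid": 733, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "event": "net_connect", "target": "api.telegram.org"}
{"pid": 801, "exe": "/usr/local/bin/backup-tool", "event": "file_open", "target": "/Users/alice/Library/Application Support/Firefox/Profiles/ab12cd.default/logins.json"}
"""

def find_stealer_like(lines):
    """Flag processes that read credential stores and also contact Telegram."""
    procs = defaultdict(lambda: {"exe": "", "files": set(), "hosts": set()})
    for ev in map(json.loads, filter(str.strip, lines)):
        if ev["exe"].startswith(EXPECTED_PREFIXES):
            continue
        rec = procs[ev["pid"]]
        rec["exe"] = ev["exe"]
        if ev["event"] == "file_open" and ev["target"].endswith(SENSITIVE_SUFFIXES):
            rec["files"].add(ev["target"])
        elif ev["event"] == "net_connect" and ev["target"] in TELEGRAM_HOSTS:
            rec["hosts"].add(ev["target"])
    return [
        {"pid": pid, "exe": rec["exe"], "files": sorted(rec["files"]),
         # Running from a mounted disk image matches the .DMG delivery described.
         "from_disk_image": rec["exe"].startswith("/Volumes/")}
        for pid, rec in sorted(procs.items())
        if rec["files"] and rec["hosts"]
    ]

if __name__ == "__main__":
    for alert in find_stealer_like(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Neither signal is suspicious alone: the browser reading its own store and the Telegram app contacting Telegram are skipped, and the backup tool that only reads a file is not flagged.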

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “MacStealer – newly-discovered malware steals passwords and exfiltrates data from infected Macs”

  1. Bozer

    Hi Graham,
    I fear I may have accidentally downloaded phishing software: httpx://
    My Avast said "Threat secured – We've put sleeve in Quarantine because it was infected with malware: MacOS:Stealer-AB [Trj]." Then I checked the whois of the domain, and it says "Registered on 09th April 2024".
    I'm now worried that by initially opening the program, some malware has already been installed.
    After Avast informed me about the malware, I canceled the installation.
    Another window opened up, asking me to enter a password to grant access to system preferences.
    Of coz I did not touch it, but could also not close the window. Tried all sorts of ways. Then did a restart and it was gone. Now, as I did not enter the password, is there a chance that I am still sort of in the clear?
    Some other ppl on forums proposed to install Malwarebytes Premium, but I believe Avast has already done what it would do, or?
    Thanks for your input – helps tremendously!

    1. Graham Cluley · in reply to Bozer

      I'd recommend contacting Avast's support team, as they will be best placed to help you determine whether you have a problem or whether their software made a mistake.
