Apple Mac users are being alerted to a new malware threat called “Cthulhu Stealer” that steals personal information and targets cryptocurrency wallets.
“For years, there has been a general belief in the Zeitgeist that macOS systems are immune to malware,” said cybersecurity firm Cado Security on Aug. 22.
“While MacOS has a reputation for being secure, macOS malware has been trending up in recent years.”
The “Cthulhu Stealer” malware appears as a seemingly legitimate Apple disk image (DMG) for software like CleanMyMac or Adobe GenP.
When opened, the malware prompts users via AppleScript or JavaScript for their password. After gaining access, it requests credentials for crypto wallets, including MetaMask, Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet. The malware then stores the stolen information in text files and collects additional system data like IP addresses and OS versions.
According to Cado researcher Tara Gould, the malware is mainly designed to steal credentials and crypto wallets, with similarities to the “Atomic Stealer” malware that also targets macOS.This indicates that the developer of Cthulhu Stealer “probably took Atomic Stealer and modified the code,” added Gould.
The malware was being rented out via Telegram for $500 a month, with affiliates sharing profits. However, recent disputes between scammers and affiliates have led to accusations of an exit scam.
On August 23, another Mac-targeting malware called AMOS developed to clone Ledger Live software.
Apple has acknowledged the rising threat and recently announced tighter security measures in the upcoming macOS version, particularly strengthening protections against unverified applications.
