A new and highly sophisticated version of malware targeting macOS users has emerged. It can steal browser credentials, cryptocurrency wallets, and sensitive data while evading detection for months. Dubbed Banshee, this malware exploits advanced techniques to infiltrate systems and highlights the growing vulnerability of macOS devices in an era of rising cybercrime.
Once perceived as a fortress against cyberattacks, macOS now has a global user base exceeding 100 million, which has made it a lucrative target for cybercriminals. Despite built-in security measures like Gatekeeper, XProtect, and sandboxing, the rise of sophisticated threats like Banshee underscores the fallacy of relying on outdated security assumptions.
The latest version of the Banshee Stealer leverages advanced techniques to steal browser credentials, cryptocurrency wallets, and other sensitive information. This malware, undetected even by experienced IT professionals, uses clever anti-analysis mechanisms to evade detection, operating stealthily in the background.
The malware emerged in mid-2024, marketed as a ‘stealer-as-a-service’ on underground forums for $3,000. By late September, its developers had taken a bold step, incorporating an encryption algorithm from Apple’s XProtect antivirus system. This adaptation replaced plain text strings in the malware’s code, enabling it to bypass traditional antivirus detection methods for over two months.
As per researchers, threat actors distributed the malware via phishing websites and malicious GitHub repositories, disguising it as popular software tools like Chrome, Telegram, and TradingView. The November 2024 leak of Banshee’s source code on underground forums, however, marked a turning point.
While this exposure allowed antivirus engines to improve their detection capabilities, it also heightened fears of new, more dangerous variants being developed.
Once installed, Banshee demonstrates the level of sophistication now common in modern malware:
- Data theft: It targets browsers such as Chrome, Brave, and Edge, stealing credentials and cryptocurrency wallet information.
- Deceptive tricks: It employs realistic system prompts to trick users into divulging macOS passwords.
- Detection evasion: Anti-analysis techniques ensure the malware avoids debugging tools and antivirus engines.
- Data exfiltration: Stolen data is sent to command-and-control servers through encrypted channels.
Researchers observed that Banshee campaigns have been carefully orchestrated, with malicious GitHub repositories designed to appear legitimate through fake reviews and stars. These repositories often targeted macOS users with Banshee while delivering a different malware, Lumma Stealer, to Windows users.
The implications of Banshee’s success include data breaches, cryptocurrency risks, and operational disruptions. Furthermore, experts also observed that Banshee developers removed the Russian language check, signalling that the malware is looking to expand its audience.
Although Banshee’s official operations ceased following the source code leak, researchers have observed ongoing campaigns distributing the malware. Whether carried out by previous customers or the malware’s original creators remains uncertain.
Experts have urged organisations and businesses to invest in advanced cybersecurity tools capable of detecting sophisticated threats and to cultivate a culture of awareness and caution in order to recognise phishing attempts and suspicious downloads.