A newly discovered malware serves as a reminder to Apple users that they’re not immune to cyber threats.
Cybersecurity firm Cado Security reported that it has identified a malware-as-a-service (MaaS) targeting macOS users called “Cthulhu Stealer.” According to the report, this malware has been used to steal credentials and crypto wallets from various sources, including game accounts.
The stealer is said to have compromised data from popular bitcoin (BTC) and crypto wallets such as Coinbase, Wasabi, MetaMask, Binance, Electrum, Blockchain, and others. However, no details regarding the potential losses of the victims have been provided.
Cado Security explains that Cthulhu Stealer is distributed as an Apple Disk Image (DMG) file, which masquerades as legitimate software such as CleanMyMac, Grand Theft Auto, and Adobe GenP.
Once the DMG is mounted and the software is opened, it invokes a macOS command-line tool for running AppleScript and JavaScript, which prompts the user for their password. After the password is entered, a second prompt asks the user to input their wallet password.
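The two-stage password prompt described above is the part of the chain a defender can look for on the endpoint: a scripting-tool process that raises a password-style dialog while its parent application is running from a mounted disk image. The following Python is an added illustration, not code from Cado Security or from the report; the process-event records are constructed for this example, and their field names (`pid`, `ppid`, `image`, `parent_image`, `args`) are an assumed generic shape rather than any specific EDR schema. It assumes the scripting tool is `osascript` (the macOS AppleScript/JavaScript runner) and that the mounted DMG appears under `/Volumes/`, both standard macOS behaviour.

```python
"""Flag osascript-driven password prompts launched from a mounted disk image.

Added example, not the report's code. Event records and field names below are
constructed for illustration and do not follow any real telemetry schema.
"""
from dataclasses import dataclass, field

@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str                      # full path of the executable
    parent_image: str               # full path of the parent executable
    args: list[str] = field(default_factory=list)

MOUNT_PREFIX = "/Volumes/"          # where macOS mounts a DMG
OSASCRIPT = "/usr/bin/osascript"    # assumed: the AppleScript/JavaScript runner
# Both phrases together indicate an AppleScript dialog that collects a secret.
PROMPT_MARKERS = ("display dialog", "hidden answer")


def is_from_mounted_image(path: str) -> bool:
    """True when the executable path lives on a mounted disk image."""
    return path.startswith(MOUNT_PREFIX)


def suspicious_prompt(ev: ProcessEvent) -> bool:
    """Match: osascript, asking for a hidden-answer input, parented by an app on a DMG."""
    if ev.image != OSASCRIPT:
        return False
    script = " ".join(ev.args).lower()
    asks_for_secret = all(marker in script for marker in PROMPT_MARKERS)
    return asks_for_secret and is_from_mounted_image(ev.parent_image)


def find_suspicious(events: list[ProcessEvent]) -> list[int]:
    """Return the pids of events that match the detection logic."""
    return [ev.pid for ev in events if suspicious_prompt(ev)]


# Constructed sample telemetry: one benign notification from Terminal, one
# password dialog from an app running off a DMG, one harmless dialog from the
# same app, and an unrelated process that merely lives on the DMG.
SAMPLE_EVENTS = [
    ProcessEvent(3001, 1, OSASCRIPT,
                 "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 ["-e", 'display notification "Build finished"']),
    ProcessEvent(4101, 4100, OSASCRIPT,
                 "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
                 ["-e", 'display dialog "Password required to continue" '
                        'default answer "" with hidden answer']),
    ProcessEvent(4102, 4100, OSASCRIPT,
                 "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
                 ["-e", 'display dialog "Installing..." buttons {"OK"}']),
    ProcessEvent(5200, 4100, "/bin/ls",
                 "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
                 ["-la"]),
]

if __name__ == "__main__":
    print("suspicious pids:", find_suspicious(SAMPLE_EVENTS))  # [4101]
```

The rule deliberately requires all three conditions; a `display dialog` with a hidden answer from an application installed under `/Applications` is common enough (installers, helper tools) that matching on the dialog alone would be noisy, while the DMG parent on its own catches nothing interesting, as the `/bin/ls` record shows.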
Researchers at Cado emphasized that Cthulhu Stealer closely resembles Atomic Stealer, suggesting that the developers of Cthulhu may have simply modified Atomic's code. Atomic Stealer, first identified in 2023, is known to steal crypto wallets, browser credentials, and keychains. According to Cado, Atomic Stealer is sold on Telegram to affiliates for $1,000 per month.
In contrast, Cthulhu Stealer appears to be rented out for $500 per month, with the main developer distributing a percentage of the earnings to affiliates based on their deployment.
Cthulhu Stealer was reportedly sold on "two well-known malware marketplaces" and through Telegram. Cado found that a user on these marketplaces, also known as Cthulhu and operating under the alias "Balaclavv," began advertising the malware in late 2023 and was still active in early 2024.
However, it appears that the criminals using the malware may have been scammed by the promoter.
"Users complained that Cthulhu had stolen money owed to them and accused him of being a scammer or participating in an exit scam. As a result, he received a permanent ban from the marketplace," Cado said.
According to the researchers, the developers and affiliates of Cthulhu Stealer operated as the "Cthulhu Team" on Telegram, but they now appear to be inactive.