Mac users warned over malware ‘Cthulhu’ that steals crypto wallets
Apple Mac users are being warned about a new strain of malware called “Cthulhu Stealer,” which can steal their personal information and target crypto wallets.
“For years, there has been a general belief in the Zeitgeist that macOS systems are immune to malware,” said cybersecurity firm Cado Security on Aug. 22.
“While MacOS has a reputation for being secure, macOS malware has been trending up in recent years.”
“Cthulhu Stealer” appears as an Apple disk image (DMG) and disguises itself as legitimate software like CleanMyMac and Adobe GenP.
When users open the file, the macOS command-line tool for running AppleScript and JavaScript is used to prompt them for their password.
Once this is entered, a second prompt will appear for the password to the popular Ethereum wallet, MetaMask. It also targets other popular crypto wallets, including those from Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet.
The malware stores the stolen data in text files before fingerprinting the victim’s system to gather data such as IP address and operating system version.
Cthulhu Stealer ‘checking’ for installed crypto wallets. Source: Cado Security
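An added example, not taken from Cado Security's report or from this article: one way a defender could flag the behaviour described above in process-execution telemetry, by scoring `osascript` launches (the macOS tool for running AppleScript and JavaScript) that show a hidden-answer password dialog and whose parent runs from a mounted disk image. The event field names, the scoring heuristic and the sample records are assumptions constructed for illustration.

```python
import re
import shlex

# Matches AppleScript ("display dialog ... with hidden answer") and the
# JavaScript for Automation form (displayDialog(..., {hiddenAnswer: true})).
HIDDEN_PROMPT = re.compile(r"display\s*dialog\b.*\bhidden\s*answer\b", re.I | re.S)

def inline_scripts(cmdline):
    """Return the -e script fragments of an osascript command line, else []."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes, e.g. a truncated log field
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return []
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-e"]

def score_event(event):
    """0 = not a scripted password prompt, 1 = prompt, 2 = prompt from a disk image."""
    script = "\n".join(inline_scripts(event["cmdline"]))
    if not HIDDEN_PROMPT.search(script):
        return 0
    # Assumed heuristic: a parent binary under /Volumes/ is running straight
    # from a mounted DMG rather than from an installed location.
    return 2 if event["parent_path"].startswith("/Volumes/") else 1

def flag_password_prompts(events, threshold=2):
    """Return the pids of events scoring at or above the threshold."""
    return [e["pid"] for e in events if score_event(e) >= threshold]

# Constructed sample records; field names are hypothetical, not a real EDR schema.
PROMPT = "display dialog \"Password:\" default answer \"\" with hidden answer"
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_path": "/Volumes/ExampleApp/ExampleApp.app/Contents/MacOS/ExampleApp",
     "cmdline": f"osascript -e '{PROMPT}'"},
    {"pid": 4102, "parent_path": "/usr/local/bin/backup.sh",
     "cmdline": "osascript -e 'display dialog \"Backup finished\"'"},
    {"pid": 4103, "parent_path": "/Applications/AdminTool.app/Contents/MacOS/AdminTool",
     "cmdline": f"/usr/bin/osascript -e '{PROMPT}'"},
    {"pid": 4104, "parent_path": "/Volumes/ExampleApp/ExampleApp.app/Contents/MacOS/ExampleApp",
     "cmdline": "osascript -l JavaScript -e 'app.displayDialog(\"Password:\", {hiddenAnswer: true})'"},
    {"pid": 4105, "parent_path": "/Volumes/ExampleApp/ExampleApp.app/Contents/MacOS/ExampleApp",
     "cmdline": "osascript -e 'display dialog \"Pass"},
]

if __name__ == "__main__":
    print(flag_password_prompts(SAMPLE_EVENTS))  # [4101, 4104]
```

This sketch only inspects scripts passed inline with `-e`; a script supplied as a file or on standard input would need its contents collected separately.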
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” explained Cado researcher Tara Gould.
Cthulhu Stealer is very similar to Atomic Stealer, malware that was identified in 2023 targeting Apple computers. This indicates that the developer of Cthulhu Stealer “probably took Atomic Stealer and modified the code,” added Gould.
The malware was being rented out to affiliates for $500 per month using the Telegram messaging platform, with the main developer sharing profits from successful deployments.
However, the scammers behind the malware are said to be no longer active, following disputes over payments that have led to accusations of an exit scam by affiliates.
On Aug. 23, Cointelegraph reported that the AMOS malware, which also targets Mac users, can now clone Ledger Live software.
Apple has recently acknowledged the increasing threat of malware targeting its operating systems. On Aug. 6, the tech giant announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections that ensure only trusted applications are allowed to run on the system.
In May, Telegram played down the severity of an exploit that allowed researchers to gain access to macOS camera systems, stating that it had more to do with Apple’s permission security than the messaging platform.