Banshee Stealer is a stealer targeting macOS, first discovered in 2024.
Also known as: Banshee, BansheeInfoStealer
Banshee Stealer is a macOS information stealer that emerged in mid-2024, initially sold for $3,000/month. It steals from 9+ browsers, cryptocurrency wallets, and the macOS Keychain. A notable variant borrowed Apple's own XProtect string encryption algorithm to evade antivirus detection, demonstrating advanced evasion techniques.
Fake GitHub repositories impersonating popular open-source projects
Phishing sites mimicking legitimate software download pages
Malvertising campaigns targeting cryptocurrency and developer communities
Social engineering via developer forums and Slack communities
Unexpected system password prompts after installing software from GitHub
Browser data or cryptocurrency wallet balances unexpectedly altered
Unfamiliar processes connecting to external servers in Activity Monitor
macOS Keychain access prompts you did not initiate
Immediately disconnect from the network to prevent further data exfiltration. Banshee actively sends stolen data to its command-and-control infrastructure.
Check your recent downloads and installations. Remove any suspicious applications from /Applications and check ~/Library/Application Support for related folders.
Remove any LaunchAgent plist files created by the malware from ~/Library/LaunchAgents. Check for cron jobs with crontab -l and remove suspicious entries.
Change passwords for all accounts stored in your browsers and Keychain. Transfer cryptocurrency to new wallets created on a verified clean device.
Use CoreLock's deep scan to detect Banshee's XProtect-mimicking encryption patterns and any secondary payloads dropped during the infection.
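A triage script for the LaunchAgents step above, added here as an example; it is not CoreLock's code or part of the original page. The flagging heuristics (temp or shared directories, hidden paths, interpreters, a 30-day recency window) are assumptions for generic review, not Banshee-specific indicators.

```python
import plistlib
import time
from pathlib import Path

# Assumed generic triage heuristics; these are not Banshee-specific indicators.
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}
RECENT_DAYS = 30

def agent_command(plist):
    """Return what launchd would run: Program if set, else ProgramArguments."""
    if plist.get("Program"):
        return [str(plist["Program"])]
    return [str(arg) for arg in plist.get("ProgramArguments", [])]

def review_agent(path, now):
    """Parse one LaunchAgent plist (XML or binary) and list reasons to inspect it."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
        if not isinstance(plist, dict):
            raise ValueError("root is not a dictionary")
    except Exception as exc:  # a plist that will not parse deserves a manual look
        return {"file": path.name, "label": None, "command": [],
                "reasons": [f"unparseable: {type(exc).__name__}"]}
    cmd = agent_command(plist)
    exe = cmd[0] if cmd else ""
    reasons = []
    if not cmd:
        reasons.append("no Program or ProgramArguments")
    if exe.startswith(SUSPECT_DIRS):
        reasons.append("executable in temp or shared directory")
    if any(part.startswith(".") for part in Path(exe).parts):
        reasons.append("executable under a hidden path")
    if Path(exe).name in INTERPRETERS:
        reasons.append("runs an interpreter; read the arguments")
    recent = now - path.stat().st_mtime < RECENT_DAYS * 86400
    if recent and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append(f"auto-starts and was modified in the last {RECENT_DAYS} days")
    return {"file": path.name, "label": plist.get("Label"), "command": cmd, "reasons": reasons}

def review_launch_agents(directory, now=None):
    """Review every *.plist in a LaunchAgents directory, flagged entries first."""
    now = time.time() if now is None else now
    results = [review_agent(p, now) for p in sorted(Path(directory).glob("*.plist"))]
    return sorted(results, key=lambda r: not r["reasons"])

if __name__ == "__main__":
    for r in review_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print("REVIEW" if r["reasons"] else "ok    ", r["file"], " ".join(r["command"]))
        for reason in r["reasons"]:
            print("        -", reason)
```

A flagged entry is a prompt to read the plist and inspect the target binary before deleting anything; legitimate software also installs auto-starting agents.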
Verify GitHub repository authenticity by checking stars, commit history, and contributor profiles
Never bypass Gatekeeper warnings for applications from unknown developers
Use unique passwords and a dedicated password manager instead of browser storage
Enable CoreLock's real-time monitoring to catch unsigned binaries and suspicious Keychain access
Real-time Detection
CoreLock identifies Banshee Stealer through advanced YARA signatures targeting its XProtect-mimicking encryption, behavioral detection of unauthorized Keychain access patterns, code signing verification flagging ad-hoc signed binaries, and network monitoring detecting C2 exfiltration channels.
Banshee Stealer borrowed Apple's own XProtect string encryption algorithm to evade detection. This means it uses the same obfuscation technique that Apple uses to protect its malware signatures, making it invisible to many antivirus tools that rely on string matching.
Banshee targets browser data from 9+ browsers (Chrome, Firefox, Brave, Edge, Opera, Vivaldi, and others), cryptocurrency wallets, macOS Keychain passwords, system information, and files matching specific extensions on the Desktop and Documents folders.
Banshee was initially offered as a malware-as-a-service at $3,000/month. After its source code leaked in late 2024, it became freely available, leading to a proliferation of modified variants that are harder to track and detect.