Cthulhu Stealer is a stealer targeting macOS, first discovered in 2024.
Also known as: Cthulhu, CthulhuSteal
Cthulhu Stealer is a macOS information stealer sold as malware-as-a-service for $500/month — significantly cheaper than competitors like Atomic Stealer, making it accessible to a wider range of attackers. It disguises itself as legitimate software including CleanMyMac, Grand Theft Auto IV, and Adobe GenP. Despite being relatively unsophisticated compared to other macOS stealers, its low price and ease of use have led to widespread distribution.
How It Spreads
Trojanized versions of popular applications distributed through unofficial download sites
Fake software cracks and keygens for expensive applications like Adobe products
Phishing websites mimicking legitimate software download pages
Torrent sites and file-sharing platforms distributing infected DMG files
Social media posts and forum threads linking to 'free' versions of paid software
Signs of Infection
System password prompt appearing immediately after opening a newly downloaded application
A second prompt specifically asking for your MetaMask or cryptocurrency wallet password
Applications that don't function as expected after providing your password
Unknown processes making network connections shortly after installing cracked software
Cryptocurrency balances decreasing without authorized transactions
Removal Steps
Disable Wi-Fi and Ethernet to prevent further data exfiltration. Cthulhu Stealer sends harvested credentials to its C2 server quickly after collection.
Remove the fake application from wherever it was installed. Check /Applications, ~/Downloads, and ~/Desktop. Also check ~/Library/Application Support/ for associated folders.
Check ~/Library/LaunchAgents/ and /Library/LaunchAgents/ for any new plist files. While Cthulhu Stealer primarily operates as a grab-and-go stealer, some variants install minimal persistence.
From a clean device, change all passwords starting with email, banking, and cryptocurrency exchanges. Cthulhu Stealer specifically targets Keychain data and browser-stored credentials.
If you entered a MetaMask or wallet password, assume the wallet is compromised. Transfer all assets to new wallets on an uninfected device immediately. Revoke all token approvals.
Run a full CoreLock scan to ensure all components are removed and no residual processes or network connections from the stealer remain active.
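A triage script for the LaunchAgents check in the steps above, added here as an example rather than CoreLock's own code: it lists every launchd plist in both LaunchAgents folders, shows how recently each changed and which program it starts, and marks programs living in locations that this example assumes are unusual for legitimate launch agents. The folder list and the location heuristic are assumptions, not a published rule.

```python
"""LaunchAgent persistence triage for macOS (added example, not CoreLock code):
list the launchd plists in both LaunchAgents folders with their age and the
program each starts, and mark programs in locations assumed unusual for them."""
import plistlib
import time
from pathlib import Path

LAUNCH_AGENT_DIRS = (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"))
# assumed watch list: programs here deserve a closer look; this is not proof of malware
WATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/",
                  str(Path.home() / "Library/Application Support"), str(Path.home() / "Downloads"))

def program_path(job: dict) -> str:
    """Executable a launchd job starts: 'Program' wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def classify_job(job: dict, mtime: float, now: float, max_age_days: float = 7) -> dict:
    """Pure check behind the scanner: plist age plus the location heuristic."""
    prog = program_path(job)
    age_days = (now - mtime) / 86400
    return {
        "label": job.get("Label", "<no Label>"),
        "program": prog,
        "age_days": round(age_days, 1),
        "recent": age_days <= max_age_days,
        "watch_location": prog == "" or prog.startswith(WATCH_PREFIXES),
    }

def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS, max_age_days: float = 7) -> list:
    """Scan the dirs that exist; a plist that fails to parse is reported with an empty job."""
    findings, now = [], time.time()
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")) if Path(d).is_dir() else []:
            try:
                with p.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception:  # malformed or unreadable plist: still worth listing
                job = {}
            findings.append({**classify_job(job, p.stat().st_mtime, now, max_age_days), "plist": str(p)})
    return findings

if __name__ == "__main__":
    for f in scan_launch_agents():
        mark = "CHECK" if f["recent"] or f["watch_location"] else "  -  "
        print(f"[{mark}] {f['age_days']:>6}d  {f['label']:<40} {f['program']}  ({f['plist']})")
```

Run it as the affected user and again with sudo so that /Library/LaunchAgents is readable; a CHECK line is a prompt to inspect the program, not a verdict.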
Prevention
Never download cracked or pirated software — it is the primary distribution method for macOS stealers
Only install applications from the Mac App Store or official developer websites
Be suspicious of any app that asks for your system password immediately after opening
Any app that asks for your MetaMask or crypto wallet password is malware — legitimate apps never do this
Use CoreLock to detect stealer behavior including unauthorized credential access and suspicious network exfiltration
Real-time Detection
CoreLock detects Cthulhu Stealer through behavioral analysis of fake system dialog password harvesting, monitoring for rapid sequential access to browser credential stores and Keychain, flagging outbound data transfers matching stealer exfiltration patterns, and code signing analysis identifying mismatched or absent developer certificates on applications claiming to be legitimate software.
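The code-signing part of that analysis, as an added example (not CoreLock's detection logic): it parses the output of `codesign -dv --verbose=2` and classifies a bundle that presents itself as a known product as unsigned, ad-hoc signed, signed by the wrong team, or plausibly signed. The EXPECTED_TEAM table and its placeholder Team ID are assumptions to be filled in from a genuine copy of each product.

```python
"""Code-signing sanity check for an app bundle (added example, not CoreLock code).

Runs `codesign -dv --verbose=2` on a bundle, parses the Authority / TeamIdentifier
lines and decides whether an app claiming to be a known product carries a believable
Developer ID signature. The expected-team table is a placeholder to be filled from a
genuine copy of each product.
"""
import subprocess

# placeholder values: record the Team ID from a known-good copy of each product
EXPECTED_TEAM = {"CleanMyMac": "<TEAMID-FROM-GENUINE-COPY>"}
TRUSTED_CHAINS = ("Developer ID Application:", "Apple Mac OS Application Signing")

def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict; unsigned bundles give signed=False."""
    info = {"signed": True, "authorities": [], "team_id": None, "identifier": None}
    for line in output.splitlines():
        if "not signed at all" in line:
            info["signed"] = False
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier="):
            tid = line.split("=", 1)[1]
            info["team_id"] = None if tid == "not set" else tid
        elif line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
    return info

def verdict(info: dict, claimed_name: str) -> str:
    """Classify the signature of a bundle that presents itself as `claimed_name`."""
    if not info["signed"]:
        return "unsigned"
    if not info["authorities"] or info["team_id"] is None:
        return "adhoc"            # ad-hoc signatures carry no certificate chain
    expected = EXPECTED_TEAM.get(claimed_name)
    if expected and info["team_id"] != expected:
        return "team-mismatch"    # signed, but not by the team that ships the real product
    if not any(a.startswith(TRUSTED_CHAINS) for a in info["authorities"]):
        return "no-developer-id"  # signed, but not by a Developer ID or App Store certificate
    return "ok"

def check_bundle(app_path: str, claimed_name: str) -> tuple:
    """Run codesign (macOS only) and return (verdict, parsed info)."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", app_path],
                          capture_output=True, text=True)
    info = parse_codesign(proc.stderr + proc.stdout)  # codesign reports on stderr
    return verdict(info, claimed_name), info
```

An "ok" verdict only means the chain and team look right; pair it with `spctl --assess --type execute` for the notarization and Gatekeeper view.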
Cthulhu Stealer is a macOS information stealer sold as malware-as-a-service for around $500/month. It disguises itself as legitimate applications — commonly CleanMyMac, Grand Theft Auto IV, or Adobe tools — and uses fake password prompts to harvest your system credentials and cryptocurrency wallet passwords. It then steals browser data, Keychain entries, and wallet information.
Its low price ($500/month vs $1,000-3,000 for competitors) makes it accessible to a much wider range of attackers, including those with minimal technical skill. The MaaS model means the operator handles infrastructure while buyers just distribute the malware. More operators means more distribution channels, more victims, and more variants in the wild.
It uses AppleScript to generate a fake macOS system dialog that looks identical to a legitimate password prompt. Users think macOS is asking for their password to install or run the application, but the password is actually being captured and sent to the attackers. Some variants show a second prompt specifically asking for MetaMask wallet passwords.
Avoiding pirated software prevents most infections. The majority of Cthulhu Stealer infections come from downloading cracked software, keygens, or 'free' versions of paid applications from unofficial sources. The simplest defense is to never download pirated software. If you can't afford an application, look for legitimate free alternatives rather than risking a stealer infection.
Download CoreLock to detect and remove Cthulhu Stealer and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.