MacStealer is a macOS information stealer first discovered in 2023. It is distributed through Telegram and targets passwords, cryptocurrency wallets, and browser data. It uses a fake password prompt built with osascript to harvest the user's macOS password, bundles the stolen data into a ZIP archive, and sends it to Telegram channels controlled by the attacker. CoreLock detects this threat through behavioral monitoring of osascript password prompt abuse, YARA rules matching its ZIP staging and Telegram exfiltration patterns, code signing verification flagging unsigned or ad-hoc binaries, and network monitoring detecting data upload to Telegram bot APIs.
Also known as: MacStealer, OSX.MacStealer
Telegram channels distributing the malware directly to buyers and victims
Fake application DMG files shared through social engineering
Phishing messages with malicious attachments on messaging platforms
Cracked software and keygens on file-sharing forums
Unexpected osascript password dialog after opening a downloaded application
New ZIP files being created in temporary directories
Outbound network connections to Telegram API endpoints
Browser saved passwords or autofill data missing or changed
Cut network access immediately to prevent the stealer from sending your data to Telegram channels.
Open Activity Monitor and look for osascript or unfamiliar processes. Force-quit anything suspicious, especially processes making network connections.
Delete the application that triggered the fake password prompt. Check /Applications, ~/Downloads, and ~/Library/Application Support for related files.
If you entered your password in the fake dialog, change your macOS password immediately. Reset all browser-saved passwords and cryptocurrency wallet credentials.
Run a CoreLock scan to detect remaining MacStealer artifacts, verify no persistence mechanisms were installed, and check for additional data that may have been staged for exfiltration.
Never enter your system password in dialogs triggered by recently downloaded applications
Avoid downloading applications distributed through Telegram channels
Verify code signatures before running any DMG or application
Use CoreLock's real-time monitoring to detect osascript-based credential harvesting attempts
Real-time Detection
CoreLock detects MacStealer through behavioral monitoring of osascript password prompt abuse, YARA rules matching its ZIP staging and Telegram exfiltration patterns, code signing verification flagging unsigned or ad-hoc binaries, and network monitoring detecting data upload to Telegram bot APIs.
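The detection paragraph above describes four independent signals that only become a confident verdict when they land on the same process tree. The following is an added illustration of that correlation written for this page; it is not CoreLock's code. The log format, field names, the trusted-parent list and the sample events are all constructed assumptions.

```python
"""Correlate MacStealer-style behaviours (osascript password dialog, ZIP staging
in /tmp, Telegram API connection) across one process tree in constructed logs."""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): "<type>|<pid>|<ppid>|<detail>"
SAMPLE_LOG = """\
exec|501|1|/Applications/Safari.app/Contents/MacOS/Safari
exec|742|1|/Users/alice/Downloads/CryptoTool.app/Contents/MacOS/CryptoTool
exec|743|742|/usr/bin/osascript -e 'display dialog "Enter password" default answer "" with hidden answer'
file|742|1|create /private/tmp/report.zip
net|742|1|connect api.telegram.org:443
exec|800|1|/usr/bin/osascript -e 'display notification "Build done"'
"""

TELEGRAM_HOSTS = ("api.telegram.org",)
# AppleScript idiom for a masked text field; a legitimate notification does not use it
PASSWORD_DIALOG = re.compile(r"display dialog.*with hidden answer")
TRUSTED_PARENTS = ("/System/", "/usr/", "/Applications/Safari.app")  # assumed allow-list

def correlate(log: str) -> dict:
    """Return {root_pid: [indicator names]} for every process tree showing
    at least one of the behaviours the page lists."""
    exe_by_pid, ppid_by_pid, hits = {}, {}, defaultdict(list)
    for line in log.splitlines():
        kind, pid, ppid, detail = line.split("|", 3)
        pid, ppid = int(pid), int(ppid)
        ppid_by_pid[pid] = ppid
        if kind == "exec":
            exe_by_pid[pid] = detail
        root = pid
        while ppid_by_pid.get(root, 1) != 1:  # walk up to the launched application
            root = ppid_by_pid[root]
        if kind == "exec" and "osascript" in detail and PASSWORD_DIALOG.search(detail):
            if not exe_by_pid.get(ppid, "").startswith(TRUSTED_PARENTS):
                hits[root].append("osascript_password_prompt")
        elif kind == "file" and detail.endswith(".zip") and "/tmp/" in detail:
            hits[root].append("zip_staging_in_tmp")
        elif kind == "net" and detail.split()[-1].split(":")[0] in TELEGRAM_HOSTS:
            hits[root].append("telegram_api_connection")
    return dict(hits)

def score(indicators: list) -> str:
    """Three distinct indicators on one tree is the full chain the page describes."""
    return "high" if len(set(indicators)) >= 3 else "low"
```

Run on the constructed log, only the tree rooted at the downloaded CryptoTool app (pid 742) collects all three indicators; the benign osascript notification from pid 800 produces none.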
MacStealer is a macOS information stealer sold on Telegram that uses a fake system password dialog to harvest credentials. It steals browser passwords, Keychain data, and cryptocurrency wallet files, packaging everything into a ZIP sent to the attacker via Telegram.
MacStealer uses macOS's built-in osascript command to display a fake system password dialog that looks identical to a legitimate macOS prompt. If you enter your password, the malware captures it and gains access to your Keychain and other protected data.
Real macOS password prompts come from System Settings or specific system processes. If a password prompt appears immediately after opening a new application, especially one downloaded outside the App Store, it is likely fake. CoreLock can detect and block these fake prompts in real time.
Download CoreLock to detect and remove MacStealer and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.