Realst is a macOS information stealer written in Rust, first discovered in 2023, that targets cryptocurrency users through fake blockchain games. It steals browser data, Keychain passwords, and cryptocurrency wallet information. Some variants were even compiled for macOS Sonoma before its official release, showing the developers' sophistication. CoreLock detects Realst through YARA rules targeting its Rust-compiled binary patterns, behavioral monitoring of AppleScript password harvesting dialogs, code signing verification flagging unsigned game installers, and network analysis identifying C2 communication patterns.
Also known as: Realst Stealer, Realst Infostealer
Fake blockchain and play-to-earn game websites promoted on social media
Direct messages on Twitter/X and Discord from fake gaming communities
Malicious PKG and DMG installers disguised as game clients
AppleScript-based dialogs harvesting passwords during installation
Recently installed a blockchain game from a link shared on social media
AppleScript dialogs asking for your system password during game setup
Browser saved passwords or crypto wallet balances unexpectedly changed
Suspicious Rust-compiled binaries in your Applications or Downloads folder
Immediately cut your network connection to stop any ongoing data exfiltration to the attacker's servers.
Remove the blockchain game app from /Applications and ~/Downloads, and check ~/Library/Application Support for related folders. Empty the Trash afterward.
Check ~/Library/LaunchAgents for suspicious plist files created around the same time as the game installation. Remove any you do not recognize.
Change all passwords stored in your browser and Keychain. Move cryptocurrency to new wallets generated on a clean device. Revoke active sessions on exchanges.
Run a full CoreLock scan to detect any residual components, secondary payloads, or persistence artifacts left behind by the stealer.
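The LaunchAgents check in the removal steps above can be scripted. The following is an added example, not CoreLock tooling or code from the original page; it assumes Python 3 is installed and takes the modification time of the game installer or app (a path you supply) as the reference point. The function name `launch_agents_near` and the 24-hour default window are assumptions.

```python
import plistlib
import sys
import time
from pathlib import Path


def launch_agents_near(agents_dir, reference_time, window_hours=24):
    """List LaunchAgents plists modified within window_hours of reference_time.

    reference_time is epoch seconds, e.g. the mtime of the game installer.
    Returns one dict per plist, oldest first.
    """
    window = window_hours * 3600
    findings = []
    for plist in Path(agents_dir).expanduser().glob("*.plist"):
        mtime = plist.lstat().st_mtime  # lstat: do not fail on dangling symlinks
        if abs(mtime - reference_time) > window:
            continue
        entry = {"path": str(plist), "modified": mtime, "label": None,
                 "program": None, "run_at_load": False, "parse_error": False}
        try:
            with plist.open("rb") as fh:  # plistlib reads XML and binary plists
                job = plistlib.load(fh)
            args = job.get("ProgramArguments") or []
            entry["label"] = job.get("Label")
            entry["program"] = job.get("Program") or (args[0] if args else None)
            entry["run_at_load"] = bool(job.get("RunAtLoad", False))
        except Exception:
            # An unreadable plist inside the window still needs a manual look.
            entry["parse_error"] = True
        findings.append(entry)
    return sorted(findings, key=lambda e: e["modified"])


if __name__ == "__main__":
    # Usage: python3 agents_near.py /path/to/installer-or-app [hours]
    ref = Path(sys.argv[1]).stat().st_mtime
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 24
    for e in launch_agents_near("~/Library/LaunchAgents", ref, hours):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(e["modified"]))
        print(stamp, e["path"], e["label"], e["program"],
              "RunAtLoad" if e["run_at_load"] else "",
              "UNPARSEABLE" if e["parse_error"] else "")
```

The script only lists candidates. Check that each reported program path belongs to software you recognize before removing its plist.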
Never download games or apps promoted via unsolicited DMs on social media
Verify game developers through official channels before installing anything
Use hardware wallets for significant cryptocurrency holdings
Enable CoreLock real-time monitoring to flag suspicious Rust binaries and AppleScript execution
Real-time Detection
CoreLock detects Realst through YARA rules targeting its Rust-compiled binary patterns, behavioral monitoring of AppleScript password harvesting dialogs, code signing verification flagging unsigned game installers, and network analysis identifying C2 communication patterns.
Realst is a macOS stealer written in Rust that spreads through fake blockchain games. It steals browser passwords, Keychain data, and cryptocurrency wallet files. Discovered in 2023, it targets crypto enthusiasts through social engineering on platforms like Twitter and Discord.
Realst spreads through fake play-to-earn blockchain game websites. Attackers reach out via Twitter/X DMs, Discord, or Telegram, inviting victims to try their 'new game.' The game installer is a malicious PKG or DMG that installs the stealer.
Yes. Realst specifically targets cryptocurrency wallets including MetaMask, Phantom, and other browser extensions. It extracts wallet data, seed phrases stored in browsers, and Keychain entries related to exchanges. Use hardware wallets to protect significant holdings.