MacOS Malware ‘Cthulu Stealer’ Is Draining Crypto Wallets—Here’s How to Spot It

In a concerning development for macOS users and cryptocurrency holders, security researchers have identified a new malware-as-a-service (MaaS) named “Cthulhu Stealer.”

According to a recent Cado Security report, this malware specifically targets macOS systems, challenging the long-held belief that Apple’s operating system is immune to such threats.

While macOS has maintained a reputation for security, recent years have seen an uptick in malware targeting Apple’s platform. Notable examples include Silver Sparrow, KeRanger, and Atomic Stealer. Cthulhu Stealer is the latest addition to this growing list, indicating a shift in the cybersecurity landscape for macOS users.

Cthulhu Stealer is distributed as an Apple disk image (DMG) file, disguising itself as legitimate software such as CleanMyMac, Grand Theft Auto IV, or Adobe GenP, according to the Cado report. The malware, written in GoLang, is designed for both x86_64 and ARM architectures. This follows recent reports of another crypto-stealing malware targeting Call of Duty players.

Upon execution, the malware uses osascript to prompt users for their system password and MetaMask credentials. It then creates a directory in ‘/Users/Shared/NW’ to store stolen information. The malware’s primary function is to extract credentials and cryptocurrency wallets from various sources, including browser cookies, game accounts, and multiple cryptocurrency wallets.

Cthulhu Stealer shares similarities with Atomic Stealer, another macOS-targeted malware identified in 2023. Both are written in Go and focus on stealing crypto wallets, browser credentials, and keychain data. The resemblance in functionality suggests that Cthulhu Stealer may be a modified version of Atomic Stealer.

The malware is operated by a group known as “Cthulhu Team,” who use Telegram for communication. They offer the stealer for rent at $500 per month as part of a malware-as-a-service model, with affiliates responsible for deployment and receiving a percentage of the earnings.

Malware-as-a-service is a business model in the cybercrime world where malicious software and related services are sold or rented to customers, typically other criminals. This allows individuals or groups without advanced technical skills to conduct cyberattacks using pre-made malware tools and infrastructure. MaaS providers often offer customer support, updates, and customization options, similar to legitimate software services.

However, recent developments suggest trouble within the operation.

Affiliates have lodged complaints against the main developer, known as “Cthulhu” or “Balaclavv,” accusing them of withholding payments, according to Cado’s report. The researchers noted that this has led to the developer being banned from at least one malware marketplace.

Edited by Stacy Elliott.