Since September, Check Point Research (CPR) has been tracking a new version of the Banshee macOS Stealer, a malware designed to steal browser credentials, cryptocurrency wallets, and other sensitive data. This latest version remained undetected for over two months due to its use of string encryption from Apple’s XProtect, which likely helped it evade antivirus detection. The malware was spread through phishing websites and fake GitHub repositories, often posing as popular software like Chrome and Telegram. A significant update in this version removed a Russian language check, broadening its range of potential targets. The emergence of Banshee Stealer underscores the increasing risks to macOS users and highlights the need for advanced cybersecurity measures and heightened vigilance.
As macOS continues to gain popularity, with over 100 million users globally, it’s becoming an increasingly attractive target for cyber criminals. Despite its reputation as a secure operating system, the rise of sophisticated threats like the Banshee MacOS Stealer highlights the importance of vigilance and proactive cyber security measures.
This is according to Check Point Research (CPR), which has been monitoring this emerging malware targeting macOS users.
Here’s what businesses and users need to know.
When Security Assumptions Fall Short
Many macOS users assume that the platform’s Unix-based architecture and historically lower market share make it a less attractive target for cyber criminals and therefore, immune to malware. While macOS does include robust security features like Gatekeeper, XProtect, and sandboxing, the rise of the Banshee stealer serves as a reminder that no operating system is immune to threats. This stealthy malware doesn’t just infiltrate; it operates undetected, blending seamlessly with normal system processes while stealing browser credentials, cryptocurrency wallets, user passwords, and sensitive file data. What makes Banshee truly alarming is its ability to evade detection. Even seasoned IT professionals struggle to identify its presence. Banshee stealer isn’t just another piece of malware—it’s a critical warning for users to reassess their security assumptions and take proactive measures to safeguard their data.
The Evolution of Banshee Stealer: A New Breed of Threat
The Banshee MacOS Stealer first came to public attention in mid-2024, advertised as a “stealer-as-a-service” on underground forums, such as XSS and Exploit, and Telegram. For $3,000, threat actors could purchase this malware to target macOS users. In late September, CPR identified a new, undetected version of Banshee featuring an interesting twist: its developers had “stolen” a string encryption algorithm from Apple’s own XProtect antivirus engine, which replaced the plain text strings used in the original version.
This move likely allowed Banshee to evade detection by antivirus engines for over two months. During this time, threat actors distributed the malware through phishing websites and malicious GitHub repositories, posing as popular software tools such as Chrome, Telegram, and TradingView. Banshee’s operations took a significant turn in November 2024 when its source code was leaked on XSS underground forums and was shut down to the public. This leak not only exposed its inner workings but also led to better detection by antivirus engines. While this leak led to better detection by antivirus engines, it also raised concerns about new variants being developed by other actors.
How Banshee Stealer Operates
Banshee Stealer’s functionality reveals the sophistication behind modern malware. Once installed, it:
-
Steals system data: Targets browsers like Chrome, Brave, Edge, and Vivaldi, along with browser extensions for cryptocurrency wallets. It also exploits a Two-Factor Authentication (2FA) extension to capture sensitive credentials. Additionally, it collects software and hardware details, external IP addresses, and macOS passwords.
Threat actors used GitHub repositories as a key distribution method for Banshee. These campaigns targeted macOS users with Banshee while simultaneously targeting Windows users with a different though already known malware called Lumma Stealer. Over three waves, malicious repositories were created to impersonate popular software and lure users into downloading the malware. These repositories often appeared legitimate, with stars and reviews to build trust before launching their malicious campaigns.
Why This Matters to Businesses
“Businesses must recognise the broader risks posed by modern malware, including costly data breaches that compromise sensitive information and damage reputations, targeted attacks on cryptocurrency wallets that threaten digital assets, and operational disruptions caused by stealthy malware that evades detection and inflicts long-term harm before being identified,” says Check Point Consultant Hendrik de Bruin.
Lessons from the Banshee Stealer
Banshee’s success underscores the evolving nature of cyber threats and the need for robust defenses. Since its source code was leaked in November 2024, Banshee Stealer-as-a-service operation has been officially shut down. However, CPR has identified multiple campaigns still distributing the malware through phishing websites. Whether these campaigns are being carried out by previous customers or the author’s private group remains unclear.
One notable update in the latest version of Banshee is the removal of its Russian language check. Previous malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions. Removing this feature indicates an expansion in the malware’s potential targets.
“As cyber criminals continue to innovate, security solutions must evolve in tandem to provide comprehensive protection. Businesses and users alike must take proactive steps to defend against threats, leveraging advanced tools and fostering a culture of caution and awareness.
Check Point Research remains committed to uncovering and mitigating these risks. By staying informed and investing in robust cyber security measures, organisations can protect their data and maintain resilience in the face of these threats,” de Bruin concludes.
