A new threat campaign targeting macOS users has been dissected by blockchain security firm SlowMist, revealing a sophisticated information stealer capable of hijacking authenticated Telegram sessions, copying cryptocurrency wallet databases, and silently replacing legitimate wallet software with attacker-controlled phishing clones. The discovery underscores a troubling maturation in crypto-targeted malware: attackers are no longer simply phishing for seed phrases — they are engineering deep, persistent access to victims' digital identities and funds in a single, automated strike.

The mechanics of the campaign are deceptively straightforward. It begins with a fake community application distributed through Google Sites — a deliberate choice, since Google's infrastructure lends an air of legitimacy that might lower a cautious user's guard. From that landing point, victims are funneled toward one of two infection vectors: downloading an AppleScript file or executing a Terminal command that is dressed up as a routine security-verification step. Neither action appears obviously malicious to an untrained eye, which is precisely the point. Social engineering remains the most reliable tool in an attacker's arsenal, and this operation deploys it with precision.

Once the initial foothold is established, the malware's capabilities become genuinely alarming. Seizing an authenticated Telegram session is not merely an inconvenience — it grants the attacker full access to the victim's conversations, contacts, and any sensitive data exchanged through the application, all without triggering a new login notification or requiring credentials. For crypto traders and project insiders who routinely discuss wallet addresses, transaction hashes, and private group intelligence on Telegram, a hijacked session is a catastrophic exposure that extends well beyond the wallet itself.

The wallet-targeting component of the attack is where the financial damage becomes direct and immediate. By copying wallet database files, the malware extracts stored keys and transactional metadata in a form that attackers can process offline and at leisure. More insidious still is the application-replacement function: legitimate wallet software installed on the victim's machine is swapped out for a visually identical phishing version under attacker control. A user who notices nothing wrong and opens what they believe to be their trusted wallet application is, in reality, handing every subsequent credential entry directly to the threat actor. This technique effectively converts the victim into an unwitting participant in their own theft.

The use of AppleScript as a delivery mechanism deserves particular attention. AppleScript is a native macOS scripting language with deep system-level access, and because it is a built-in component of the operating system, execution may not trigger the same alerts that accompany unsigned third-party applications. Combined with a Terminal command framed as a security check — a social engineering lure that has become increasingly common across crypto-targeting campaigns — the attack chain is engineered to exploit both technical blind spots and user trust simultaneously.

Distributing the initial lure through Google Sites reflects a broader industry trend in which attackers abuse reputable cloud infrastructure to sidestep domain-reputation filters and security scanners. A URL resolving to sites.google.com carries implicit trust for many users and security tools alike, making it an attractive staging ground that requires no dedicated infrastructure investment from the attacker. This pattern has appeared in multiple campaigns over the past two years, and its continued use suggests it remains effective enough to warrant ongoing deployment.

For the crypto community, SlowMist's findings arrive as a pointed reminder that macOS is no longer the relatively low-risk environment it was once perceived to be. As the platform's adoption has grown among high-net-worth individuals, developers, and institutional participants in the digital asset space, so too has its attractiveness as a target. The assumption that macOS users face a materially lower threat landscape than their Windows counterparts is one the industry can no longer afford to hold.

Practically speaking, users should treat any instruction to run a Terminal command or execute a script file as a significant red flag, regardless of the apparent legitimacy of the site from which it originates. Wallet applications should be downloaded exclusively from official developer sources and verified against published checksums where available. Telegram users in crypto communities — particularly those with access to sensitive project information — should enable two-step verification and periodically audit active sessions through the application's security settings, terminating any sessions they do not recognize. Hardware wallets, which keep private keys isolated from the host operating system entirely, remain the most effective structural defense against database-copying attacks of this kind.

SlowMist's disclosure is a necessary public service, but it also illuminates a market gap: the tooling available to ordinary crypto users for detecting and responding to this class of macOS-level intrusion remains thin. As threat actors continue refining multi-vector attacks that combine social engineering, native scripting languages, and infrastructure camouflage, the security community's ability to surface and communicate these threats quickly will be as important as the technical defenses themselves.

Written by the editorial team — independent journalism powered by Bitcoin News.