A new macOS data stealer is going after Apple users

News
By published

Cthulhu Stealer is capable of grabbing passwords, system data, and more.

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Cybersecurity experts from Cado Security have uncovered a new information-stealing malware, targeting Apple macOS endpoints.

The malware is called Cthulhu Stealer, and is capable of stealing all sorts of data - system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.

Furthermore, it prompts victims to enter their system password, as well as login details for the popular MetaMask cryptocurrency wallet.

A copy of Atomic Stealer

"The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Cado Security’s researchers said in their report.

"The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes."

Victims are usually tricked into downloading the malware, the researchers added, as it is advertised as legitimate software and games, posing as the likes of CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open source tool that allows Adobe users to work around Creative Cloud services and activate the software without a serial key).

For the malware to work, the victims need to give explicit consent (since the infostealer needs to make it past Gatekeeper protections). However, since they expect legitimate software, most victims probably grant this consent.

Once Cthulhu, which apparently costs $500 a month to run and works on both x86_64, and Arm architecture, grabs all the interesting information, it compresses it into a .ZIP archive and then exfiltrates, by unknown means, to a command-and-control (C2) server.

The good news is that the malware isn’t particularly advanced, and will probably picked up by most of the best antivirus products available today.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Ransomware
Microsoft spies a new and worrying macOS malware strain
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Mac users targeted with new malware, so be on your guard
Android phone malware
Screen reading malware found in iOS app stores for first time - and it might steal your cryptocurrency
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Neon artwork of a stylised SSD against a brick wall.

The dawn of PCIe 7.0 could mean faster SSDs for everyone - but not just yet
See more latest
Most Popular
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Micron SOCAMM memory module
World's biggest RAM vendors develop superior memory form factor exclusively for Nvidia, sorry Intel and AMD
Asus Vivobook 18
The Asus Vivobook 18 is the only affordable 18-inch laptop right now, and it comes with a powerful CPU no other laptop has
Peter Claffey as Ser Duncan the Tall in The Knight Of The Seven Kingdoms
A Knight Of The Seven Kingdoms: The Hedge Knight – everything we know so far about HBO's Game of Thrones prequel
Vinpower iXFlash and iXFlash Cube
This tiny 2TB USB Flash drive can both charge and backup your iPhone at the same time
Compal Adapt X modular laptop
One of the largest laptop manufacturers releases concept pictures of Adapt X, a modular laptop in the same vein as Framework