MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
Source Entity
Cointelegraph by Zoltan Vardai

A sophisticated macOS malware is actively targeting Telegram sessions and various cryptocurrency wallets to steal sensitive credentials. Users are urged to be cautious of fake applications designed to phish for recovery phrases.
The Rising Threat to macOS Ecosystems
Recent reports from the blockchain security firm SlowMist have uncovered a sophisticated information-stealing malware specifically targeting macOS users. This malicious software is designed to infiltrate systems and bypass standard security layers to gain access to highly sensitive data, including Telegram Desktop sessions and various cryptocurrency wallet databases. The emergence of this threat highlights a significant shift in cybercriminal tactics, moving away from broad-spectrum attacks toward highly targeted operations aimed at high-value digital assets.
Mechanics of the Infiltration
The malware operates by systematically harvesting data from the macOS Keychain, Safari cookies, and Apple Notes, providing attackers with a comprehensive profile of the victim's digital life. By successfully copying authenticated Telegram Desktop session data, the attackers can effectively impersonate the user, potentially accessing private conversations and sensitive business communications. This breach of session integrity is particularly alarming as it allows for unauthorized access without needing to bypass two-factor authentication if the session is already active.
Targeting the Crypto Infrastructure
Beyond communication platforms, the primary goal of this malware appears to be the theft of cryptocurrency holdings. The malicious code is configured to locate and exfiltrate databases associated with over a dozen popular cryptocurrency wallets. Furthermore, it explicitly searches for wallet data stored by full-node clients, including Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core. By harvesting these databases, attackers can attempt to decrypt the information offline using passwords obtained from the system's Keychain or other stored browser data.
Social Engineering and Phishing Tactics
In addition to technical extraction, the malware employs social engineering tactics to deceive users. It utilizes fake applications specifically designed to trick victims into voluntarily entering their wallet recovery phrases. This method targets the most critical point of failure in security: the human user. By masquerading as legitimate software, the malware exploits the trust users place in their operating system, turning the device into a conduit for the theft of private keys.
Broader Implications and Future Trends
This development signifies a growing trend where macOS is no longer viewed as an impenetrable fortress by cybercriminals. As cryptocurrency adoption grows and desktop-based messaging apps like Telegram become central to digital asset management, the motivation for such attacks will likely increase. This event serves as a stark reminder for users to practice rigorous digital hygiene, including the use of hardware wallets, avoiding unofficial application downloads, and maintaining strong, unique passwords that are not stored in easily accessible local files.
Conclusion
The discovery by SlowMist underscores the evolving threat landscape facing macOS users. As attackers refine their methods for decrypting wallet data offline and hijacking active sessions, the barrier to entry for digital asset theft continues to lower. Future security trends will likely focus on more robust encryption for local wallet databases and enhanced sandboxing for messaging applications to prevent the unauthorized copying of session tokens.