Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

Banshee

Banshee is a macOS infostealer/MaaS family observed in 2024 and 2025 and part of the broader macOS stealer ecosystem alongside Atomic, Poseidon, and Cthulhu. It has been observed targeting macOS systems across numerous organizations. Reported capabilities include bypassing Apple’s XProtect, validating user passwords with the command dscl /Local/Default -authonly, and stealing data from macOS Keychain, web browsers, and cryptocurrency wallets. The malware includes anti-analysis behavior, including avoiding Russian-language systems. Distribution has been described as malware-as-a-service and often involves disguising the malware as legitimate applications such as Obsidian; additional reporting notes macOS stealers including Banshee being distributed via free/cracked software and malicious ads. The source code for Banshee reportedly leaked. High-confidence targeting is macOS users, particularly for credential, browser, and crypto-wallet theft.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
moonlock blogNews
Apr 8, 2026
notnullOSX: A new Mac stealer targeting $10K+ crypto wallets

A named macOS stealer referenced as part of the broader stealer ecosystem discussed in the article.

Read more
emsisoftNews
Nov 20, 2025
Mac Specific Threats and Analysis

macOS infostealer (MaaS) that validates user passwords via dscl auth checks, includes anti-analysis/locale checks, and targets Keychain, browser data, and crypto wallets; noted for XProtect bypass.

Read more
scworldNews
Nov 3, 2025
Infostealers have transformed cybercrime – here’s how CISOs can stop them

A macOS infostealer family observed in the wild, often delivered through cracked software and malicious advertising, intended to harvest credentials and other monetizable information.

Read more
red canary threat reportNews
Mar 11, 2024
Info Stealers | Red Canary Threat Detection Report

macOS stealer family referenced as active in 2024; source code reportedly leaked.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.