Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

MacStealer

MacStealer is a macOS-focused information stealer observed in 2023 and referenced alongside other emerging macOS infostealer families such as Atomic Stealer, Pureland, RealStealer, RustBucket, DazzleSpy, and MacSync Stealer. The provided content identifies it as malware used to target macOS users, but does not supply high-confidence technical details about its internal functionality, persistence, command-and-control infrastructure, specific infection chain, or indicators of compromise unique to MacStealer itself. The content does state that attackers have used social-engineering tactics, including abusing ChatGPT-themed lures, to trick Mac users into installing MacStealer. Based on the available material, MacStealer should be characterized as a macOS-targeting infostealer family seen in 2023, but further behavioral and IOC-level enrichment is not available in the provided content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1204User ExecutionEvidence1

MacStealer arrives to target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated to download and execute this file onto their systems.

Credential Access

3 techniques
T1056Input CaptureEvidence1

Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system’s temporary folder (TMP).

T1555Credentials from Password StoresEvidence1

It can also extract the base64-encoded form of the database of Keychain, Apple’s password manager... Keychain database in its encoded (base64) form Keychain password in text format

T1555.003Credentials from Web BrowsersEvidence1

Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave

Collection

3 techniques
T1005Data from Local SystemEvidence1

The malware then proceeds to collect and save the following... Cryptocurrency wallets... Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB) System information in text form

T1056Input CaptureEvidence1

Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system’s temporary folder (TMP).

T1560Archive Collected DataEvidence1

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later.

Command and Control

1 technique
T1071Application Layer ProtocolEvidence1

MacStealer uses channels in Telegram as its command-and-control (C2) center.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.md5●●●●●●●●●●●●View more in app20 days ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
9to5macNews
Dec 22, 2025
MacSync Stealer variant finds a way to bypass Apple malware protections

MacStealer is a stealer malware targeting Mac users, typically distributed through social engineering tactics such as tricking users into running malicious commands.

Read more
sentinelone blogNews
Jan 11, 2024
Mac Stealer Malware | macOS MetaStealer Spreads in Targeted Attacks

Named as one of several new macOS infostealer families observed in 2023.

Read more
sentinelone blogNews
May 3, 2023
Atomic Stealer: New Variant of macOS Malware on Telegram

A macOS-specific infostealer mentioned as being offered for sale in crimeware forums.

Read more
cyble blog historicNews
Apr 26, 2023
New Atomic MacOS Stealer For Sale On Telegram

Previously, there have been several cases where Threat Actors have targeted macOS users with various families of malware, including MacStealer, RustBucket, DazzleSpy, etc.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.