Check Point Research (CPR) has uncovered a new, stealthier version of the Banshee macOS stealer, which was first reported in the second half of 2024. The notable development is that the infostealer's latest version introduces string encryption taken from Apple's XProtect, which likely causes antivirus detection systems to overlook the malware and makes it a more potent threat to users.
New Banshee Stealer Version Bypassing Antivirus Protections threatening over 100 million macOS users
Since the source code for Banshee Stealer was leaked in November 2024, its operation was reported to have officially shut down. However, Check Point Research (CPR) has uncovered ongoing campaigns actively distributing Banshee Stealer via phishing websites. Compounding the threat, a fresh version of Banshee has been detected, capable of stealing sensitive data and cryptocurrency wallet information from macOS users, a population said to exceed 100 million according to a Statista report. As macOS devices become increasingly popular, they are emerging as a prime target for cybercriminals, challenging the common assumption that built-in security features like XProtect offer comprehensive protection.
This discovery highlights the persistent danger of leaked malware, which continues to fuel cyberattacks even after official operations cease. As the use of macOS-based crypto wallets grows, it becomes more critical for users to adopt proactive cyber security measures. While XProtect offers valuable defense, the evolving sophistication of malware demands additional vigilance and layered security to protect against emerging threats.
Banshee Stealer Targets macOS Wallets and Sensitive Data
Sensitive Data Exposure: The malware targets a wide range of personal data, including crypto wallet credentials.
Crypto Wallets: Popular wallets on macOS devices, such as Trust Wallet, MetaMask, and Coinbase Wallet, are among the primary targets. According to a report from Dune Analytics, Trust Wallet has nearly 170 million users worldwide, with approximately 2.5 million new users joining each month.
New Operators of Banshee Stealer Break Tradition by Targeting Russian Users
One of the key changes in the latest version of Banshee Stealer is the removal of the Russian language check—a feature that previously caused the malware to terminate operations when it detected Russian language settings. This change signals a significant shift in targeting strategy, suggesting that the malware is now being utilized by new threat actors who are unconcerned about impacting Russian users. Unlike the original operators, who deliberately avoided Russian targets, these new groups appear to have no such geographic or political constraints, further broadening the malware’s potential reach and amplifying its global threat.
Eli Smadja, Security Research Group Manager at CPR: “macOS is exposed to attacks just like any other operating system. Like any other operating system, it has been historically regarded as more secure than Windows, though this perception is gradually evolving. Modern malware campaigns, which target both macOS and Windows users, are growing more sophisticated in their methods. Cybercriminals rely heavily on social engineering techniques, such as phishing and fake software updates, to trick users into downloading harmful software. These attacks are not limited to just one operating system—they are designed to exploit common human vulnerabilities, not platform-specific flaws.”