
Cado Security Warns Mac Users About Crypto-Wallet Thief Cthulhu Stealer

Cado Security warns Apple Mac users about malware called "Cthulhu Stealer" that steals their personal details and crypto assets.

In a recent blog post titled ‘From the Depths: Analyzing the Cthulhu Stealer Malware for macOS,’ cybersecurity firm Cado Security warned Apple Mac users about malware called Cthulhu Stealer, which can compromise their personal details and crypto assets.

Tara Gould, one of Cado's researchers, explained in the post that although macOS has a strong reputation for security, the growing list of threats such as Silver Sparrow, KeRanger, and Atomic Stealer shows that it is not immune to malware.

With the recent emergence of the malware-as-a-service (MaaS) offering "Cthulhu Stealer", Mac users need to be careful not to lose their crypto assets. The malware appeared in late 2023 and has been available to bad actors on the dark web for $500 a month, with the operation run through the Telegram messaging platform.

Cthulhu Stealer Posing as Genuine Software

According to Gould's post, Cthulhu Stealer ships as an Apple disk image (DMG) bundling two binaries, and poses as legitimate software such as CleanMyMac, Adobe GenP, or Grand Theft Auto IV.

Once an unsuspecting user downloads and opens the app, the malware prompts for the user's system password. It does this with osascript, macOS's command-line tool for running AppleScript and JavaScript for Automation, which can display a native-looking password dialog.

The malware then prompts for a second password, this one for the MetaMask Ethereum wallet, and goes after data from other popular wallets as well: Coinbase, Binance, Electrum, Wasabi, Atomic, Trust, Coinomi, Blockchain Wallet, and wallet extensions installed in Chrome.

After collecting this data, the malware writes it to text files, bundles them into a zip archive, fingerprints the victim's system, and records details such as the IP address and operating system version.
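The chain described above, an app launched from a freshly mounted DMG invoking osascript to show a masked password dialog that sometimes names a wallet, is what a defender can actually hunt for. The following is an added example written for this article, not code from Cado Security or from the malware: detection logic run over a few constructed process-execution events. The pipe-separated event layout, the field names and the sample command lines are assumptions made for illustration; the osascript `display dialog ... default answer ... with hidden answer` idiom is the standard AppleScript way to show a masked text prompt.

```python
"""Flag osascript password prompts launched from a mounted disk image.

Added example for this article; not Cado Security's or the malware's code.
Event format (constructed, hypothetical EDR export, one event per line):
    <timestamp>|<pid>|<ppid>|<parent image path>|<command line>
"""
import os
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    pid: int
    parent: str
    severity: str
    reasons: list = field(default_factory=list)


# AppleScript idiom for a masked text field: 'default answer' turns the
# dialog into a text prompt, 'with hidden answer' masks what is typed.
HIDDEN_PROMPT = re.compile(
    r"display dialog\b.*\bdefault answer\b.*\bwith hidden answer\b", re.S
)

# Wallets named in the article; matched case-insensitively in prompt text.
WALLET_NAMES = (
    "metamask", "coinbase", "binance", "electrum", "wasabi",
    "atomic wallet", "trust wallet", "coinomi", "blockchain wallet",
)

# Constructed sample events (not real telemetry). The second and third mimic
# a fake "CleanMyMac" running from a mounted DMG under /Volumes/.
SAMPLE_EVENTS = [
    "2024-08-22T10:01:03|5120|1|/sbin/launchd|"
    "/usr/bin/osascript /Users/dev/build.applescript",
    "2024-08-22T10:02:11|5133|5131|"
    "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac|"
    "/usr/bin/osascript -e 'display dialog \"macOS needs to access System "
    "Settings\\n\\nPlease enter your password.\" with title \"System "
    "Preferences\" with icon caution default answer \"\" with hidden answer'",
    "2024-08-22T10:02:40|5140|5131|"
    "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac|"
    "/usr/bin/osascript -e 'display dialog \"Enter your MetaMask password\" "
    "default answer \"\" with hidden answer'",
    "2024-08-22T10:03:00|5150|5149|/Applications/Safari.app/Contents/MacOS/Safari|"
    "/usr/bin/osascript -e 'display notification \"Done\"'",
]


def parse_event(line: str) -> dict:
    """Split one pipe-separated event; the command line may itself contain
    spaces and quotes, so it is the last field and is never split."""
    ts, pid, ppid, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid),
            "parent": parent, "cmdline": cmdline}


def analyze(events) -> list:
    """Return one Finding per osascript masked-password prompt, rated
    'high' when the parent runs from a mounted image or names a wallet."""
    findings = []
    for line in events:
        ev = parse_event(line)
        argv0 = ev["cmdline"].split(None, 1)[0]
        if os.path.basename(argv0) != "osascript":
            continue
        cmd = ev["cmdline"].lower()
        # osascript has many legitimate uses; only masked prompts matter here.
        if not HIDDEN_PROMPT.search(cmd):
            continue
        reasons = ["osascript masked password prompt"]
        severity = "medium"
        if ev["parent"].startswith("/Volumes/"):
            reasons.append("parent process runs from a mounted disk image")
            severity = "high"
        named = [w for w in WALLET_NAMES if w in cmd]
        if named:
            reasons.append("prompt names crypto wallet(s): " + ", ".join(named))
            severity = "high"
        findings.append(Finding(ev["pid"], ev["parent"], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent}")
        for r in f.reasons:
            print("   -", r)
```

The same rules can be fed from an EDR's process-creation telemetry. The /Volumes/ check is a strong signal on its own: legitimate software rarely asks for a password while still running from a mounted disk image rather than from /Applications, and a prompt whose text names a wallet product should be treated as phishing until proven otherwise.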

Cado Compares Cthulhu Stealer to Atomic Stealer

In the post, the cybersecurity firm noted that Cthulhu Stealer resembles Atomic Stealer, another macOS malware that steals crypto wallets, keychain items, and browser credentials from its victims.

A comparison of Atomic Stealer and Cthulhu Stealer shows different pricing models: the former charges affiliates $1,000 a month, the latter $500.

Otherwise, the two share much the same feature set and functionality, which suggests that the developer of Cthulhu Stealer adapted and modified the Atomic Stealer codebase to create a new variant.

Although the Cthulhu Team appears to have stopped operating, Mac users remain at risk from threats like this and need to stay vigilant and exercise caution when downloading new apps, particularly unsigned software distributed outside the App Store.

Android users are not immune either, according to a recent report. Florida resident Maria Vaca filed a $5 million lawsuit against Google after losing her crypto holdings to an allegedly fraudulent crypto wallet app she had downloaded from the Google Play store.
