In a concerning development for macOS users and cryptocurrency holders, security researchers have identified a new malware-as-a-service (MaaS) threat named "Cthulhu Stealer." According to a recent report by Cado Security, the malware targets macOS specifically, undercutting the long-held belief that Apple's operating system is not a worthwhile target for commodity malware. While macOS has maintained a reputation for security, recent years have seen a steady rise in malware aimed at Apple's platform; notable examples include Silver Sparrow, KeRanger, and Atomic Stealer. Cthulhu Stealer is the latest addition to that list, and another sign that infostealers, which have long been a Windows problem, are now a routine part of the macOS threat landscape.

How Cthulhu Stealer Works

Cthulhu Stealer is distributed as an Apple disk image (DMG) file that poses as legitimate software such as CleanMyMac, Grand Theft Auto IV, or Adobe GenP. Written in Go and built for both x86_64 and ARM (Apple silicon) Macs, the malware operates by:
  • Using osascript to display fake dialogs that ask the user for their system password and then for their MetaMask credentials. Anything typed into those prompts goes straight to the attacker, so a user who entered a password there should treat it as compromised.
  • Creating the directory /Users/Shared/NW and using it to stage stolen data.
  • Harvesting credentials and wallet data from a range of sources, including browser cookies, game accounts, and numerous cryptocurrency wallets.
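The two behaviours above are also the easiest to look for on a suspect machine: a bare osascript process drawing a masked-input dialog, and the /Users/Shared/NW staging directory. The following triage script is an added example, not code from the article or from Cado Security's report. It parses `ps -axo pid,ppid,command` output and flags osascript invocations that use AppleScript's `display dialog ... with hidden answer` idiom (the standard way to draw a password-style prompt; that the stealer uses exactly this idiom, and the dialog wording in the sample, are assumptions), and it walks the staging directory under a caller-supplied root so the check can be exercised against a scratch tree. The process listing is constructed for the example.

```python
import os
import re
import sys
import tempfile
from dataclasses import dataclass

# Staging directory the stealer creates (reported in the article).
STAGING_DIR = "/Users/Shared/NW"

# AppleScript idiom for a masked-input prompt. `display dialog ... default
# answer "" with hidden answer` is how a bare osascript draws a password box.
# Assumption: the fake system/MetaMask prompts use this idiom.
HIDDEN_ANSWER_RE = re.compile(
    r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.IGNORECASE
)
# Words expected in the fake dialogs (the article: system password, MetaMask).
KEYWORDS = ("password", "metamask")

# Constructed sample of `ps -axo pid,ppid,command` output. The dialog text is
# illustrative only; real samples may word the prompt differently.
SAMPLE_PS = """  PID  PPID COMMAND
    1     0 /sbin/launchd
  412     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 7731  7700 osascript -e display dialog "macOS needs to access System Settings\\n\\nPlease enter your password" default answer "" with icon caution buttons {"Continue"} default button "Continue" with hidden answer
 7735  7700 osascript -e display dialog "Please enter your MetaMask password" default answer "" with hidden answer
 7740   412 osascript -e display notification "Build finished" with title "Xcode"
"""


@dataclass
class Finding:
    pid: int
    ppid: int
    reason: str
    command: str


def parse_ps_line(line):
    """Split one `ps -axo pid,ppid,command` line into (pid, ppid, command)."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None  # header line or malformed line
    return int(parts[0]), int(parts[1]), parts[2]


def osascript_findings(ps_output):
    """Return osascript processes that draw a hidden-answer (password) dialog."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, ppid, cmd = parsed
        exe = os.path.basename(cmd.split(None, 1)[0])
        if exe != "osascript" or not HIDDEN_ANSWER_RE.search(cmd):
            continue
        hits = [k for k in KEYWORDS if k in cmd.lower()]
        reason = "osascript hidden-answer prompt"
        if hits:
            reason += " mentioning " + ", ".join(hits)
        # The parent PID is worth recording: the stealer, not the user's
        # shell, is what spawned the prompt.
        findings.append(Finding(pid, ppid, reason, cmd))
    return findings


def staging_dir_findings(root="/"):
    """List files under <root>/Users/Shared/NW, relative to root; [] if absent."""
    path = os.path.join(root, STAGING_DIR.lstrip("/"))
    if not os.path.isdir(path):
        return []
    found = []
    for dirpath, _, names in os.walk(path):
        for name in sorted(names):
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def build_demo_tree():
    """Create a scratch root containing a fake staging directory (for the demo)."""
    root = tempfile.mkdtemp(prefix="nw-demo-")
    nw = os.path.join(root, STAGING_DIR.lstrip("/"))
    os.makedirs(nw)
    with open(os.path.join(nw, "browser_cookies.txt"), "w") as fh:
        fh.write("constructed sample, not real cookie data\n")
    return root


if __name__ == "__main__":
    # Pipe `ps -axo pid,ppid,command` into this script on a real host;
    # with no input it runs against the constructed sample.
    ps_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    for f in osascript_findings(ps_text):
        print(f"pid={f.pid} ppid={f.ppid} {f.reason}: {f.command[:80]}")
    for rel in staging_dir_findings("/"):
        print(f"staged file: /{rel}")
```

A hit on the hidden-answer check is a triage lead, not proof by itself: some legitimate installers and admin scripts draw the same dialog. What matters is the parent process and the dialog text, so follow the ppid back to the binary that launched it before deciding.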

A Connection to Atomic Stealer

Cthulhu Stealer shares much of its functionality with Atomic Stealer, another macOS infostealer first identified in 2023. The overlap is close enough that Cthulhu Stealer may be a modified version of Atomic Stealer rather than an independent codebase.

The Cthulhu Team and the Malware-as-a-Service Model

The malware is operated by a group calling itself the "Cthulhu Team," which uses Telegram for communication and rents the stealer to affiliates for $500 per month under a malware-as-a-service model. Recent developments, however, suggest trouble within the operation: affiliates have lodged complaints against the main developer, known as "Cthulhu" or "Balaclavv," accusing the developer of withholding their payments, and the developer has since been banned from at least one malware marketplace. Read more at Decrypt.