May 2025 – White Hat Mac

AppleProcessHub stealer

Researchers at Kandji dug into a new stealer, using the command and control server domain appleprocesshub[.]com, first noticed by MalwareHunterTeam on Twitter (no, I will not call it X, nor will I link to anything there). Findings are both interesting and vague.

Malware campaigns targeting Ledger users

Moonlock Lab outlined 4 different campaigns, all targeting users of the Mac version of Ledger Live, a cryptocurrency management app. Among other techniques described, they mentioned a newly-observed technique for phishing seed phrases.

A look at a modern Python stealer

The folks over at Jamf found and analyzed a stealer built in Python, and compiled into a Mac app using PyInstaller. As they point out, it’s not new to see Mac malware using PyInstaller, but to their knowledge this is the first stealer to do so. Let’s take a look.

Malicious npm packages infect Cursor AI

Kirill Boychenko revealed, on May 7, findings that showed several malicious npm packages targeting Mac developers. The malware was specifically targeting developers using the Cursor AI code editor, with the purpose of stealing Cursor credentials and modifying the Cursor app.

Mac stealer distributed via fake CAPTCHAs

In a very interesting article on BadByte, it was revealed that a malicious CAPTCHA had been spotted on a legitimate site that had been compromised. The CAPTCHA was designed to trick the user into actions that would infect the machine with Atomic Stealer. Worse, this campaign, dubbed MacReaper, was then tracked to around 2,800 other potentially compromised sites.

Banshee stealer updates

Kaspersky posted a summary of some high-level updates on Banshee back in January. Although it’s a bit light on specific details about behavior, there’s still some very interesting information there.

Reboot!

This blog has languished without a clear purpose ever since I created it. I simply never had time to flesh it out. It’s time for that to change. Expect to see more articles here, starting now!