Date: 02/06/2025
Severity: High
Summary
We’ve observed a growing wave of attacks targeting macOS users across various regions and industries. Our research highlights three prominent macOS infostealers—Poseidon, Atomic, and Cthulhu—responsible for exfiltrating sensitive credentials, financial data, and intellectual property, often leading to breaches and financial losses. Despite their seemingly limited functionality, infostealers now represent the largest category of new macOS malware in 2024. Our telemetry shows a 101% rise in macOS infostealer detections between the last two quarters of 2024.
Indicators of Compromise (IOC) List
IP Addresses:
94.142.138.177
194.169.175.117
194.59.183.241
70.34.213.27
89.208.103.185
SHA-256 Hashes:
599e6358503a0569d998f09ccfbdeaa629d8910f410e26df0ffbd68112e77b05
a33705df80d2a7c2deeb192c3de9e7f06c7bfd14b84f782cf86099c52a8b0178
cfa8173e681bf6866e06b1a971dab03954b28d3626d96ac0827c5f261e7997cd
831f80f6e6f7be8352aba0b54b3e55ade63f8719c7e6f8cfa19ee34af5a07deb
a9fe32498f6132b9c39ae16524bdb3d71b451017a2d3acf117416a0dc9a89ce5
3eac9c66a712f74d9e93e24751220a74b2c7e5320c74f1f7b4931d8181c7f26c
9f4f286e5e40b252512540cc186727abfb0ad15a76f91855b1e72efb006b854c
5880430d86d092ac56bfa4aec7e245e3d9084e996165d64549ccb66b626d8c56
0bb4ba056d64fff21d13b53b5c1bd5ccb89bed27e66e2b7ff60ddcf47c1342b4
1b9b929e63be771393b6a4e526930eedb78f279174711bd2f19dfa8545f6e714
c4e7320945caf9dc4dca11f6ad0170bc6fc2148de0cdc8aa15a236b248165d39
a8aa1d7f940f0a8ccd516e52232b103d343826e13df9e4d9567f75e996683886
09852c1f67939efad0f0baeead5d23dc9cd53eec0f1f6069f041dfd4e0e83c3f
b94067535123dd236a075d54afa34fef80324f7d1375f55c29ca70393e6492b2
9390108ca021b5f5c8c25849c1d6903c8a30568e822ce22e01e96381ea2df3b5
2d232bd6a6b6140a06b3cf59343e3e2113235adcf3fb93e78fa3746d9679cfc3
d8d29c2906145771e1c12d6520a826c238d5672f256779326ba38859dfb9cf4c
6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12
a772451ddd6897c00ce766949fc82e30cfb64a6b31b44bfd9068a76ab99dd188
ad32e638216b859855f78a856f8f4e3aea66add550619a4bde08754e2c218186
dd831c4aaaceb9f063642ae729956a716e29e0c5452526996e92959cca820914
57ece6ae15a8d16a24bad097b4455dc6aec4a24c139d62d05c59330620c3e90e
93f33e76c57240dda2b80b0270ad867a4c77ee7ad4ac135d086398e789e4dbc9
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
IP Address query (matches the indicator in any of the destination, generic, public or source IP fields):
dstipaddress IN ("89.208.103.185","94.142.138.177","70.34.213.27","194.169.175.117","194.59.183.241") or ipaddress IN ("89.208.103.185","94.142.138.177","70.34.213.27","194.169.175.117","194.59.183.241") or publicipaddress IN ("89.208.103.185","94.142.138.177","70.34.213.27","194.169.175.117","194.59.183.241") or srcipaddress IN ("89.208.103.185","94.142.138.177","70.34.213.27","194.169.175.117","194.59.183.241")
Hash query (SHA-256):
sha256hash IN ("6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12","dd831c4aaaceb9f063642ae729956a716e29e0c5452526996e92959cca820914","c4e7320945caf9dc4dca11f6ad0170bc6fc2148de0cdc8aa15a236b248165d39","9f4f286e5e40b252512540cc186727abfb0ad15a76f91855b1e72efb006b854c","a772451ddd6897c00ce766949fc82e30cfb64a6b31b44bfd9068a76ab99dd188","3eac9c66a712f74d9e93e24751220a74b2c7e5320c74f1f7b4931d8181c7f26c","831f80f6e6f7be8352aba0b54b3e55ade63f8719c7e6f8cfa19ee34af5a07deb","09852c1f67939efad0f0baeead5d23dc9cd53eec0f1f6069f041dfd4e0e83c3f","d8d29c2906145771e1c12d6520a826c238d5672f256779326ba38859dfb9cf4c","a33705df80d2a7c2deeb192c3de9e7f06c7bfd14b84f782cf86099c52a8b0178","57ece6ae15a8d16a24bad097b4455dc6aec4a24c139d62d05c59330620c3e90e","cfa8173e681bf6866e06b1a971dab03954b28d3626d96ac0827c5f261e7997cd","5880430d86d092ac56bfa4aec7e245e3d9084e996165d64549ccb66b626d8c56","2d232bd6a6b6140a06b3cf59343e3e2113235adcf3fb93e78fa3746d9679cfc3","599e6358503a0569d998f09ccfbdeaa629d8910f410e26df0ffbd68112e77b05","93f33e76c57240dda2b80b0270ad867a4c77ee7ad4ac135d086398e789e4dbc9","a9fe32498f6132b9c39ae16524bdb3d71b451017a2d3acf117416a0dc9a89ce5","1b9b929e63be771393b6a4e526930eedb78f279174711bd2f19dfa8545f6e714","a8aa1d7f940f0a8ccd516e52232b103d343826e13df9e4d9567f75e996683886","0bb4ba056d64fff21d13b53b5c1bd5ccb89bed27e66e2b7ff60ddcf47c1342b4","b94067535123dd236a075d54afa34fef80324f7d1375f55c29ca70393e6492b2","9390108ca021b5f5c8c25849c1d6903c8a30568e822ce22e01e96381ea2df3b5","ad32e638216b859855f78a856f8f4e3aea66add550619a4bde08754e2c218186")
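The two TDIR queries above express one rule: an event is a hit if any of its four IP fields holds a listed address, or if its SHA-256 field holds a listed hash. The following Python is an added example, not Gurucul's or Unit 42's code, that applies the same rule to log events outside the TDIR platform (for example, when checking an EDR export before the IOCs are loaded). It assumes events are dictionaries keyed by the same field names the queries use (dstipaddress, ipaddress, publicipaddress, srcipaddress, sha256hash); the indicators are copied from the IOC list on this page, and the sample events are constructed.

```python
# Added example (not Gurucul's or Unit 42's code): applies the IOC match
# expressed by the TDIR queries to constructed sample events.

# IP indicators copied from the IOC list on this page.
IOC_IPS = {
    "94.142.138.177", "194.169.175.117", "194.59.183.241",
    "70.34.213.27", "89.208.103.185",
}

# SHA-256 indicators copied from the IOC list on this page.
IOC_SHA256 = {
    "599e6358503a0569d998f09ccfbdeaa629d8910f410e26df0ffbd68112e77b05",
    "a33705df80d2a7c2deeb192c3de9e7f06c7bfd14b84f782cf86099c52a8b0178",
    "cfa8173e681bf6866e06b1a971dab03954b28d3626d96ac0827c5f261e7997cd",
    "831f80f6e6f7be8352aba0b54b3e55ade63f8719c7e6f8cfa19ee34af5a07deb",
    "a9fe32498f6132b9c39ae16524bdb3d71b451017a2d3acf117416a0dc9a89ce5",
    "3eac9c66a712f74d9e93e24751220a74b2c7e5320c74f1f7b4931d8181c7f26c",
    "9f4f286e5e40b252512540cc186727abfb0ad15a76f91855b1e72efb006b854c",
    "5880430d86d092ac56bfa4aec7e245e3d9084e996165d64549ccb66b626d8c56",
    "0bb4ba056d64fff21d13b53b5c1bd5ccb89bed27e66e2b7ff60ddcf47c1342b4",
    "1b9b929e63be771393b6a4e526930eedb78f279174711bd2f19dfa8545f6e714",
    "c4e7320945caf9dc4dca11f6ad0170bc6fc2148de0cdc8aa15a236b248165d39",
    "a8aa1d7f940f0a8ccd516e52232b103d343826e13df9e4d9567f75e996683886",
    "09852c1f67939efad0f0baeead5d23dc9cd53eec0f1f6069f041dfd4e0e83c3f",
    "b94067535123dd236a075d54afa34fef80324f7d1375f55c29ca70393e6492b2",
    "9390108ca021b5f5c8c25849c1d6903c8a30568e822ce22e01e96381ea2df3b5",
    "2d232bd6a6b6140a06b3cf59343e3e2113235adcf3fb93e78fa3746d9679cfc3",
    "d8d29c2906145771e1c12d6520a826c238d5672f256779326ba38859dfb9cf4c",
    "6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12",
    "a772451ddd6897c00ce766949fc82e30cfb64a6b31b44bfd9068a76ab99dd188",
    "ad32e638216b859855f78a856f8f4e3aea66add550619a4bde08754e2c218186",
    "dd831c4aaaceb9f063642ae729956a716e29e0c5452526996e92959cca820914",
    "57ece6ae15a8d16a24bad097b4455dc6aec4a24c139d62d05c59330620c3e90e",
    "93f33e76c57240dda2b80b0270ad867a4c77ee7ad4ac135d086398e789e4dbc9",
}

# Field names mirror the TDIR queries: the IP may sit in any of these four fields.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"


def match_event(event):
    """Return the (field, indicator) pairs in one event that hit an IOC; [] if clean."""
    hits = []
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append((field, value))
    digest = event.get(HASH_FIELD)
    if digest:
        # Hex digests are case-insensitive; normalise before the set lookup so
        # an upper-case hash from a tool export is not silently missed.
        digest = digest.lower()
        if digest in IOC_SHA256:
            hits.append((HASH_FIELD, digest))
    return hits


def scan_events(events):
    """Return only the events that hit, each paired with its matches."""
    flagged = []
    for event in events:
        hits = match_event(event)
        if hits:
            flagged.append((event, hits))
    return flagged


# Constructed sample events (hypothetical hosts, documentation-range addresses
# for the benign case, and one all-zero hash that is not an IOC).
SAMPLE_EVENTS = [
    {"host": "mac-01", "srcipaddress": "10.0.0.5", "dstipaddress": "94.142.138.177"},
    {"host": "mac-02", "srcipaddress": "10.0.0.6", "dstipaddress": "203.0.113.10"},
    {"host": "mac-03", "sha256hash": "599E6358503A0569D998F09CCFBDEAA629D8910F410E26DF0FFBD68112E77B05"},
    {"host": "mac-04", "publicipaddress": "70.34.213.27", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for event, hits in scan_events(SAMPLE_EVENTS):
        print(event["host"], hits)
```

The lower-casing step is the one detail worth carrying into a production rule: SIEM and EDR exports disagree on hash case, and an exact-match IN clause against lower-case indicators will miss upper-case values unless the field is normalised at ingestion.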
Reference:
https://unit42.paloaltonetworks.com/macos-stealers-growing/