
“Banshee Stealer” Mac malware resurfaced in new campaigns


The Mac malware family Banshee Stealer is back in the news. First discovered in August 2024, Banshee is “stealer as a service” malware that was sold through Telegram and advertised through dark web forums. Now, variants that initially surfaced in late 2024 are catching headlines due to peculiarities in their encryption algorithm and how they have continued to spread into 2025.

Here’s everything you need to know to stay safe from the latest variants of this Mac malware threat.


A brief history of Banshee Stealer

Since the first half of 2023, stealer malware such as Atomic macOS Stealer (AMOS, or AtomicStealer) has become a prolific Mac malware threat, focused on gathering and exfiltrating sensitive data from Macs. AMOS and its copycats operate as “malware as a service,” i.e., other threat actors can pay for access to the code base, including new updates and features.

We’ve seen lots of AMOS variants and copycats in the past two years, both for sale on the black market and in the wild. We often write about stealer malware here on The Mac Security Blog (be sure to subscribe to our free e-mail newsletter) and regularly discuss it on the Intego Mac Podcast.

Most often (though not exclusively), stealer malware is distributed through malicious Google Ads campaigns. These advertisements appear at the top of Google search results, where many people will see and click on them; at a glance, they’re often indistinguishable from legitimate Google Ads. But some more recent Banshee Stealer distribution campaigns have used a different distribution method that has not been written about publicly until now; we’ll discuss that more below.

Banshee Stealer came to light in August 2024, though its author (0xe1, aka kolosain) may have tried licensing it as early as mid-July. It was offered through the author’s Telegram channel and a couple of dark web forums. By mid-October, the author began shopping around to sell the whole project to a new owner. In November 2024, the source code for Banshee Stealer reportedly leaked online, prompting the malware’s author to discontinue it. But, of course, this does not necessarily mean that threat actors will avoid using Banshee as their stealer malware of choice for ongoing malware campaigns.

How is the malware spreading?

Throughout the month of October 2024 and in early November, threat actors distributed copies of Banshee Stealer via at least nine repositories on GitHub—a popular, Microsoft-owned site for distributing software and source code. Some malicious GitHub repositories claimed to offer downloads of either popular commercial software for free, or “cracks” (i.e. tools to illegally circumvent the software licensing mechanisms) for that software. These repos claimed to offer software or cracks related to Adobe Acrobat Pro, Adobe Premiere Pro, AutoDesk AutoCAD, Capture One Pro, DaVinci Resolve Studio, Pixelmator Pro, and others. Some of these pages also included Windows downloads distributing Lumma Stealer malware.

One malicious GitHub repo claimed to offer a Mac version of Carnom Wallet Cracker that supposedly would “test the strength and resilience of cryptocurrency wallets.” Ironically, the software was in reality Banshee Stealer, which steals cryptocurrency from its victims’ wallets, as well as other sensitive data.

Some of these GitHub repositories are still actively distributing Banshee Stealer, as of January 14, 2025.

But GitHub wasn’t the only distribution method for recent Banshee Stealer samples. In early December, a fake Telegram site distributed a Trojan horse disk image named Telegram.dmg, supposedly offering a Mac version of the Telegram Messenger app. This disk image contained a Setup app that actually installed Banshee Stealer malware. At least two other domains distributed similar Banshee-laden Trojan horses.

What does the malware do?

As with earlier Banshee Stealer variants, the new versions collect and exfiltrate victims’ passwords, cookies, browser history and autofill data, and cryptocurrency wallets. They also collect victims’ Apple Notes, Microsoft Word documents, and encryption keys. While Chromium-based browsers are the primary targets (in particular, Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Yandex), Banshee also steals cookies from Safari.

Why cookies? While most people tend to think of browser cookies as a privacy-violating tracking method, cookies can also (among other things) keep users logged into sites. So by stealing cookie databases, attackers can often bypass the need to know a victim’s username and password, and even bypass any two-factor authentication method, and get direct access to victims’ accounts. Many popular sites don’t validate whether an authentication cookie may have been stolen and reused on another computer.
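One server-side check for the cookie-replay problem described above, added here as an example rather than anything from the post: it binds each session identifier to the client fingerprint (IP address plus User-Agent) that established it and flags the same cookie arriving from a different fingerprint. The request records are constructed.

```python
"""Detect an authentication cookie that is replayed from a second client.

Added example, not Intego's code: the post notes that many sites never check
whether a stolen session cookie is reused from another computer. This
server-side check binds each session identifier to the client fingerprint
(IP address plus User-Agent) that first used it and flags later requests
from a different fingerprint. All requests below are constructed.
"""
from collections import namedtuple

Request = namedtuple("Request", "session_id ip user_agent")

# Constructed access records: one legitimate user, then the same cookie value
# replayed from a different host and browser, the pattern cookie theft produces.
SAMPLE_REQUESTS = [
    Request("sess-7f3a", "203.0.113.10", "Safari/17.1 (Macintosh)"),
    Request("sess-7f3a", "203.0.113.10", "Safari/17.1 (Macintosh)"),
    Request("sess-9c21", "198.51.100.7", "Chrome/120 (Macintosh)"),
    Request("sess-7f3a", "192.0.2.44", "Chrome/120 (Windows NT 10.0)"),
]


def find_replayed_sessions(requests):
    """Map each session id seen from more than one client fingerprint to the
    list [bound_fingerprint, foreign_fingerprint, ...]."""
    first_seen = {}   # session_id -> fingerprint that established the session
    suspicious = {}
    for req in requests:
        fingerprint = (req.ip, req.user_agent)
        bound = first_seen.setdefault(req.session_id, fingerprint)
        if fingerprint != bound:
            # Any change of IP or browser string is flagged here. Production
            # code would tolerate IP-only changes (NAT, mobile roaming) and
            # revoke only when both parts of the fingerprint differ.
            suspicious.setdefault(req.session_id, [bound]).append(fingerprint)
    return suspicious


def should_revoke(session_id, requests):
    """True when the session should be invalidated and the user re-authenticated."""
    return session_id in find_replayed_sessions(requests)


if __name__ == "__main__":
    for sid, fps in find_replayed_sessions(SAMPLE_REQUESTS).items():
        print(f"session {sid} replayed from {fps[1:]}, first bound to {fps[0]}")
```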

While early variants of Banshee Stealer from August avoided running on Macs if their primary language was set to Russian, this is no longer the case for later variants.

After collecting all the targeted data, the recent Banshee Stealer variants exfiltrate victims’ information to a server that appears to be located in Poland, based on its IP address; the August variant exfiltrated data to a server that appeared to be in Russia.

A more technical change in later Banshee variants is that they borrow the same string-encryption algorithm that Apple uses for its XProtect anti-malware technology.

How can I keep my Mac safe from stealer malware?

Some reports erroneously insinuate that the recent Banshee Stealer variants went fully undetected for “months” across the entire antivirus industry. This is largely based on assumptions about scan statistics from the multi-engine file scanner VirusTotal, given historical scan results for a couple of specific Banshee samples. Notably, Intego’s VirusBarrier engine is not one of the more than 60 engines on VirusTotal. Intego did not have an extended gap in Banshee Stealer variant detection, unlike the gap many other antivirus companies seem to have had. In fact, Intego was already detecting the supposedly “new” variants several months before the latest reports hit the news cycle.

If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects Banshee Stealer samples from this campaign as OSX/Amos.ext and OSX/Amos. The associated Lumma Stealer (Windows) variants are detected as trojan/TR/AD.Nekark.flpn, trojan/TR/Crypt.OPACK.Ge, or similar names.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s latest Mac operating system, macOS Sequoia.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware, too.

Indicators of compromise (IOCs)

Following are SHA-256 hashes of malware samples from this Banshee Stealer campaign:


A couple of currently active Banshee Stealer distribution pages on GitHub.com:

/ArvendraChhonkar/todo/releases
/GabrielScipioni/Adobe-Acrobat-Pro-DC-23.003.20244-Intel-Apple/releases *
*first reported by Intego

This Banshee Stealer campaign has used the following IP address for its command and control (C&C) server:

41.216.183[.]49

The related Lumma Stealer campaign has reportedly used the following domains for C&C:


This malware campaign previously used the following domains for distributing a fake Telegram installer and other Trojans:

api7[.]cfd
coincapy[.]com
fotor[.]software

Network administrators can check logs to try to identify whether any computers may have attempted to contact the GitHub URLs, IP address, or domains above from August 2024 to present, which could indicate a possible infection.
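A log-triage script implementing the check this paragraph recommends, added here as an example and not part of Intego’s article: it refangs the C&C IP address and distribution domains listed above, adds the two GitHub release paths, and reports which internal clients touched them. The proxy log lines are constructed.

```python
"""Scan proxy logs for contact with Banshee Stealer infrastructure (added example,
not Intego's code): refang the defanged indicators quoted in the article, add the
two GitHub release paths, and match them against constructed log lines."""
import re

# Indicators exactly as the article lists them, still defanged.
DEFANGED_INDICATORS = [
    "41.216.183[.]49",   # Banshee C&C server
    "api7[.]cfd",        # fake Telegram installer and other Trojans
    "coincapy[.]com",
    "fotor[.]software",
]
GITHUB_PATHS = [
    "/ArvendraChhonkar/todo/releases",
    "/GabrielScipioni/Adobe-Acrobat-Pro-DC-23.003.20244-Intel-Apple/releases",
]

def refang(indicator):
    """Turn '[.]' back into '.' so the value matches what real logs contain."""
    return indicator.replace("[.]", ".")

def build_pattern(defanged, github_paths):
    """One regex matching any indicator only as a whole host (or host+path)."""
    hosts = [re.escape(refang(i)) for i in defanged]
    paths = [re.escape("github.com" + p) for p in github_paths]
    # Look-arounds reject look-alikes such as '141.216.183.49' or
    # 'coincapy.com.example.net'; a real subdomain 'x.coincapy.com' still hits.
    return re.compile(r"(?<![\w-])(?:%s)(?![\w.-])" % "|".join(hosts + paths), re.I)

IOC_PATTERN = build_pattern(DEFANGED_INDICATORS, GITHUB_PATHS)

# Constructed squid-style proxy log lines: the third and fourth are hits, the
# fifth is a look-alike domain that must not match.
SAMPLE_LOG = """\
1733100001 10.0.0.12 TCP_MISS/200 GET https://www.apple.com/macos/ -
1733100002 10.0.0.12 TCP_MISS/200 GET https://github.com/intego/ -
1733100003 10.0.0.31 TCP_MISS/200 GET https://github.com/ArvendraChhonkar/todo/releases -
1733100004 10.0.0.31 TCP_MISS/200 POST http://41.216.183.49/api/upload -
1733100005 10.0.0.17 TCP_MISS/200 GET https://coincapy.com.example.net/ -
""".splitlines()

def find_ioc_hits(lines, pattern=IOC_PATTERN):
    """Return (client_ip, matched_indicator) for each line that touches an IOC."""
    hits = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hits.append((line.split()[1], match.group(0)))
    return hits
```

Feed it real proxy or DNS log lines in place of SAMPLE_LOG; the client address is taken from the second whitespace-separated field, so adjust the index for other log layouts.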

Do security vendors detect this by any other names?

Other antivirus vendors’ names for this Banshee Stealer malware for macOS may include variations similar to the following:

A Variant Of Generik.HXOPFZO, A Variant Of OSX/PSW.Agent.CW, Class.trojan.amos, Class.trojan.generic, Class.trojan.stealer, Dmg.trojan.amos, DMG/ABTrojan.ACGI-, Generic.Trojan.Agent.DY4AJL, HEUR:Trojan-PSW.OSX.Amos.gen, Infostealer/OSX.Banshee, Js.Trojan.Avi.Ncnw, Mac.PWS.Amos.113, Mac.Stealer.162, Mac.Stealer.164, Macho.trojan.amos, Macho.trojan.macos, Macho.trojan.stealer, MacOS:AMOS-AO [Trj], MacOS/ABTrojan.CJXU-, MacOS/ABTrojan.PDHI-1, MacOS/ABTrojan.RCPO-, Malware.OSX/AVA.AMOS.enmvm, Malware.OSX/AVI.AMOS.dplwb, Malware.OSX/AVI.AMOS.psxni, Malware.OSX/GM.Amos.WM, Malware.OSX/GM.Stealer.WX, Osx.Trojan-QQPass.QQRob.Ekjl, Osx.Trojan-QQPass.QQRob.Kzfl, Osx.Trojan-QQPass.QQRob.Nqil, Osx.Trojan-QQPass.QQRob.Qimw, Osx.Trojan-QQPass.QQRob.Rsmw, Osx.Trojan-QQPass.QQRob.Vgil, Osx.Trojan-QQPass.QQRob.Yimw, Osx.Trojan-QQPass.QQRob.Ymhl, OSX.Trojan.Gen.2, OSX/Agent.CW!tr.pws, OSX/AVA.AMOS.enmvm, OSX/AVI.AMOS.dplwb, OSX/AVI.AMOS.psxni, OSX/GM.Amos.WM, OSX/GM.Stealer.WX, OSX/InfoStl-EC, RiskWare:MacOS/SAgnt.D9OKG, Trojan ( 0040f5551 ), Trojan:MacOS/Multiverze, Trojan:MacOS/SAgnt.D!MTB, Trojan.Generic.37082833 (B), Trojan.Generic.37082904 (B), Trojan.Generic.37128040, Trojan.Generic.37178950 (B), Trojan.Generic.37183801 (B), Trojan.Generic.D235D6D1 [many], Trojan.Generic.D235D718 [many], Trojan.Generic.D2374E46, Trojan.Generic.D2376139, Trojan.Generic.D47D35DE, Trojan.GenericKD.75314654 (B), Trojan.MAC.Generic.122608 (B), Trojan.MAC.Generic.D1DEF0, Trojan.OSX.Amos.i!c, Trojan.OSX.Psw, Trojan.OSX.Stealer.i!c, Trojan.SuspectCRC, Trojan[stealer]:MacOS/Amos.gyf, Trojan[stealer]:MacOS/Bitrep.B, Trojan[stealer]:MacOS/Multiverze.Gen, Trojan[stealer]:MacOS/SAgnt.D9OKG, TrojanPSW:MacOS/Other.b6db607e, UDS:Trojan-PSW.OSX.Amos.gen, Win32.Troj.Undef.a

Other vendors’ names for the related Lumma Stealer malware for Windows may include variations similar to the following:

A Variant Of MSIL/TrojanDropper.Agent.GCY, Artemis!3100C7B441CC, BehavesLike.Win32.Generic.dc, Dropper.Agent!8.2F (CLOUD), Dropper.Agent.Win32.612086, Dropper.Msil.Injuke.Vtw9, Dropper/Win.Generic.C5689738, Exe.trojan.msil, Exe.unknown.lazy, Gen:Variant.Lazy.622489 (B), Generic ML PUA (PUA), Generic.mg.3100c7b441ccbda8, HEUR:Trojan.MSIL.Injuke.gen, Mal/Generic-S, Malicious.moderate.ml.score, Malware.kb.c.1000, Malware.Obfus/[email protected], Malware.Obfus/[email protected], Malware.Obfus/[email protected] (RDM.MSIL2:LpzQvUcHrd2UzsKENtWGpg), ML.Attribute.HighConfidence, MSIL/Agent.GCY!tr, Probably Heur.ExeHeaderL, Pua.Hax, Real Protect-LS!3100C7B441CC, Spyware.Infostealer.Lumma, Static AI – Malicious PE, TR/AD.Nekark.flpnz, Trj/GdSda.A, TROJ_FRS.0NA103KU24, Trojan ( 005b61691 ), Trojan-Dropper.MSIL.Agent, Trojan:MSIL/Injuke.02be405e, Trojan:MSIL/Injuke.6787c883, Trojan:Win32/Phonzy.B!ml, Trojan:Win32/RedLineStealer!rfn, Trojan.Crypt.MSIL.Generic, Trojan.Ghanarava.17308746390b72e0, Trojan.Heur!.03012281, Trojan.Injuke!QH3z+Gn5P3I, Trojan.Lazy.D97F99, Trojan.Malware.300983.susgen, Trojan.Malware.74181957.susgen, Trojan.Msil.Kryptik.16001475, Trojan.PWS.Lumma.868, Trojan.TR/AD.Nekark.flpnz, Trojan.Win.Z.Lazy.294912.D, Trojan.Win32.GenusT.ECRG, Trojan.Win32.Injuke.16!c, Trojan.Win32.Save.a, Trojan[dropper]:MSIL/RedLineStealer.Gen, VHO:Trojan.MSIL.Injuke.gen, W32.AIDetectMalware.CS, W32.Common.A2FE11FC, W32/ABTrojan.SZLY-6453, W32/MSIL_Kryptik.LQV.gen!Eldorado, Win/malicious_confidence_100% (W), Win32:PWSX-gen [Trj], Win32.HeurC.KVMH008.a

How can I learn more?

For additional technical details about this Banshee variant, see Antonis Terefos’ write-up.

To learn more about the previous Banshee variant, see Intego’s original report, “Banshee Stealer is the scary new arrival in the Mac malware-as-a-service market.”

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.