Infostealers continue to pose threat to macOS users

Jamf Threat Labs dissects two ongoing infostealer attacks targeting macOS users. Each uses a different means of compromising the victim’s Mac, but both share the same aim: to steal sensitive user data.

April 5 2024 by Jamf Threat Labs

Authors: Jaron Bradley, Ferdous Saljooki, Maggie Zirnhelt

Introduction

Over the past year, the macOS environment has been under constant attack by infostealers. Many of these stealers are targeting individuals involved in the crypto industry with a focus on harvesting credentials along with data from various crypto wallets. Jamf Threat Labs has observed a creative evolution in the strategies and tactics used by these attackers to target users and steal their data.

Threat Labs has tracked two recent attacks that resulted in dropping such stealers onto victims’ systems.

Ongoing Attacks

Attack 1 - Atomic Stealer spread through sponsored Ads

While searching for “Arc Browser” on Google, it was brought to our attention that the sponsored result, which appears to be for the legitimate Arc web browser, actually leads to a malicious site, aricl[.]net, that imitates the legitimate arc.net.

We were not the only ones to have noticed this oddity; users on Reddit came to the same finding. Interestingly, the malicious website cannot be accessed directly, as it returns an error. It can only be reached through the generated sponsored link, presumably to evade detection.

Below is an image of the malicious aricl[.]net site from which the victim downloads the malicious app. In some cases, the sponsored link also directed us to an identical malicious website located at airci[.]net.

The DMG is signed ad-hoc, and the site provides directions to right-click the app and select Open, thus overriding any Gatekeeper warnings.

Similar to previous variants of Atomic Stealer, the binary contains very few plaintext strings: most are XOR-encoded to avoid detection, a common technique for evading static signatures.

This variant of Atomic Stealer calls a function named bewta(), which de-XORs various byte sequences with the hardcoded single-byte key 0x91. The system() function is then invoked to run the AppleScript payloads used for information stealing. Some of the other functions used to steal assets are indicated below:

Dumping plaintext passwords out of the keychain requires the user’s macOS login password. Infostealer developers long ago caught on to the fact that the easiest way to get this password is simply to ask the user for it. We see a prompt generated via a call to AppleScript.

De-xoring the entire executable will reveal many strings related to the stealer's capabilities such as the following AppleScript command.
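The following is an added example, not code from the original post or from the malware: a small Python helper that undoes the single-byte XOR described above (key 0x91 for this variant) and lists the printable strings that fall out, plus a crib-based key search for when a future variant changes the key. The sample blob is constructed for the example; the three plaintexts embedded in it are representative strings, not bytes taken from a real sample.

```python
import re

ATOMIC_XOR_KEY = 0x91   # single-byte key reported for this variant
MIN_STRING_LEN = 6      # shorter printable runs are mostly noise
MIN_DISTINCT = 4        # drop runs like "AAAAAA" produced by padding bytes

# Known-plaintext "cribs": substrings a macOS stealer binary is very likely to contain.
DEFAULT_CRIBS = (b"osascript", b"display dialog", b"Keychains")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what bewta() does at run time)."""
    return bytes(b ^ key for b in data)


def recover_xor_strings(blob: bytes, key: int = ATOMIC_XOR_KEY,
                        min_len: int = MIN_STRING_LEN) -> list[str]:
    """Decode the whole blob with `key` and return the printable ASCII runs."""
    decoded = xor_bytes(blob, key)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    strings = [m.group().decode("ascii") for m in pattern.finditer(decoded)]
    return [s for s in strings if len(set(s)) >= MIN_DISTINCT]


def find_xor_key(blob: bytes, cribs=DEFAULT_CRIBS):
    """Brute-force all 256 single-byte keys and pick the one under which the
    most cribs appear. Returns None if no key reveals any crib."""
    best_key, best_hits = None, 0
    for key in range(256):
        decoded = xor_bytes(blob, key)
        hits = sum(1 for crib in cribs if crib in decoded)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


# --- constructed sample (not bytes from a real sample) ----------------------
_PLAINTEXTS = [
    b"osascript -e 'display dialog",
    b"/Library/Keychains/login.keychain-db",
    b"/Library/Application Support",
]
# Filler chosen so that it decodes to nothing printable under key 0x91.
_FILLER = bytes([0x00, 0xFF, 0x13, 0x7A, 0xC3, 0x91, 0x00, 0x00])
SAMPLE_BLOB = (_FILLER
               + _FILLER.join(xor_bytes(p, ATOMIC_XOR_KEY) for p in _PLAINTEXTS)
               + _FILLER)

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    for s in recover_xor_strings(SAMPLE_BLOB, key):
        print("  ", s)
```

On a real sample, pass the bytes of the Mach-O (or just its __TEXT/__cstring and __DATA sections) as `blob`; the crib search is what makes the helper survive a key change, since single-byte XOR preserves the position of every known plaintext.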

Most of the behavior of Atomic Stealer has already been well documented, and we have not observed any significant changes here. Some of the files collected for exfiltration are shown below, taken from a relatively fresh install of macOS.

Lastly, the malware sends a POST request over plain HTTP to the attacker’s server; the request body carries a base64-encoded zip file of the exfiltrated data.
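As an added example for triaging a captured exfiltration request of this shape (not code from the post), the Python below splits a raw HTTP request into headers and body, base64-decodes the body, confirms it is a zip by its local-file-header signature, and inventories the entries without extracting them. The request in build_sample_request() is constructed for the example; the host, path and entry names are placeholders, not indicators from the post.

```python
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature at offset 0 of a zip


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in request")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def decode_exfil_body(body: bytes) -> dict:
    """Base64-decode the body; if it is a zip, list (name, uncompressed size)."""
    try:
        blob = base64.b64decode(body.strip(), validate=True)
    except binascii.Error:
        return {"is_zip": False, "entries": []}
    if not blob.startswith(ZIP_MAGIC):
        return {"is_zip": False, "entries": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:      # read-only inventory, no extraction
        entries = [(info.filename, info.file_size) for info in zf.infolist()]
    return {"is_zip": True, "entries": entries}


def triage_request(raw: bytes) -> dict:
    request_line, headers, body = split_http_request(raw)
    result = decode_exfil_body(body)
    result["request_line"] = request_line
    result["host"] = headers.get("host")
    return result


def build_sample_request() -> bytes:
    """Constructed capture for the example: a POST whose body is a base64 zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Keychain/kc.db", b"\x00" * 512)          # placeholder contents
        zf.writestr("sysinfo.txt", b"ProductVersion: 14.4\n")  # constructed
    body = base64.b64encode(buf.getvalue())
    return (b"POST / HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(body)) + body


if __name__ == "__main__":
    for k, v in triage_request(build_sample_request()).items():
        print(f"{k}: {v}")
```

Because the payload is never extracted, the listing is safe to run on an analyst workstation; the entry names and sizes are usually enough to tell what categories of data (keychain, browser profiles, wallet directories) left the machine.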

Attack 2 - Meethub

Jamf Threat Labs was also tipped off to another ongoing attack after observing the attempted execution of an unsigned executable that had a known bad hash at the following path:

/Applications/Meethub.app/Contents/MacOS/sleve

The name of the application and the fact that it was unsigned warranted inquiry. It became clear that digging into this app was worth the effort when we noticed that the application name didn’t match the executable name. While the operating system does not require the application name and executable name to match, such a mismatch is uncommon. Further investigation brought us to the website meethub[.]gg.

Meethub, as an organization, is associated with a convincing media presence on Telegram and Medium. The most notable of its known appearances on the internet is on X, where it has accumulated more than eight thousand followers (likely a mix of bots and users), many of whom indicated an interest in cryptocurrency on their profile.

Victims have reported direct messages from scammers posing as harmless individuals hoping to schedule a meeting: in one case to discuss recording a podcast with the victim, and in the other to discuss a job opportunity. Both profiles showed heavy involvement in crypto and blockchain.

Once contact was established, the attacker requested Meethub as the virtual meeting software for the call. Browsing to the Meethub website and selecting “Try for free” presents links to both Windows and macOS versions. Selecting macOS downloads a 51-megabyte unsigned pkg (SHA-1 7f22760d6d85f8173292d39ea087f35695ad65ab). After the download, the website provides a note on how to get around any Gatekeeper prompts you may encounter.

At first glance, we see that the downloaded application only supports Intel architecture.

>> file /Applications/MeetHub.app/Contents/MacOS/sleve

/Applications/MeetHub.app/Contents/MacOS/sleve: Mach-O 64-bit executable x86_64

This is either a deliberate choice or an oversight on the malware author’s part. For the application to run on Apple silicon Macs, Rosetta must first be installed. Where it is not, the application fails to open after install; the user must then open it manually and follow the Rosetta installation prompts.
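The two observations above (a bundle whose executable name differs from the bundle name, and a main executable built for x86_64 only) are both cheap to hunt for across a fleet. The Python below is an added example, not tooling from the post: it walks a directory of .app bundles, reads CFBundleExecutable from each Info.plist, compares it with the bundle name, and reads the Mach-O header of the main executable to report its architectures (thin 64-bit or fat/universal). The bundles in build_demo_apps() are constructed for the example with stub Mach-O headers, not real binaries.

```python
import os
import plistlib
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O; stored little-endian on x86_64/arm64
FAT_MAGIC = 0xCAFEBABE      # universal binary header; stored big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def macho_archs(path: str) -> list[str]:
    """Return the architectures of a Mach-O file from its header alone."""
    with open(path, "rb") as f:
        head = f.read(8)
    if len(head) < 8:
        return []
    if struct.unpack("<I", head[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", head[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    if struct.unpack(">I", head[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", head[4:8])[0]
        archs = []
        with open(path, "rb") as f:
            f.seek(8)
            for _ in range(nfat):
                cputype = struct.unpack(">I", f.read(20)[:4])[0]   # fat_arch is 20 bytes
                archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    return []


def audit_apps(apps_dir: str) -> list[dict]:
    """For each .app: compare CFBundleExecutable with the bundle name and
    record the main executable's architectures."""
    findings = []
    for name in sorted(os.listdir(apps_dir)):
        if not name.endswith(".app"):
            continue
        bundle = os.path.join(apps_dir, name)
        try:
            with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as f:
                plist = plistlib.load(f)
        except (OSError, plistlib.InvalidFileException):
            continue
        exe = plist.get("CFBundleExecutable") or name[:-4]   # macOS defaults to the bundle name
        exe_path = os.path.join(bundle, "Contents", "MacOS", exe)
        archs = macho_archs(exe_path) if os.path.isfile(exe_path) else []
        findings.append({
            "bundle": name,
            "executable": exe,
            "name_mismatch": exe != name[:-4],
            "archs": archs,
            "intel_only": archs == ["x86_64"],
        })
    return findings


def _write_bundle(root: str, bundle_name: str, exe_name: str, header: bytes) -> None:
    macos_dir = os.path.join(root, bundle_name, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(root, bundle_name, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": exe_name, "CFBundleName": bundle_name[:-4]}, f)
    with open(os.path.join(macos_dir, exe_name), "wb") as f:
        f.write(header)   # stub header only, not a runnable binary


def build_demo_apps(root: str) -> None:
    """Constructed bundles: a Meethub-like Intel-only app whose executable is
    named 'sleve', and a universal app whose names match."""
    thin_x86 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_X86_64, 3, 0x4000, 0x100, 14)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x8000, 0x100, 14)
    _write_bundle(root, "Meethub.app", "sleve", thin_x86)
    _write_bundle(root, "Universal.app", "Universal", fat)


def run_demo() -> dict:
    root = tempfile.mkdtemp()
    build_demo_apps(root)
    return {f["bundle"]: f for f in audit_apps(root)}


if __name__ == "__main__":
    for bundle, f in run_demo().items():
        flag = " <-- name mismatch" if f["name_mismatch"] else ""
        print(f"{bundle}: exe={f['executable']} archs={f['archs']}{flag}")
```

Point audit_apps() at /Applications on a real Mac (it only reads headers, so it is fast); a name mismatch is not malicious on its own, but combined with an Intel-only build and a missing signature it is exactly the profile that made this sample worth a closer look.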

The app’s main binary at Meethub.app/Contents/MacOS/sleve (3865636ed27ae81f146ed5b9ac9a25f53a6d10a7) begins its work by executing a number of recon commands such as uname, sw_vers and ioreg.

Much like the Atomic stealer sample dissected above, this stealer also prompts the user for their macOS login password using the following AppleScript call.

The malware will continue generating this prompt until the correct password is entered. It then copies the user’s keychain with the following command:

cp ~/Library/Keychains ~/Documents/data/Keychain/kc.db

The infostealer then dumps all it can from the keychain by shelling out to the security command.

security unlock-keychain -p /Users//Library/Keychains/login.keychain-db

After unlocking the keychain with the user’s password, the open-source chainbreaker tool is executed to collect passwords from the unlocked keychain. The chainbreaker binary (50b8af2019adbbea310bce0259b4a3f3da2e4d7d) is bundled within the application at MeetHub.app/Contents/Resources/extensions/installer.
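Both stealers on this page follow the same sequence: an AppleScript dialog with a hidden-answer field to harvest the login password, then keychain access with that password (a copy of the keychain database, security unlock-keychain -p, chainbreaker). The Python below is an added detection example, not code from the post or from Jamf: it classifies individual process command lines and then correlates a session so that the prompt-then-keychain pattern scores higher than either event alone. The process records in SAMPLE_SESSION and BENIGN_SESSION are constructed for the example (the dialog text, user name and password are placeholders).

```python
import shlex

PASSWORD_PROMPT = "applescript_password_prompt"
KEYCHAIN_UNLOCK = "keychain_unlock_inline_password"
KEYCHAIN_COPY = "keychain_file_copy"


def classify_command(cmdline: str) -> list[str]:
    """Map one process command line to zero or more suspicious behaviors."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: not something we can reason about
        return []
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    rest = " ".join(argv[1:])
    hits = []
    # osascript dialog with a hidden-answer field: the classic fake password prompt
    if prog == "osascript" and "display dialog" in rest and "hidden answer" in rest:
        hits.append(PASSWORD_PROMPT)
    # security unlock-keychain with -p puts the user's password on the command line
    if prog == "security" and "unlock-keychain" in argv and "-p" in argv:
        hits.append(KEYCHAIN_UNLOCK)
    # keychain database copied out of ~/Library/Keychains (any source argument)
    if prog in ("cp", "ditto", "rsync") and any("/Library/Keychains" in a for a in argv[1:-1]):
        hits.append(KEYCHAIN_COPY)
    return hits


def score_session(cmdlines: list[str]) -> dict:
    """Correlate one session: a password prompt followed by keychain access is
    the pattern shared by both stealers and is rated high."""
    behaviors = []
    for cmdline in cmdlines:
        for hit in classify_command(cmdline):
            if hit not in behaviors:
                behaviors.append(hit)
    if PASSWORD_PROMPT in behaviors and (KEYCHAIN_UNLOCK in behaviors or KEYCHAIN_COPY in behaviors):
        severity = "high"
    elif behaviors:
        severity = "medium"
    else:
        severity = "none"
    return {"behaviors": behaviors, "severity": severity}


# Constructed process-execution records for one user session (not real telemetry).
SAMPLE_SESSION = [
    "/usr/bin/uname -a",
    "/usr/bin/sw_vers",
    "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'",
    "cp /Users/victim/Library/Keychains/login.keychain-db /Users/victim/Documents/data/Keychain/kc.db",
    "security unlock-keychain -p hunter2 /Users/victim/Library/Keychains/login.keychain-db",
]
BENIGN_SESSION = [
    "osascript -e 'display notification \"Build finished\"'",
    "security find-identity -v -p codesigning",
    "cp /tmp/report.txt /Users/victim/Desktop/report.txt",
]

if __name__ == "__main__":
    for label, session in (("suspect", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(label, score_session(session))
```

Feed it the command lines from your EDR or Endpoint Security process-exec events grouped by user session. The individual rules are noisy on their own (developers run security find-identity all day, and scripted keychain unlocks exist), which is why the correlation step, not the single match, should drive the alert.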

Other supported actions of the stealer include:

  • collection of usernames and passwords from browser login data
  • the ability to pull credit card details
  • stealing data from a list of installed crypto wallets, among which are Ledger and Trezor

As each step of the infostealer occurs, the malware sends an update to the IP address 46.101.104[.]172, to track the system's current stage of compromise.

Interestingly, we've observed some behavior around Ledger wallets where the malware will try to download a modified version of Ledger.

However, it appears Ledger has identified and blocked this action.

Although unconfirmed to be directly related, there are a number of interesting similarities between this stealer and the stealer originally documented as Realst stealer. Both share a handful of features: the choice of Rust for the main executable, the use of chainbreaker, and the fact that the same chainbreaker Mach-O hash appears within a number of video game-like pkgs (an approach used by Realst) that have been uploaded to VirusTotal and identified as malicious.

Conclusion

The attacks discussed in this blog post are two of many infostealer attacks observed against macOS users over the past year. As discussed, these attacks often focus on those in the crypto industry, since such efforts can lead to large payouts for attackers. Those in the industry should be hyper-aware that public information often makes it easy to identify them as asset holders or to tie them to a company that places them in this industry. Many of us operate under the false assumption that scammers are stumbled upon rather than reaching out directly to their victims.

This isn’t the case.

Social engineering for the sake of crypto gain is being carried out by both APT groups and cybercriminals, and building rapport before compromising a target is happening more frequently on the macOS platform. Users need to remain vigilant and on alert for these types of attacks.

Update: April 5th, 2024

While monitoring for indicators of these malware families, Jamf Threat Labs encountered an additional website hosting the Atomic Stealer malware at suarometa[.]site. The website is yet another fairly convincing one, claiming to host a video game that lets users generate NFTs as they play through it.

Upon visiting its Twitter and Instagram links, you immediately notice that both accounts have tens of thousands of followers but only a minimal number of posts. The website hosts a Windows and a Mac version of Atomic Stealer. Selecting the Windows version grabs the download from a Dropbox link, while selecting the Mac version directs to mandkhome[.]com/process.php. This URL then downloads a dmg file with a different hash each time. Upon opening that dmg, the user is met with the familiar instruction to right-click and select Open, which overrides Gatekeeper if the user follows it.

This Atomic Stealer sample is mildly different from the one discussed previously in this blog post. Its goal and logic, however, ultimately remain the same: the user is prompted for a password, and their credentials and sensitive files are stolen.

IoCs
