“Cthulhu Stealer” Malware Targets MetaMask And Other Crypto Wallets On Apple Mac Devices

Updated: 26 August 2024

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

A new strain of malware by the name of “Cthulhu Stealer” is targeting Apple Mac users and can extract personal information as well as gain access to many crypto wallets including MetaMask.

The new malware appears as an Apple Disk image and disguises itself as a legitimate application such as CleanMyMac and Adobe GenP.

Cthulhu Stealer Prompts Mac Users To Enter Their MetaMask Password

Mac users who open the malicious Apple Disk image are first prompted to enter their system’s password. Thereafter, a second prompt asks users to enter the passphrase for their MetaMask wallets.

Cthulhu Stealer also targets other popular wallets that may be installed on the users’ device. Wallets such as those from Coinbase, Wasabi, Electrum, Binance, Atomic and Blockchain Wallet are all at risk.

Information such as the device’s IP address and operating system are also extracted by the malware once it has stored the stolen data in text files.

Similarities Between The New Malware And The Atomic Stealer Identified In 2023

Cybersecurity firm Cado Security drew comparisons between Cthulhu Stealer and a malware that was identified in 2023 called Atomic Stealer in a recent blog post. Both malwares are designed to steal crypto wallet information, browser credentials and keychain information.

“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code,” said a researcher from Cado Security in the blog post. Both malwares even include the same spelling mistakes in their prompts, the researcher added.

Recently, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer”. This blog will explore the functionality of this malware and provide insight into how its operators carry out their activities: https://t.co/nJCt6RnUfG

— Cado (@CadoSecurity) August 22, 2024

Cthulhu Stealer is being rented out on Telegram to affiliates for $500 per month. The lead developer of the malware also gets a percentage of the profits from every successful deployment.

However, scammers behind the malware seem to no longer be active due to disputes over payments that have led to accusations of an exit scam by affiliates.