A sophisticated macOS information stealer capable of hijacking live Telegram sessions, exfiltrating cryptocurrency wallet databases, and silently replacing legitimate wallet applications with attacker-controlled phishing clones has been identified by SlowMist, one of the blockchain security industry's most prominent threat-intelligence firms. The discovery marks a significant escalation in the technical complexity of crypto-targeted attacks on Apple's desktop operating system — a platform many in the digital-asset community have long considered relatively secure compared to Windows-based alternatives.

The malware operates as a full-spectrum information stealer, a category of malicious software engineered to quietly harvest as much sensitive data as possible before the victim is aware of any compromise. What distinguishes this particular campaign is its three-pronged payload: it can seize authenticated Telegram sessions, granting attackers direct access to a victim's messaging identity without requiring their credentials; it copies crypto wallet database files, potentially exposing private keys and seed data stored locally; and it goes one step further by replacing legitimate wallet applications already installed on the machine with attacker-controlled phishing software designed to capture everything typed into it thereafter. This layered approach means a single successful infection can yield both immediate account access and long-term credential harvesting.

The initial attack vector is as calculated as the payload itself. The campaign begins with a counterfeit community application — a fake group or platform interface — hosted through Google Sites, lending it a veneer of institutional legitimacy that would not trigger standard browser security warnings. From there, targets are funneled toward one of two infection pathways: downloading an AppleScript file — a macOS-native scripting format capable of automating system-level tasks — or executing a Terminal command presented to the victim as a routine security-verification step. Both methods exploit the trust users place in familiar system interfaces. An AppleScript or Terminal prompt in a macOS environment carries an implicit authority that an executable file on other platforms might not, making the social engineering dimension of this campaign particularly effective against technically literate targets.

The choice of Google Sites as a hosting platform is deliberate and instructive. By leveraging Google's infrastructure, attackers inherit the domain reputation of one of the world's most trusted technology companies, effectively bypassing URL-based filtering tools that security-conscious users and enterprise firewalls depend upon. This technique — sometimes called living-off-trusted-sites — has become increasingly common among sophisticated threat actors because it dramatically lowers the barrier to successful phishing at scale, with no dedicated infrastructure to maintain or defend.

The targeting of Telegram sessions deserves particular attention in the context of the cryptocurrency ecosystem. Telegram remains the dominant communication platform for decentralized finance (DeFi) communities, project teams, trading groups, and token launch announcements. Persistent access to an authenticated Telegram session gives an attacker the ability to impersonate the victim within these communities — soliciting funds, distributing further malware links, or manipulating market sentiment with apparent authenticity. Combined with wallet database theft, this creates a scenario where both a victim's financial assets and their social capital within the crypto space are simultaneously compromised.

SlowMist's identification of this campaign reinforces a pattern that the firm and its peers have documented repeatedly over the past several years: the crypto industry's expanding attack surface is attracting increasingly sophisticated adversaries willing to invest in multi-stage, operationally complex intrusion campaigns. The macOS platform, once treated as something of an afterthought by malware developers due to its comparatively smaller user base, is now a primary target precisely because its users — disproportionately represented among high-net-worth crypto holders, developers, and founders — represent a concentrated pool of high-value assets.

What This Means for the Crypto Security Landscape

The SlowMist findings carry implications that extend well beyond individual victims. For exchanges, custodians, and DeFi protocols whose team members communicate over Telegram and manage wallets on macOS devices, this class of threat represents an operational security risk at the institutional level. A single compromised developer session or internal wallet could expose protocol infrastructure, treasury assets, or user funds far beyond the scale of a retail hack. Security teams should treat unverified download prompts — however legitimate their apparent source — as hostile by default, and organizations should consider restricting AppleScript execution permissions and Terminal access on non-developer endpoints as a baseline hardening measure. For individual users, the most actionable defense remains straightforward: never execute Terminal commands sourced from external websites or community channels, regardless of how the instruction is framed. The attackers in this campaign understand that the weakest link in any security chain is the moment a trusted interface is used to authorize a malicious action — and they are engineering their campaigns accordingly.

Written by the editorial team — independent journalism powered by Codego Press.