
A new malware campaign targeting macOS users has emerged with a dangerous focus on cryptocurrency wallet theft.
The malware, called Nova Stealer, uses a clever approach to trick victims by replacing genuine cryptocurrency applications with fake versions that steal wallet recovery phrases.
This bash-based stealer has been identified attacking users of popular cryptocurrency wallets, including Ledger Live, Trezor Suite, and Exodus.
The attack starts when an unknown dropper downloads and runs a script called mdriversinstall.sh from the command-and-control server at hxxps://ovalresponsibility[.]com/mdriversinstall[.]sh.
This initial script creates a hidden directory at ~/.mdrivers and installs several components, including a script manager and a launcher.
The malware generates a unique user ID using the uuidgen command and stores it in ~/.mdrivers/user_id.txt to track infected systems.
BruceKetta.space security researchers identified the Nova Stealer campaign and noted its modular design. The malware uses an orchestrator script called mdriversmngr.sh that downloads additional modules from the command-and-control server.
These modules come encoded in base64 format and are stored under ~/.mdrivers/scripts. The malware achieves persistence by creating a LaunchAgent plist file labeled application.com.artificialintelligence that ensures the scripts run automatically at every system startup.
One particularly interesting technique used by Nova Stealer is running its scripts inside detached screen sessions started with screen -dmS (the -d and -m flags start the session already detached, and -S gives it a name).
This approach keeps the malicious processes running independently in the background, hidden from the user’s view. The processes even survive when users log out because they run as daemon sessions with the -dmS flag.
Application Swapping and Seed Phrase Theft
Nova Stealer’s most dangerous capability involves swapping legitimate cryptocurrency wallet applications with fake versions.
The malware component mdriversswaps.sh detects if Ledger Live or Trezor Suite are installed on the system by checking paths in /Applications/.
When found, the script removes the original applications using rm -rf and deletes their Launchpad database entries with SQLite DELETE statements against the apps and items tables, matching on the application title or ID.
The malware then downloads malicious replacement applications from specific domains, including hxxps://wheelchairmoments[.]com for fake Ledger Live and hxxps://sunrisefootball[.]com for fake Trezor Suite.
These ZIP archives are saved to ~/Library/LaunchAgents/ and extracted to replace the original applications. The malware modifies the Dock configuration using /usr/libexec/PlistBuddy to delete the old app entry and add a new one pointing to the fake application.
The fake wallet applications use Swift and WebKit to render phishing pages that look legitimate. When victims open what they believe is their wallet application, they see a recovery interface asking them to enter their seed phrases.
The malicious JavaScript code includes validation against BIP-39 and SLIP-39 word lists to provide auto-complete functionality, making the fake interface feel authentic.
As users type their recovery words, the data is sent to the endpoints /seed and /seed2 with a 200-400ms delay after each keystroke, allowing attackers to capture partial phrases in real time without waiting for final submission.
Nova Stealer also runs dedicated exfiltration modules. The mdriversfiles.sh component searches for and steals wallet files, including Trezor IndexedDB logs, Exodus files like passphrase.json and seed.seco, and Ledger’s app.json.
These files are uploaded to the command-and-control server every 20 hours using binary POST requests. Additionally, mdriversmetrics.sh collects system information, including installed applications, running processes, and Dock items, to help attackers profile victims and improve their campaigns.
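The host artifacts described above (the hidden ~/.mdrivers staging directory with user_id.txt and the mdrivers*.sh modules, the LaunchAgent labeled application.com.artificialintelligence, and ZIP archives staged in ~/Library/LaunchAgents/) give a responder a compact triage checklist. The following read-only script is an added example, not code from the article or from BruceKetta.space; it takes a home directory as input so it can be pointed at a mounted image or a test fixture. The plist file name is unknown from the article, so the script matches on the Label instead, and the extra check for LaunchAgents whose program lives under .mdrivers is a heuristic assumption of this example rather than something the article reports.

```python
"""Read-only host triage for the Nova Stealer artifacts named in the article.

Added example: it operates on a caller-supplied home directory and
writes nothing, so it can be run against a live user, a mounted image,
or a constructed test tree.
"""
import plistlib
from pathlib import Path

# Artifact names taken from the article. The plist file name is not given
# there, so detection keys on the Label inside the plist instead.
STAGING_DIR = ".mdrivers"
USER_ID_FILE = "user_id.txt"
SCRIPTS_DIR = "scripts"
LAUNCH_AGENT_LABEL = "application.com.artificialintelligence"
MODULE_NAMES = (
    "mdriversinstall.sh", "mdriversmngr.sh", "mdriversswaps.sh",
    "mdriversfiles.sh", "mdriversmetrics.sh",
)


def check_staging_dir(home: Path) -> list:
    """Report the hidden staging directory and the components inside it."""
    findings = []
    staging = home / STAGING_DIR
    if not staging.is_dir():
        return findings
    findings.append(f"hidden staging directory present: {staging}")
    if (staging / USER_ID_FILE).is_file():
        findings.append(f"victim id file present: {USER_ID_FILE}")
    for name in MODULE_NAMES:
        if (staging / name).is_file():
            findings.append(f"module present: {name}")
    scripts = staging / SCRIPTS_DIR
    if scripts.is_dir():
        count = sum(1 for p in scripts.iterdir() if p.is_file())
        findings.append(f"{count} module file(s) under {SCRIPTS_DIR}/")
    return findings


def check_launch_agents(home: Path) -> list:
    """Flag LaunchAgent plists with the malware's Label, agents whose program
    points into the staging dir (heuristic assumption), and ZIP archives
    staged in LaunchAgents, which a legitimate install never leaves there."""
    findings = []
    agents = home / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return findings
    for entry in agents.iterdir():
        if entry.suffix == ".zip":
            findings.append(f"zip archive in LaunchAgents: {entry.name}")
        elif entry.suffix == ".plist":
            try:
                with entry.open("rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                findings.append(f"unparseable plist: {entry.name}")
                continue
            if data.get("Label") == LAUNCH_AGENT_LABEL:
                findings.append(f"LaunchAgent label match: {entry.name}")
            programs = list(data.get("ProgramArguments", [])) + [data.get("Program", "")]
            if any(STAGING_DIR in str(p) for p in programs):
                findings.append(f"LaunchAgent runs from {STAGING_DIR}: {entry.name}")
    return findings


def triage_home(home) -> list:
    """Run every check against one home directory and return the findings."""
    home = Path(home)
    return check_staging_dir(home) + check_launch_agents(home)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home()
    hits = triage_home(target)
    for hit in hits:
        print("[!]", hit)
    if not hits:
        print("no Nova Stealer artifacts found under", target)
```

Run it as `python3 triage.py` for the current user or `python3 triage.py /Volumes/image/Users/victim` against a mounted volume. Because the Label is the only stable plist identifier the article gives, the ProgramArguments check is there to catch a renamed agent that still launches from ~/.mdrivers; a clean host should return an empty list, and any finding is a reason to also list detached screen sessions and inspect the Dock plist for an entry pointing at a wallet bundle that was not installed by the user.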
