In recent years, the belief that macOS systems are immune to malware has been increasingly challenged. With the emergence of threats like Silver Sparrow, KeRanger, and Atomic Stealer, macOS users are becoming more aware of the vulnerabilities in their systems.
The latest addition to this growing list is the Cthulhu Stealer, a malware-as-a-service (MaaS) identified by Cado Security.
Available for rent at $500 per month, this malware targets macOS users and aims to steal sensitive data. This article delves into the workings of Cthulhu Stealer, its operators, and the implications for macOS security.
Technical Analysis of Cthulhu Stealer
Cthulhu Stealer is distributed as an Apple disk image (DMG) containing binaries for both x86_64 and arm64 (Apple silicon) Macs. Written in Go, the malware masquerades as legitimate software.
Once the user mounts the DMG, they are prompted to open the software, which uses the macOS command-line tool osascript to display a dialog requesting the user's password.
After the user enters their password, a second prompt asks for their MetaMask password. The malware creates the directory /Users/Shared/NW and stores the captured credentials there as text files.
It uses Chainbreaker, an open-source keychain dumping tool, to extract Keychain entries (the login password captured earlier is what lets it decrypt the login keychain) and writes them to Keychain.txt. The stolen data is then packed into a zip archive, and a notification is sent to a command-and-control (C2) server to alert operators that new logs are available.
The malware also collects system information, including IP details, OS version, and hardware specifics, and stores it in text files alongside the credentials.
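The osascript password prompt described above is one of the few behaviours in this chain that is visible before any data leaves the host. The shell script below is an added example, not code from the Cado Security report or from the article: it flags osascript invocations that build a "display dialog" with masked ("hidden answer") input, which is the AppleScript shape of a credential prompt. The log format and the dialog strings are constructed for the demo; the stealer's real prompt text is not given in the article, and legitimate installers use the same AppleScript, so a hit is a triage lead, not a verdict.

```shell
#!/bin/bash
# Added example, not code from the Cado Security report or from the malware.
# Flags osascript invocations shaped like a credential prompt: 'display dialog'
# with a text field ('default answer') and masked input ('hidden answer').
#
# Input is a constructed, simplified process-exec log, one event per line:
#   <timestamp>|<parent process name>|<command line>
# On a real host this would come from an EDR or Endpoint Security exec feed.

# Returns 0 when the command line looks like a masked-input osascript dialog.
is_password_prompt() {
    case "$1" in
        *osascript*"display dialog"*"hidden answer"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pulls the quoted dialog text out of a 'display dialog "..."' command line.
dialog_text() {
    printf '%s\n' "$1" | sed -n 's/.*display dialog "\([^"]*\)".*/\1/p'
}

# Prints one line per suspicious event: timestamp, parent process, dialog text.
report_password_prompts() {
    local log="$1" ts parent cmd
    while IFS='|' read -r ts parent cmd; do
        if is_password_prompt "$cmd"; then
            printf '%s parent=%s prompt="%s"\n' "$ts" "$parent" "$(dialog_text "$cmd")"
        fi
    done < "$log"
}

# Prints the number of suspicious events, for scripting and quick checks.
count_password_prompts() {
    report_password_prompts "$1" | wc -l | tr -d ' '
}

# Constructed sample log. The parent name and dialog strings are illustrative
# stand-ins, not the stealer's actual process name or prompt text.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-08-20T10:01:12Z|Launch|osascript -e 'display dialog "macOS needs to access System Settings" default answer "" with hidden answer with icon caution'
2024-08-20T10:01:40Z|Launch|osascript -e 'display dialog "Enter your MetaMask password" default answer "" with hidden answer'
2024-08-20T10:05:00Z|Finder|osascript -e 'display notification "Backup complete"'
2024-08-20T10:06:00Z|Installer|osascript -e 'display dialog "Installation finished" buttons {"OK"}'
EOF
}

SAMPLE_LOG="${TMPDIR:-/tmp}/osascript_sample.log"
write_sample_log "$SAMPLE_LOG"
report_password_prompts "$SAMPLE_LOG"
```

Run against the sample, only the two masked-input dialogs are reported; the notification and the plain "OK" dialog are not. On a real feed, the parent process is the useful pivot: a dialog of this shape spawned by a freshly mounted, unsigned app is far more interesting than one spawned by a known installer.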
Impersonation and Data Theft
Cthulhu Stealer impersonates disk images of popular software such as CleanMyMac, Grand Theft Auto IV, and Adobe GenP. Its primary function is to steal credentials and cryptocurrency wallets from various sources, including game accounts.
For each targeted application, the malware looks for its data folder under Library/Application Support/[file store] and dumps the contents into text files.
It targets a wide range of data, including browser cookies, Coinbase and MetaMask wallets, and Telegram account information. The stolen data includes:
- Browser Cookies
- Cryptocurrency Wallets (e.g., MetaMask, Coinbase, Wasabi)
- Game Account Information (e.g., BattleNet)
- Keychain and SafeStorage Passwords
Comparison to Atomic Stealer
Cthulhu Stealer shares similarities with Atomic Stealer, another infostealer targeting macOS. Both are written in Go and use osascript to prompt users for passwords.
Atomic Stealer is sold for $1000 per month on Telegram, and Cthulhu Stealer's developer appears to have modified Atomic Stealer's code: the two share not only functionality but also the same spelling mistakes, which points to a close connection.
The Operators Behind Cthulhu Stealer
The developers and affiliates of Cthulhu Stealer, known as the “Cthulhu Team,” operate primarily through Telegram. The stealer is rented out for $500 per month, and affiliates share earnings based on their deployment success.
Cado Security found Cthulhu Stealer on two well-known malware marketplaces, where it is advertised and where the operators communicate with buyers.
In 2024, affiliates filed complaints against the leading operator, “Cthulhu” or “Balaclavv,” for non-payment. Accusations of scamming led to Cthulhu’s permanent ban from the marketplace.
The rise of macOS-targeted malware like Cthulhu Stealer underscores the importance of vigilance in cybersecurity. While the Cthulhu Team may no longer be active, the threat to macOS users remains.
To protect against such threats, users should:
- Download software only from trusted sources such as the Apple App Store or the vendor's own site, and be suspicious of disk images for paid software offered for free.
- Keep Gatekeeper enabled and do not override its warning to open an unsigned or unnotarized disk image.
- Treat any unexpected password dialog, especially one that appears right after opening a downloaded app, as a warning sign; macOS itself does not collect your login password through an application's custom dialog.
- Keep macOS and applications updated with the latest security patches.
- Consider using reputable endpoint security software for added protection.
By staying informed and taking proactive measures, macOS users can significantly reduce the risk of falling victim to malware and ensure their systems remain secure.
Indicators of Compromise
| Filename | SHA-256 |
| --- | --- |
| Launch.dmg | 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12 |
| GTAIV_EarlyAccess_MACOS_Release.dmg | e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7 |
| AdobeGenP.dmg | f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b |
| Setup2024.dmg | de33b7fb6f3d77101f81822c58540c87bd7323896913130268b9ce24f8c61e24 |
| CleanMyMac.dmg | 96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288 |