Cybersecurity researchers uncovered a sophisticated macOS malware campaign distributing the Poseidon Stealer through a counterfeit DeepSeek AI platform website.
This malware-as-a-service (MaaS) operation employs advanced social engineering tactics combined with anti-analysis techniques to compromise sensitive user data, marking a significant escalation in macOS-targeted threats.
The attack chain begins with malvertising campaigns redirecting users to deepseek.exploreio[.]net, a domain hosting a near-perfect replica of the legitimate DeepSeek AI interface.
Upon clicking “Download for Mac OS,” victims receive a DMG file named DeepSeek_v.[0-9].[0-9]{02}.dmg from the compromised domain manyanshe[.]com.
The mounted DMG contains a malicious shell script masquerading as an application bundle:
This multi-stage payload leverages osascript to execute AppleScript commands that bypass macOS Gatekeeper protections by forcing execution through Terminal.
The script copies a binary named .DeepSeek to /tmp, clears extended attributes with xattr -c, and marks it executable via chmod +x.
Anti-Analysis and Evasion Techniques
Poseidon Stealer implements layered anti-debugging measures; a secondary check uses sysctl to inspect the P_TRACED flag in the process status.
The malware terminates if usernames match common researcher aliases like “maria” or “jackiemac” through AppleScript validation.
Post-execution, it runs disown; pkill Terminal to detach from the parent process and remove forensic artifacts.
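As an added example (not code from the eSentire report or from the malware), the following Python detector applies the staging sequence described above to constructed process-start records: a hidden file under /tmp stripped of extended attributes with xattr -c, marked executable with chmod +x, then executed, followed by the pkill Terminal detach. The event format, field names and sample command lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Stage patterns taken from the behaviour described in the article. The
# "/tmp/." prefix restricts the rule to hidden files dropped in /tmp.
XATTR_CLEAR = re.compile(r"^(?:/usr/bin/)?xattr\s+-c\s+(?P<path>/tmp/\.\S+)")
CHMOD_EXEC = re.compile(r"^(?:/bin/)?chmod\s+\+x\s+(?P<path>/tmp/\.\S+)")
DETACH = re.compile(r"\bpkill\s+Terminal\b")

# Constructed sample telemetry (not real captures): one record per process
# start, in the order an endpoint agent would have observed them.
SAMPLE_EVENTS = [
    {"ts": 1, "parent": "Terminal", "cmdline": "cp /Volumes/DeepSeek/.DeepSeek /tmp/.DeepSeek"},
    {"ts": 2, "parent": "Terminal", "cmdline": "xattr -c /tmp/.DeepSeek"},
    {"ts": 3, "parent": "Terminal", "cmdline": "chmod +x /tmp/.DeepSeek"},
    {"ts": 4, "parent": "Terminal", "cmdline": "/tmp/.DeepSeek"},
    {"ts": 5, "parent": "Terminal", "cmdline": "disown; pkill Terminal"},
    # A lone xattr -c with no chmod/exec follow-up must not raise a finding.
    {"ts": 6, "parent": "Terminal", "cmdline": "xattr -c /tmp/.some_cache"},
]


def detect_staging_chain(events):
    """Return findings as (rule_name, detail) tuples, in event order.

    A hidden /tmp binary is flagged only when all three stages are seen
    for the same path in sequence: xattr -c, chmod +x, then execution.
    'pkill Terminal' is flagged on its own as a detach/cleanup signal.
    """
    stages = defaultdict(set)   # path -> stages observed so far
    findings = []
    for ev in events:
        cmd = ev["cmdline"].strip()
        tokens = cmd.split()
        if not tokens:
            continue
        if m := XATTR_CLEAR.match(cmd):
            stages[m["path"]].add("xattr")
        elif m := CHMOD_EXEC.match(cmd):
            # Only count chmod after xattr, preserving the described order.
            if "xattr" in stages[m["path"]]:
                stages[m["path"]].add("chmod")
        elif tokens[0] in stages and {"xattr", "chmod"} <= stages[tokens[0]]:
            findings.append(("staged_hidden_binary_executed", tokens[0]))
            stages.pop(tokens[0])   # report each staged path once
        if DETACH.search(cmd):
            findings.append(("terminal_detach", cmd))
    return findings
```

Running detect_staging_chain over SAMPLE_EVENTS yields one finding for the staged /tmp/.DeepSeek execution and one for the Terminal detach; the trailing lone xattr -c produces nothing.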
Data Exfiltration Mechanisms
Poseidon harvests:
- Chromium/Firefox credentials (cookies, passwords, credit cards)
- Cryptocurrency wallet data from 127 targeted extensions including MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn) and Coinbase Wallet (hnfanknocfeofbddgcijnmhnfnkdnaad)
- System keychain databases (/Library/Keychains/login.keychain-db)
- Documents matching *.txt, *.pdf, *.wallet extensions
According to the report, a forged password dialog validates credentials before zipping stolen data. Exfiltration occurs via curl POST requests to the C2 at 82.115.223[.]9/contact.
Mitigation Strategies
eSentire’s TRU team recommends:
- Restricting osascript execution through MDM policies
- Implementing NGAV solutions to detect and contain threats
- User education on Terminal-based execution risks
This campaign demonstrates attackers’ growing sophistication in bypassing macOS security controls.
The combination of social engineering, multi-stage payloads, and extensive data harvesting capabilities positions Poseidon Stealer as a critical threat to organizational and individual macOS users alike.
eSentire confirms active containment of infections across multiple enterprise networks, with ongoing monitoring for related IoCs.