Sun, 19 Jul
34°C

New Delhi

Partly Cloudy
Feels Like
38°C
Humidity
62%
Wind Speed
14 km/h
Visibility
8 km
UV Index
8 (Moderate)
Pressure
1008 hPa
Hourly Forecast
22:00
34°C
20%
23:00
34°C
25%
0:00
33°C
30%
1:00
33°C
35%
2:00
32°C
40%
3:00
32°C
45%
7-Day Forecast
Today
Partly Cloudy
26°C
35°C
Sat
Partly Cloudy
26°C
35°C
Sun
Partly Cloudy
26°C
35°C
Mon
Partly Cloudy
26°C
34°C
Tue
Partly Cloudy
27°C
34°C
Wed
Partly Cloudy
27°C
34°C
Thu
Partly Cloudy
27°C
33°C
Daily News Insights LogoDaily News Insights Logo
BREAKING
Daily News Insights: AI-Powered News Platform — Updated On DemandBreaking coverage from India and the world, synthesized by Gemini 1.5 FlashLive pipeline: Firecrawl extraction • Supabase storage • Upstash caching
Home/Tech

New macOS Infostealer Hijacks Telegram Sessions and Drains Cryptocurrency Wallets

DNI
Daily News Insights Editorial Desk
SUNDAY, 19 JULY 2026 AT 06:32 AM·4 MIN READ
New macOS Infostealer Hijacks Telegram Sessions and Drains Cryptocurrency Wallets
Unsplash
IMAGE: DAILY NEWS INSIGHTS / NEWS DATA LABS

DNI SUMMARY — KEY POINTS

  • Security researchers at SlowMist have uncovered a sophisticated macOS malware campaign that bypasses standard authentication by directly cloning active Telegram user session files.
  • The malicious software specifically targets various cryptocurrency assets by harvesting local wallet databases and decrypting them using passwords stolen from the macOS Keychain.
  • Attackers are deploying fake desktop applications that masquerade as legitimate software to trick users into compromising their hardware wallet security and recovery phrases.
  • Experts emphasize that the malware circumvents two-factor authentication barriers by mimicking a pre-authenticated environment rather than attempting to crack individual login credentials.
  • Impacted users are advised to immediately revoke all active Telegram sessions and migrate their digital funds to entirely new, clean hardware wallets.
IN-DEPTH ANALYSIS
TechFinanceScience

Cybersecurity experts at SlowMist have identified a dangerous new breed of macOS malware that represents a significant evolution in digital asset theft. By targeting the local architecture of infected machines, this threat actor effectively skips the need for traditional password cracking or SMS verification codes. Instead, the malware focuses on copying authenticated Telegram session files and local cryptocurrency wallet databases. This method allows hackers to reconstruct a victim's environment on a remote server, granting them persistent, unauthorized access to sensitive communications and financial tools without ever triggering standard security alerts on the primary device.

Exploiting Local Authenticated Sessions

The core mechanism of this attack relies on the exploitation of locally stored authentication data rather than attacking the cloud servers of messaging platforms. Once the malware achieves persistence on a target system, it systematically scrapes the host for a variety of high-value targets. This includes Apple Notes, browser cookies, and the macOS Keychain, which stores critical passwords. By aggregating these diverse data points, the attackers can successfully decrypt encrypted wallet files offline, effectively turning a user's own saved passwords against them in a seamless, automated process of data extraction.

A particularly concerning aspect of this campaign is the targeted replacement of legitimate cryptocurrency tools with malicious, look-alike applications. The malware identifies popular wallet software such as Ledger Live and Trezor Suite and replaces them with lightweight, deceptive wrappers built on the native WKWebView framework. These fake interfaces are designed to perfectly mimic the official user experience, but they function as a front for harvesting recovery phrases and private keys. Victims interacting with these fraudulent applications are often unaware that their assets are being drained in real-time.

The malware clones authenticated Telegram session files to bypass 2FA and login security without cracking passwords.

Sophisticated Deceptive Interface Tactics

The breadth of this campaign extends to at least sixteen different desktop cryptocurrency wallets, including notable names like Exodus, Atomic, and Electrum. Furthermore, the malware does not discriminate against power users, as it actively searches for full-node databases used by Bitcoin Core and Litecoin Core. This broad spectrum of targets indicates that the attackers possess a deep understanding of the cryptocurrency ecosystem. By compromising these specific applications, the threat actors ensure that they have access to the highest value targets within a victim's digital portfolio.

Beyond simple credential theft, the malware is engineered to facilitate a complete account takeover chain that extends well past initial entry. By exfiltrating browser data and Safari cookies alongside Telegram session tokens, the attackers can maintain a long-term foothold within a victim's professional and social network. This level of access is catastrophic for developers and crypto investors who utilize Telegram for sensitive business negotiations, over-the-counter trades, and project administration. The inability of existing 2FA systems to detect these session clones leaves even the most security-conscious users vulnerable.

Comprehensive Account Takeover Risks

Social engineering remains a primary vector for the initial infection, often involving sophisticated outreach via professional networking platforms. The threat actors utilize high-fidelity lures, such as fake job opportunities or teleconference invitations, to trick developers and executives into executing malicious files. Once the initial payload is delivered, the malware deploys various evasion techniques to hide its activities from standard system monitoring tools. These operations are often masked by professional-grade VPN services to obfuscate the connection paths back to the attacker's command and control servers.

Attackers use fake WKWebView applications to replace official hardware wallet software and steal recovery phrases.

Security analysts warn that the standard advice of simply rotating passwords is insufficient when dealing with this specific infostealer. Because the malware can extract seed phrases and private keys directly from decrypted local storage, a compromised wallet must be considered permanently insecure. Consequently, the only viable remediation path involves moving all digital assets to a new wallet generated on a completely clean, uncompromised device. Failure to perform a full migration leaves the user at risk of having their funds drained again, even if their account login credentials have been successfully updated.

Mandatory Security Migration Protocols

Ongoing investigations by security firms suggest that the perpetrators behind these campaigns are highly organized and financially motivated. The rapid pace at which these threats are evolving necessitates a proactive shift in how individual investors and organizations manage their digital security. As long as users continue to store sensitive authentication files and unencrypted wallet databases on their primary workstations, they remain lucrative targets for these persistent threat actors. Vigilance and the adoption of air-gapped storage for private keys are no longer optional for those operating in the crypto space.

KEY TAKEAWAYS

Data exfiltrated from the macOS Keychain allows hackers to decrypt local wallet databases offline.

SlowMist reports that the malware targets at least 16 different desktop cryptocurrency wallet applications simultaneously.

How do you feel about this story?

Share This Story

Choose a platform to share this article