Sophisticated macOS Malware Hijacks Telegram Sessions to Drain Cryptocurrency Wallets
DNI SUMMARY — KEY POINTS
- Security researchers at SlowMist have uncovered a highly advanced multi-stage macOS malware campaign that specifically targets active Telegram sessions for account hijacking.
- The malicious software extracts local web3 wallet databases and browser credentials to gain unauthorized access to the digital assets of cryptocurrency users.
- Instead of attempting to crack two-factor authentication, the malware clones authorized session files, allowing attackers to impersonate victims without triggering standard security alerts.
- Experts emphasize that this campaign utilizes social engineering and decoy applications to manipulate users into granting administrative access to their operating systems.
- The ongoing threat highlights a significant shift in criminal tactics as hackers increasingly prioritize session token theft over traditional password-based brute force attacks.
A sophisticated new malware campaign targeting macOS users has emerged, posing a severe threat to the cryptocurrency community by stealthily hijacking active messaging sessions and draining private digital wallets. Researchers at SlowMist have identified that the threat actors are bypassing standard security protocols by cloning local session files rather than attempting to brute-force passwords or circumvent two-factor authentication. This method allows attackers to reconstruct a victim's exact digital environment on a secondary machine, granting them immediate, invisible access to entire chat histories and associated sensitive financial data.
Technical Mechanics of the Attack
Technical Mechanics of the Attack
The malware functions by meticulously scanning the host file system to locate critical session configurations utilized by both Telegram Desktop and Telegram for macOS. Once these files are identified, they are exfiltrated to a command-and-control server, enabling the hackers to mirror the user profile perfectly. By utilizing these established sessions, the perpetrators successfully circumvent the phone number prompts and verification codes that typically protect accounts, rendering traditional security layers ineffective against this specific form of session-based infiltration and unauthorized access.
The malware clones authenticated session files to bypass two-factor authentication by appearing as a legitimate, already-verified device.
The Evolution of Phishing Tactics
Beyond simple messaging theft, the campaign aggressively scrapes local systems for comprehensive data layers, including browser credentials, active Safari cookies, and Keychain profiles. The malware is specifically engineered to aggregate information from Apple Notes—where many users inadvertently store plain-text passwords—to unlock local software wallets offline. By pairing these stolen system credentials with encrypted wallet databases, the attackers can autonomously decrypt and empty digital asset repositories without requiring any further interaction with the victim's live device or platform.
The Evolution of Phishing Tactics
Widespread Risks for Web3 Users
After securing deep administrative access to the victim’s machine, the malware transitions into a sophisticated phase of active social engineering by deploying deceptive software updates. These fake applications are meticulously disguised as official updates for popular hardware wallets like Ledger or Trezor, effectively luring users into a false sense of security. These malicious wrappers operate using the native WKWebView framework, ensuring that the interface appears legitimate while simultaneously siphoning transaction authorization data or private keys directly to the attacker’s infrastructure.
Attackers specifically target roughly 300 different cryptocurrency wallet extensions and local desktop wallet databases stored on infected systems.
The delivery mechanisms for this malware are increasingly diverse, often masquerading as professional job interview platforms or fake software download portals. Victims are frequently directed to execute bash commands or open disk images that initiate the infection sequence under the guise of security verification. Once the initial payload is executed, the malware leverages legitimate system tools to maintain persistence, effectively operating within the boundaries of user-trusted applications to evade detection by standard behavioral analysis tools or signature-based antivirus solutions.
Mitigation Strategies and Outlook
Widespread Risks for Web3 Users
The targeting of cryptocurrency traders, blockchain developers, and investors highlights the growing intersection between communication platforms and asset management. Because Telegram serves as a primary hub for decentralized finance operations and project administration, a single compromised session can lead to catastrophic financial losses or the distribution of malicious links to wider trusted communities. The ease with which attackers can now impersonate legitimate users within these networks creates systemic operational risks that extend far beyond the individual device level.
Industry-wide security experts are urging users to remain vigilant against unexpected requests to run terminal commands or download third-party software from unfamiliar sources. While Apple continues to refine its built-in security protections, the reliance on social engineering—tricking the user into granting permissions—remains a persistent challenge that software-based defenses alone cannot solve. Protecting digital assets in the current landscape requires a combination of hardware security, rigorous verification of software origins, and a healthy skepticism toward unsolicited professional or technical requests.
Mitigation Strategies and Outlook
Securing your digital environment against such threats requires a proactive approach, including the regular clearing of session tokens and the use of dedicated, hardened devices for sensitive financial transactions. Because the current malware strain successfully mirrors existing sessions, users should frequently monitor their active login lists and immediately revoke any unrecognized access entries found within their messaging settings. As threat actors like JINX-0164 and other groups continue to refine their tradecraft, the battle between cybersecurity researchers and digital infiltrators will inevitably escalate in both frequency and complexity.
KEY TAKEAWAYS
The malware is designed to remove legitimate hardware wallet applications and replace them with trojanized versions that steal user assets.
The campaign utilizes sophisticated social engineering lures, such as fake job interview platforms and teleconference tools, to trick victims into executing malicious code.

