A new variant of Banshee Stealer has resurfaced with improved evasion tactics, targeting macOS users. Originally thought to be dormant after its source code leaked in late 2024, the variant now encrypts its embedded strings with an algorithm borrowed from Apple’s own XProtect antivirus engine. Because those strings never appear in cleartext inside the binary, signature-based scanners that look for them fail to match, which helps the malware slip past antivirus detection and raises its rate of successful infections. Check Point Research, which uncovered the development, noted that the malware now poses a significant risk to more than 100 million macOS users worldwide.
The Banshee Stealer variant is being distributed through phishing websites and fake GitHub repositories that impersonate legitimate software such as Google Chrome, Telegram, and TradingView. The lures trick unsuspecting users into downloading the malware, which then harvests sensitive data: browser data, cryptocurrency wallets, and files with particular extensions. The malware is offered under a malware-as-a-service (MaaS) model, making it available to other cybercriminals for $3,000 per month.
Despite the setback caused by the leak of its source code in November 2024, the Banshee Stealer campaign has continued. Check Point Research reported detecting ongoing campaigns still distributing the malware, though it remains unclear whether they are run by the original threat actors or by their customers. The same campaigns serve both platforms: macOS visitors receive Banshee Stealer, while Windows visitors receive Lumma Stealer. This points to a wide-reaching effort to compromise as many systems as possible.
A notable change in the new variant is the removal of a language check that previously blocked infections on Macs with Russian set as the system language. This adjustment hints that the threat actors may be widening their target base. The malware’s use of techniques such as the XProtect-derived string encryption shows the growing sophistication of modern malware campaigns. These developments are a reminder that macOS, like every operating system, is not immune to evolving cyber threats.
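To make the evasion point above concrete, here is an added example (not Banshee’s code, not Check Point’s tooling, and not the XProtect algorithm the article refers to) that shows why encrypting embedded strings defeats a plaintext signature scan, and how an analyst recovers such strings anyway. The single-byte XOR scheme, the indicator strings and the sample "binary" blob are all constructed for illustration.

```python
"""
Toy demonstration of string encryption versus static signature scanning.

Assumptions (not from the article): the malware's encryption is stood in for by a
single-byte XOR; the indicator list and the sample blob are constructed here.
"""

# Constructed indicators: strings a naive static signature might key on.
INDICATORS = [
    b"Library/Application Support/Google/Chrome",
    b"Library/Keychains",
    b"Exodus",
]


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key (toy cipher, illustration only)."""
    return bytes(b ^ key for b in data)


def build_sample(strings, key=None):
    """Build a fake binary blob: zero padding plus the given strings.

    With key=None the strings are stored in cleartext (old-style sample);
    with a key they are stored encrypted, as the new variant does in spirit.
    """
    body = b"\x00" * 16
    for s in strings:
        if key is not None:
            s = xor_bytes(s, key)
        body += s + b"\x00" * 8
    return body


def scan_plaintext(blob, indicators=INDICATORS):
    """Naive static signature: report which indicators occur in cleartext."""
    return [s.decode() for s in indicators if s in blob]


def recover_xor_strings(blob, indicators=INDICATORS):
    """Analyst counter-move: brute-force all 256 single-byte keys and report
    which indicators appear under each candidate key.
    """
    hits = {}
    for key in range(256):
        found = [s.decode() for s in indicators if s in xor_bytes(blob, key)]
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    clear = build_sample(INDICATORS)
    enc = build_sample(INDICATORS, key=0x5A)
    print("cleartext sample, signature hits:", scan_plaintext(clear))
    print("encrypted sample, signature hits:", scan_plaintext(enc))
    print("encrypted sample, brute-forced keys:", recover_xor_strings(enc))
```

The cleartext sample trips every signature; the encrypted sample trips none, which is the whole value of the technique to the malware author. The brute-force routine shows the limit of that value: a trivial scheme is reversed in milliseconds, and even a stronger one leaves the decryption routine itself and the malware’s runtime behaviour (file reads from browser and wallet directories, outbound exfiltration) as artifacts that code-pattern signatures and behavioural detection can still key on.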