New Variant Of Banshee macOS Malware Runs Active Campaigns

Published on Latest Hacking News

The notorious Banshee stealer has returned as a more advanced malware variant that specifically targets macOS systems. Security researchers recently detected this variant in active malicious campaigns, where it borrows string-encryption techniques from Apple’s XProtect security feature to evade detection.

New Variant of Banshee Malware Targets macOS Devices

A new malware campaign targeting Mac devices has been uncovered by researchers at Check Point Research. This campaign involves the distribution of a new variant of the well-known Banshee malware, which is notorious for its attacks on macOS systems.

The Banshee malware first emerged in 2024 as a “stealer-as-a-service” for targeting Apple Mac systems. However, after its source code was leaked online, the malware was rendered ineffective and eventually shut down.

Despite its shutdown, the leaked source code enabled other threat actors to create new threats based on the Banshee malware.

This new malware campaign has been operating covertly since September 2024. The latest Banshee variant demonstrates advanced evasion capabilities: to avoid detection, it reuses string-encryption techniques taken from Apple’s XProtect security feature.

By encrypting its strings in this way, the malware can avoid detection and continue stealing data while appearing to Mac security measures as a legitimate operation. The targeted data includes information stored in web browsers, such as passwords and cryptocurrency wallets, as well as IP addresses, system hardware details, and macOS passwords.

In addition, the new variant retains all the malicious functionality of the original Banshee stealer, which preserves its reputation within the threat actor community.

Unlike its predecessor, the new Banshee variant targets a wider user base by including Russian systems in its scope.


The threat actors behind this campaign distribute the malware through deceptive GitHub repositories, camouflaged as legitimate software. According to Check Point Research, these attackers also target Windows systems using the same repositories to distribute the Lumma stealer.

The researchers have shared detailed information about this malware campaign in their publication.

As always, users can protect themselves from such threats by following safe online practices, such as downloading software from official sources, avoiding interactions with unsolicited emails and messages, and keeping their systems up to date with the latest security patches.
