Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

Summary:

The Banshee infostealer, a sophisticated malware targeting macOS systems, has been leveraging a stolen Apple encryption algorithm to evade detection by antivirus solutions. Initially discovered in July, Banshee gained traction on Russian cybercrime marketplaces, where it was sold as a $1,500 "stealer-as-a-service." The malware is designed to harvest credentials from popular browsers such as Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera. Additionally, it targets browser extensions associated with cryptocurrency wallets, including Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Beyond credentials, Banshee collects detailed system information, such as software and hardware specifications and even the password required to unlock devices.

Earlier versions of Banshee were easily identified by antivirus tools because their strings were packaged in plaintext, leading to widespread detection. However, in late September, Check Point researchers observed a more advanced variant that encrypted its strings with the same algorithm Apple's XProtect antivirus tool uses to protect its own YARA rules. The malware's author, known as "0xe1" or "kolosain," likely reverse-engineered this algorithm, enabling them to conceal the malicious strings effectively. As a result, the variant went undetected by nearly all antivirus engines on VirusTotal for months, in stark contrast to earlier variants, which most solutions flagged.

Banshee's distribution strategies have been diverse and effective. One cluster of campaigns relied on GitHub repositories that advertised cracked versions of popular software, such as Adobe programs and various image and video editing tools; in these cases, the malware was disguised under generic filenames. Another set of campaigns used phishing websites that impersonated well-known applications. If a visitor accessed these sites from a macOS device, they were prompted to download the malware. Notably, similar campaigns targeting Windows users spread Lumma Stealer instead, indicating a broader, multi-platform approach by the cybercriminals involved.

Security Officer Comments:

On November 23, the situation escalated when Banshee's source code was leaked on the Russian-language cybercrime forum "XSS." Following the leak, the malware's developer shut down their stealer-as-a-service operation. While antivirus vendors quickly integrated new YARA rules to detect Banshee, the encrypted variant remained undetectable by most engines, prolonging its effectiveness. The leak has raised concerns about further abuse of the malware, as its availability could lead to new and more aggressive campaigns.

Since late September, over 26 distinct campaigns involving Banshee have been documented. These incidents underscore the growing sophistication of macOS-targeted malware and the evolving strategies of cybercriminals.

Suggested Corrections:

Operating systems and applications must be kept current with timely patches and other hardening measures to mitigate the risk posed by threats like Banshee Stealer. Individuals should exercise caution with unexpected emails or messages containing links, particularly from unknown senders. Raising cybersecurity awareness among employees is also crucial, as it fosters a vigilant workforce. Lastly, consulting security specialists about any uncertainties can provide valuable expertise and guidance in navigating potential security challenges.

IOCs:
https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/

Link(s):
https://www.darkreading.com/threat-intelligence/banshee-malware-steals-apple-encryption-macs