MacOS Activator Malware: Cracked Apps Masking Crypto Wallet Theft

cryptojacking macos malware discovered by jamf threat labs

A new malware strain targeting macOS users, notably those using pirated software, has been identified. Dubbed ‘Activator’, this malware is adept at stealing information from cryptocurrency wallets.

Key Highlights:

  • The malware, named ‘Activator’, is concealed within cracked macOS apps.
  • It specifically targets users of macOS Ventura 13.6 and above.
  • The malware prompts users to enter system admin passwords, gaining elevated access.
  • Its method of contacting a command-and-control server is notably complex and ingenious.
  • ‘Activator’ targets Exodus and Bitcoin Core wallets, replacing them with infected versions.
  • The malware is part of a rising trend of using cracked software to compromise macOS systems.

cryptojacking macos malware discovered by jamf threat labs

Malware Mechanics and Deployment

‘Activator’ operates by embedding itself in booby-trapped disk image (DMG) files, often paired with a pirated version of a legitimate app like xScope. Users tricked into running the ‘Activator’ are prompted for their system administrator password, enabling the malware to execute with elevated privileges and deploy a modified version of the legitimate app​​​​.

The malware then establishes a connection with a command-and-control server to fetch an encrypted script. This is achieved through a sophisticated DNS request, retrieving Base64-encoded ciphertext fragments that assemble into a Python script. This script ensures persistence, continuously reaching out to a domain to download and execute the main payload​​​​.

Advanced Command-and-Control Communication

The malware’s sophistication is further revealed in its communication methods. By assembling a command-and-control URL from hard-coded lists and random letter sequences, it effectively masks its network traffic. The malware retrieves encrypted scripts via DNS TXT records, a method praised for its ingenuity and stealthiness by security researchers​​.

Crypto Wallets in the Crosshairs

The ultimate aim of ‘Activator’ is the theft of cryptocurrency. It detects and replaces Exodus and Bitcoin Core wallets with versions that relay sensitive information, such as seed phrases and passwords, back to the attackers. This strategy allows cybercriminals to access and drain victims’ cryptocurrency holdings

Protective Measures Against ‘Activator’

To safeguard against such threats, it’s crucial to adhere to best practices in digital security. Recommendations include:

  • Strictly downloading software from official and trusted sources like the Apple App Store.
  • Regularly updating macOS and other critical software to patch vulnerabilities.
  • Employing robust, unique passwords and considering the use of a password manager.
  • Implementing a reliable security solution that can detect and neutralize such threats​

Targeting Crypto Wallets

Once active, ‘Activator’ searches for Exodus and Bitcoin Core wallets on the infected device. If found, these applications are replaced with trojanized versions that send wallet details like the seed phrase and unlock password to a remote server controlled by the attackers. This tactic enables the theft of cryptocurrencies from unsuspecting victims​​​​.

Safety Recommendations

To protect against such threats, cybersecurity experts advise:

  • Only downloading apps from official stores like the Apple App Store.
  • Regularly updating the operating system and applications.
  • Using strong, unique passwords for different accounts.
  • Implementing trusted security solutions and following their recommendations​​.

The ‘Activator’ malware represents a significant threat to macOS users, particularly those engaging with cracked software. Its sophisticated method of operation and focus on cryptocurrency wallet theft highlights the evolving nature of cybersecurity threats. Users are advised to practice safe browsing habits, update their systems regularly, and use trusted sources for software downloads to mitigate such risks.


About the author


Jamie Davidson

Jamie Davidson is the Marketing Communications Manager for Vast Conference, a meeting solution providing HD-audio, video conferencing with screen sharing, and a mobile app to easily and reliably get work done."