MacOS users face a new credential-stealing malware that hijacks Telegram sessions and targets cryptocurrency wallets, according to security firm SlowMist. The malware harvests login credentials to compromise active Telegram accounts, giving attackers direct access to users' contact lists and message histories. This opens a vector for follow-up phishing attacks and social engineering schemes against crypto holders.
The threat extends beyond session hijacking. Attackers leverage compromised Telegram accounts to distribute fake wallet applications that either decrypt stored cryptocurrency wallets or trick users into revealing recovery phrases through seemingly legitimate interfaces. This multi-stage approach combines credential theft with social engineering to maximize wallet compromise rates.
SlowMist identified the malware as spreading through infected applications distributed outside official channels. Users who download software from third-party sources or unverified repositories face the highest risk. The malware executes with minimal detection, operating quietly in the background while exfiltrating sensitive authentication tokens and wallet data.
The attack chain follows a familiar pattern in crypto-targeted malware. Initial compromise leads to credential harvesting, which enables account takeover. Attackers then use compromised accounts to distribute additional malicious payloads or phishing links to the victim's contacts. For crypto users specifically, the malware's wallet-targeting capability makes this particularly dangerous. Recovery phrases represent ultimate access to digital assets. Once obtained, attackers drain funds before victims notice the compromise.
MacOS users have historically faced fewer threats than Windows users, creating a false sense of security. This malware demonstrates that assumption no longer holds. Crypto holders on Apple's platform must adopt the same defensive posture as Windows users: verify application sources, use hardware wallets for significant holdings, and enable two-factor authentication on Telegram and other communication platforms.
SlowMist recommends immediate action for users who may have been exposed. Check Telegram's active sessions list for unfamiliar lo
