Analyzing the MonetaStealer macOS Threat

Iru researchers uncovered a Mach-O binary named Portfolio_Review.exe that masquerades as a Windows executable through its .exe extension and carries a PyInstaller CArchive bundling a portfolio_app.pyc payload the researchers named MonetaStealer. MonetaStealer, still in early development and relying heavily on AI-generated code, targets Chrome credentials, cookies and history, crypto wallets, and macOS Keychain and Wi-Fi credentials. It stages the collected data in STOLEN{sessionID}.zip and reports through api.telegram.org, and at the time of writing it was undetected on VirusTotal.

Keypoints

  • Researchers at Iru discovered an unsigned Mach-O binary (Portfolio_Review.exe) that deceptively uses a .exe extension and embeds a compressed PyInstaller CArchive containing portfolio_app.pyc, the MonetaStealer payload.
  • MonetaStealer is in early development, shows no obfuscation in the .pyc, lacks anti-analysis and persistence mechanisms, and maintains a zero-detection rate on VirusTotal at time of writing.
  • The stealer targets Chrome data (passwords, cookies, history) by copying temporary SQLite databases and using macOS keychain queries to obtain Chrome’s Base64 master key, with keyword filtering to prioritize financial and crypto-related cookies.
  • MonetaStealer hunts for crypto wallets and sensitive files across common user paths (~/Library/Application Support, ~/.config, ~/Documents, ~/Desktop, ~/Downloads), using regexes to locate seed phrases, private keys, and card-like patterns.
  • The malware collects Wi‑Fi SSIDs and prompts for keychain passwords via networksetup and security commands, scrapes clipboard content with pbpaste, and stages collected items into STOLEN{sessionID}.zip on the Desktop for exfiltration to a Telegram bot via api.telegram.org.
  • A Windows-targeting variant and Windows-related code skeleton were found but contained dead logic; the overall campaign indicates continued dominance of macOS stealers and monetizable data-exfiltration tactics in 2026.
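The first two keypoints describe a file whose name says Windows (.exe) while its header says Mach-O, with a PyInstaller CArchive bundled inside. The triage routine below is an added example for this write-up, not Iru's tooling: it reads the leading magic bytes to decide what the file really is, searches for PyInstaller's CArchive cookie magic (the byte string `MEI\014\013\012\013\016`, as used by PyInstaller's bootloader), and flags the extension/format mismatch. The two sample byte blobs are constructed for demonstration and are not the real Portfolio_Review.exe.

```python
"""Triage a file that claims a Windows .exe extension but may be a Mach-O.
Added example; not Iru's code. Sample blobs below are constructed."""
import hashlib
import os
from dataclasses import dataclass

# Mach-O header magics as they appear on disk: MH_MAGIC / MH_MAGIC_64 in
# both byte orders. The universal (fat) magic CAFEBABE also opens Java class
# files, so it is tracked separately as a weaker signal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
PE_MAGIC = b"MZ"
# PyInstaller CArchive cookie magic (octal 014 013 012 013 016 in its source).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
WINDOWS_EXTS = {".exe", ".dll", ".scr"}


@dataclass
class Triage:
    sha256: str
    claims_windows_ext: bool
    is_macho: bool
    is_fat_macho: bool
    is_pe: bool
    has_pyinstaller_cookie: bool

    @property
    def suspicious(self) -> bool:
        # A Windows-style name on a Mach-O body is the masquerade (T1036).
        return self.claims_windows_ext and (self.is_macho or self.is_fat_macho)


def triage_bytes(data: bytes, filename: str) -> Triage:
    """Classify a file body by magic bytes and compare with its extension."""
    head = data[:4]
    ext = os.path.splitext(filename)[1].lower()
    return Triage(
        sha256=hashlib.sha256(data).hexdigest(),
        claims_windows_ext=ext in WINDOWS_EXTS,
        is_macho=head in MACHO_MAGICS,
        is_fat_macho=head == FAT_MAGIC,
        is_pe=data[:2] == PE_MAGIC,
        # The cookie sits inside the appended archive, so scan the whole body
        # rather than only the header.
        has_pyinstaller_cookie=PYINSTALLER_MAGIC in data,
    )


def triage_file(path: str) -> Triage:
    with open(path, "rb") as f:
        return triage_bytes(f.read(), os.path.basename(path))


# Constructed sample: 64-bit Mach-O magic, filler, then a PyInstaller cookie
# appended at the tail, the way a CArchive is glued onto a bootloader binary.
SAMPLE_MASQUERADE = b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16
# Constructed sample of a genuine PE: DOS header stub followed by the PE signature.
SAMPLE_REAL_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"

if __name__ == "__main__":
    for name, blob in (("Portfolio_Review.exe", SAMPLE_MASQUERADE), ("setup.exe", SAMPLE_REAL_PE)):
        t = triage_bytes(blob, name)
        print(name, "MISMATCH" if t.suspicious else "consistent", t)
```

Run it against a quarantined download with `triage_file(path)`; a `Triage` with `suspicious` set and `has_pyinstaller_cookie` true is the shape this write-up describes, and the SHA-256 field is there so the hit can be compared against the hashes in the IoC list.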

MITRE Techniques

  • [T1036] Masquerading – The binary uses a deceptive filename/extension to appear benign on macOS and evade user suspicion ( ‘Portfolio_Review.exe is an unsigned Mach-O binary that uses a deceptive .exe extension to mislead macOS users.’ )
  • [T1059.006] Command and Scripting Interpreter: Python – The malware is a PyInstaller-compiled Python payload that executes .pyc modules to perform theft ( ‘MonetaStealer embeds its malicious logic within a compressed PyInstaller CArchive appended to the binary.’ )
  • [T1027] Obfuscated Files or Information – The CArchive and compressed .pyc files remain bundled until execution to bypass static scanners ( ‘the .pyc files remain bundled and compressed until execution, they bypass basic static file scanners that only inspect the surface-level Mach-O structure.’ )
  • [T1555.003] Credentials from Web Browsers – MonetaStealer extracts Chrome passwords, cookies, and history, including obtaining Chrome’s Base64 master key via keychain commands ( ‘security find-generic-password’ to steal Chrome’s Base64 master key for password decryption )
  • [T1552.001] Credentials in Files – The stealer searches local directories and applies regex patterns to find wallet seed phrases and private keys in files ( ‘Seed Patterns: seed[s:="']+([a-zs]{20,}) … Key Patterns: [5KL][1-9A-HJ-NP-Za-km-z]{50,} … [a-fA-F0-9]{64}’ )
  • [T1056.001] Input Capture: Clipboard – The malware captures clipboard contents by invoking the native pbpaste utility and records up to the first 5,000 characters ( ‘executes the native pbpaste utility to scrape sensitive data directly from the macOS system clipboard.’ )
  • [T1005] Data from Local System – MonetaStealer crawls directories (~/Library/Application Support, ~/.config, ~/Documents, ~/Desktop, ~/Downloads) and reads files (.pdf, .txt, .doc, .xls, .xlsx) to collect targeted document content and artifacts ( ‘crawls within the directories ~/Documents, ~/Downloads, ~/Desktop, and reads the contents of files ending with .pdf, .txt, .doc, .xls, and .xlsx’ )
  • [T1041] Exfiltration Over C2 Channel – Collected data is staged into a zip on the Desktop and reporting/exfiltration is performed via the Telegram API endpoint ( ‘relies on api.telegram.org for exfiltration.’ )

Indicators of Compromise

  • [File Hash] Mach-O binaries and payloads – 4885adc9de7e91b74a3ac01187775459acf3e4e026ee2fa776b3419cf8dbaf00, 1a5027adf99076470444c5ffdd83a4313ab1d21827700699d0ee6ab1337beb70, and 2 more hashes
  • [File Name] Malicious binary and payload – Portfolio_Review.exe (Mach-O dropper), portfolio_app.pyc (main MonetaStealer payload)
  • [Domain / API Endpoint] Exfiltration/reporting endpoint – api.telegram.org (used to send short POST reports to a Telegram bot)
  • [Telegram Bot] Command-and-control reporting infrastructure – id: 8384579537, username: b746_mac_collector_bot (bot observed in POST responses)
  • [Extension ID] Hardcoded browser extension identifier – nkbihfbeogaeaoehlefnkodbefgpgknn (Metamask extension ID targeted by the cryptostealing module)
  • [macOS Commands] System commands executed for credential and host discovery – ‘security find-generic-password -w -a "Chrome"’, ‘networksetup -listpreferredwirelessnetworks en0’ (used for keychain queries and SSID enumeration)
  • [File Paths] Local search paths targeted for wallet and document discovery – ~/Library/Application Support, ~/.config, ~/Documents, ~/Desktop, ~/Downloads
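The individual commands and endpoints above are weak signals on their own: an administrator runs `networksetup`, the Telegram desktop client talks to api.telegram.org, and `security` is invoked by plenty of legitimate tooling. What distinguishes the chain this write-up describes is one process spawning the keychain query, the SSID enumeration and the clipboard dump, writing a STOLEN*.zip to the Desktop, and then reaching the Telegram API itself. The correlation below is an added example, not Iru's detection content; the event schema (exec / filecreate / netconn records with `pid`, `ppid`, `parent`, `image`, `cmdline`, `path`, `dest` fields) and every sample event are constructed to resemble EDR-style telemetry, and the session-id suffix in the zip name is made up.

```python
"""Correlate MonetaStealer-style behaviours per parent process.
Added example; the event schema and sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Command-line signals drawn from the commands listed in this write-up.
EXEC_SIGNALS = {
    "keychain_chrome_key": re.compile(r"\bsecurity\s+find-generic-password\b.*\s-w\b.*\bChrome\b"),
    "wifi_ssid_enum": re.compile(r"\bnetworksetup\s+-listpreferredwirelessnetworks\b"),
    "clipboard_scrape": re.compile(r"(^|[/\s])pbpaste(\s|$)"),
}
# STOLEN{sessionID}.zip staged on the Desktop; the suffix is whatever the
# payload substitutes, so match on the prefix and location only.
STAGING_ZIP = re.compile(r"/Desktop/STOLEN[^/\s]*\.zip\b")
TELEGRAM_API = "api.telegram.org"
# Image-name fragments of processes expected to reach the Telegram API.
TELEGRAM_CLIENTS = ("Telegram",)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signals_for(event: dict) -> set:
    """Return the signal labels a single telemetry event matches."""
    hits = set()
    if event["type"] == "exec":
        hits |= {label for label, rx in EXEC_SIGNALS.items() if rx.search(event["cmdline"])}
    elif event["type"] == "filecreate" and STAGING_ZIP.search(event["path"]):
        hits.add("desktop_staging_zip")
    elif event["type"] == "netconn" and event["dest"] == TELEGRAM_API:
        if not any(c in event["image"] for c in TELEGRAM_CLIENTS):
            hits.add("telegram_api_from_nonclient")
    return hits


def actor(event: dict) -> tuple:
    """The process held responsible: the spawning parent for exec events,
    the acting process itself for file and network events."""
    if event["type"] == "exec":
        return event["ppid"], event["parent"]
    return event["pid"], event["image"]


def correlate(events: list, window_s: int = 600, min_signals: int = 2) -> list:
    """Alert on any actor that shows at least min_signals distinct behaviours
    within window_s seconds. Returns one alert per offending actor."""
    by_actor = defaultdict(list)  # pid -> [(timestamp, label)]
    names = {}
    for ev in events:
        hits = signals_for(ev)
        if not hits:
            continue
        pid, name = actor(ev)
        names[pid] = name
        by_actor[pid].extend((_ts(ev["ts"]), label) for label in hits)
    alerts = []
    for pid, hits in by_actor.items():
        hits.sort()
        for start, _ in hits:  # sliding window anchored at each hit
            labels = {l for t, l in hits if 0 <= (t - start).total_seconds() <= window_s}
            if len(labels) >= min_signals:
                alerts.append({"pid": pid, "image": names[pid], "signals": sorted(labels)})
                break
    return alerts


PAYLOAD = "/Users/alice/Downloads/Portfolio_Review.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {"ts": "2026-02-10T14:02:11Z", "type": "exec", "pid": 5011, "ppid": 5002, "parent": PAYLOAD,
     "cmdline": 'security find-generic-password -w -a "Chrome"'},
    {"ts": "2026-02-10T14:02:13Z", "type": "exec", "pid": 5012, "ppid": 5002, "parent": PAYLOAD,
     "cmdline": "networksetup -listpreferredwirelessnetworks en0"},
    {"ts": "2026-02-10T14:02:14Z", "type": "exec", "pid": 5013, "ppid": 5002, "parent": PAYLOAD,
     "cmdline": "pbpaste"},
    {"ts": "2026-02-10T14:02:20Z", "type": "filecreate", "pid": 5002, "image": PAYLOAD,
     "path": "/Users/alice/Desktop/STOLEN9f3a.zip"},
    {"ts": "2026-02-10T14:02:25Z", "type": "netconn", "pid": 5002, "image": PAYLOAD,
     "dest": "api.telegram.org", "dport": 443},
    # Benign noise: an admin listing Wi-Fi networks, and the real Telegram client.
    {"ts": "2026-02-10T14:05:00Z", "type": "exec", "pid": 6100, "ppid": 6001,
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "networksetup -listpreferredwirelessnetworks en0"},
    {"ts": "2026-02-10T14:05:30Z", "type": "netconn", "pid": 7000,
     "image": "/Applications/Telegram.app/Contents/MacOS/Telegram",
     "dest": "api.telegram.org", "dport": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The single actor that trips the rule is pid 5002 with all five behaviours; the Terminal session and the Telegram client each contribute one signal and stay below the threshold. Tune `min_signals` upward if keychain queries are common in your fleet, and feed the alert's SHA-256 back into the file-hash IoCs above.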
Read more: https://the-sequence.com/monetastealer-threat