A new macOS stealer by MentalPositive has been identified targeting Ledger Live users in 2025, potentially representing a variant of the 2023 Atomic macOS Stealer (AMOS). This new malware exhibits similarities in credential and crypto wallet theft but uses different programming languages and introduces unique build IDs for campaign management. #MentalPositive #AMOS #LedgerLive
Keypoints
- The MentalPositive macOS stealer targets Ledger Live users and may be a new variant of the AMOS stealer from 2023.
- The malware daemonizes itself (detaching from the controlling terminal and session manager, which the source article describes as Unix process hollowing) and forcibly terminates terminal processes so the user cannot interrupt or inspect it.
- It prompts the user for an administrator password, verifies it locally, and only then uses the elevated privileges to read the login keychain and password directories.
- The stealer collects stored credentials from browsers, cryptocurrency wallets, and extensions, consolidating data into compressed archives for exfiltration.
- Unique Build IDs such as JENYA, SHELLS, and BARNI help the attacker manage infection campaigns and update variants.
- Unlike AMOS, MentalPositive’s code is less obfuscated and mainly written in Objective-C and Swift, focusing on native macOS features.
- Both stealers use fake system windows to deceive users while exfiltrating data; however, MentalPositive’s variant may be in early development with room to evolve.
MITRE Techniques
- [T1055] Process Injection (Process Hollowing is sub-technique T1055.012) – The article states the stealer “initiates execution by employing standard Unix process-hollowing techniques to detach itself from the controlling terminal and session manager.” Detaching from the controlling terminal and session manager is daemonization (fork() followed by setsid()), not process hollowing as ATT&CK defines it, so treat this mapping with caution.
- [T1562] Impair Defenses – It “enumerates and forcibly terminates terminal-related processes using system calls like kill() to prevent user intervention.”
- [T1548] Abuse Elevation Control Mechanism – The malware “prompts the user to enter their administrator password, mimicking legitimate system behaviour to gain elevated privileges.”
- [T1003] Credential Dumping – It targets the “login.keychain-db file and the /password directory (if available)” to extract saved credentials.
- [T1074] Data Staged – The collected data is “consolidated and compressed into a single archive file named log.zip ready for exfiltration.”
- [T1071] Application Layer Protocol – It “sends an HTTP request containing a unique Build ID” to communicate with command and control servers.
- [T1204] User Execution – The stealer relies on the victim launching it; once running it “prompts the user for administrator password” before executing its payloads. A spoofed credential prompt is more precisely covered by T1056.002 (Input Capture: GUI Input Capture).
- [T1566] Phishing – AMOS originally spreads through “phishing, cracked apps, and fake software,” similarities possibly shared with the new stealer.
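The techniques above translate directly into detection logic. The following rule-based triage is an added example, not code from the article or from the malware author: it runs over constructed endpoint events (the event shape, field names, the pid values, the Terminal/iTerm2 process names and the beacon URL are all assumptions) and flags a process only when several of the described behaviours (terminal kill, keychain read, log.zip staging, a request carrying a known Build ID) come from the same pid.

```python
"""Rule-based triage of constructed macOS endpoint events for the behaviours
the MentalPositive write-up describes. Added example; the event format, the
process names and the URL below are assumptions, not data from the article."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real captures). Each event carries the
# originating pid, an event type and a detail string, roughly the shape an
# EDR export would have.
SAMPLE_EVENTS = [
    {"pid": 4021, "type": "process_start", "detail": "/Users/demo/Downloads/LedgerLive.app/Contents/MacOS/LedgerLive"},
    {"pid": 4021, "type": "signal", "detail": "kill(SIGKILL) -> Terminal"},
    {"pid": 4021, "type": "signal", "detail": "kill(SIGKILL) -> iTerm2"},
    {"pid": 4021, "type": "file_read", "detail": "/Users/demo/Library/Keychains/login.keychain-db"},
    {"pid": 4021, "type": "file_write", "detail": "/tmp/information.txt"},
    {"pid": 4021, "type": "file_write", "detail": "/tmp/log.zip"},
    {"pid": 4021, "type": "network", "detail": "POST http://203.0.113.10/gate.php?id=JENYA"},
    {"pid": 5100, "type": "process_start", "detail": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 5100, "type": "network", "detail": "GET https://example.com/"},
]

BUILD_IDS = ("JENYA", "SHELLS", "BARNI")   # Build IDs named in the article
TERMINAL_APPS = ("Terminal", "iTerm2")     # assumption: names the EDR reports
STAGING_NAMES = ("information.txt", "log.zip")  # output files named in the article
BUILD_ID_RE = re.compile(r"\b(" + "|".join(BUILD_IDS) + r")\b")

# One predicate per behaviour, keyed by the ATT&CK technique it evidences.
RULES = {
    "T1562 terminal kill": lambda e: e["type"] == "signal"
        and any(app in e["detail"] for app in TERMINAL_APPS),
    "T1003 keychain read": lambda e: e["type"] == "file_read"
        and e["detail"].endswith("login.keychain-db"),
    "T1074 staging": lambda e: e["type"] == "file_write"
        and e["detail"].rsplit("/", 1)[-1] in STAGING_NAMES,
    "T1071 build-id beacon": lambda e: e["type"] == "network"
        and BUILD_ID_RE.search(e["detail"]) is not None,
}


def triage(events):
    """Map each pid to the sorted list of rule names it triggered."""
    hits = defaultdict(set)
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits[event["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def suspicious_pids(events, min_rules=2):
    """Any single rule is noisy on its own (a backup agent reads the keychain,
    a user closes Terminal), so require at least min_rules distinct behaviours
    from one pid before flagging it."""
    return sorted(pid for pid, names in triage(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, names)
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The correlation by pid is the point: each behaviour on its own is benign somewhere in a fleet, but one process that kills terminals, reads login.keychain-db, writes log.zip and then beacons with a Build ID is the pattern the article describes.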
Indicators of Compromise
- [File Hashes] MD5 hashes of detected trojan samples associated with the malware – F57D595D6CEE023B947AC32055012255, 45CC9ACA6F226130A05056EFABDA2DA8, and 36A5B365551B6596690EEBC94D86BA61.
- [Domains/URLs] Multiple URLs used by the malware for data exfiltration, differentiated by unique Build IDs: JENYA, SHELLS, and BARNI (specific URLs not listed in the article).
- [File Names] Key target files include login.keychain-db and password directories for data theft, and output files named information.txt and log.zip for storing stolen data.
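A sweep for these indicators is straightforward to script. The block below is an added example, not code from the article: it hashes every file under a root, compares against the three MD5s above, and separately flags the staging file names, which are only a weak signal on their own. The fixture directory, its file contents and the extra hash added for the demonstration are constructed.

```python
"""Sweep a directory tree for the hash and file-name IOCs in the article.
Added example; the fixture built in demo() is constructed, not real samples."""
import hashlib
import tempfile
from pathlib import Path

# MD5 hashes listed in the article (32 hex characters = MD5), lower-cased.
IOC_HASHES = {
    "f57d595d6cee023b947ac32055012255",
    "45cc9aca6f226130a05056efabda2da8",
    "36a5b365551b6596690eebc94d86ba61",
}
# Output files the article names; a name match alone only warrants a look.
STAGING_NAMES = {"log.zip", "information.txt"}


def md5_of(path, chunk=1 << 20):
    """Stream the file so large archives do not get loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_HASHES, names=STAGING_NAMES):
    """Return sorted (path, reason) pairs. A hash hit is reported even when the
    file name also matches; unreadable files are skipped rather than fatal."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = md5_of(p)
        except OSError:
            continue
        if digest in hashes:
            findings.append((str(p), f"md5 match {digest}"))
        elif p.name in names:
            findings.append((str(p), "staging artifact name"))
    return sorted(findings)


def demo():
    """Constructed fixture: a scratch tree with two staging-name files and one
    file whose own hash is added to the IOC set so a hash hit can be shown
    without possessing a real sample."""
    root = Path(tempfile.mkdtemp())
    (root / "log.zip").write_bytes(b"PK\x03\x04 constructed, not a real archive")
    (root / "sub").mkdir()
    (root / "sub" / "information.txt").write_text("constructed")
    (root / "README").write_text("benign file, should not be reported")
    sample = root / "LedgerLive"
    sample.write_bytes(b"constructed stand-in, not the real binary")
    return sweep(root, hashes=IOC_HASHES | {md5_of(sample)})


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, path)
```

In production you would point sweep() at user home directories and /tmp, where the article's output files are staged, and treat a name-only hit as a lead for the behavioural checks rather than as a verdict.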