A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk by exploiting Apple’s own security tools to avoid detection. The malware, which targets credentials, cryptocurrency wallets, and other personal data, has been described by security researchers as a significant threat to macOS users.
Check Point Research first detected the original Banshee malware, a malware-as-a-service offering targeting macOS devices, in mid-2024. The latest strain, which remained undetected for over two months, uses a string encryption algorithm lifted directly from Apple’s XProtect antivirus system. Because antivirus programs expect to see this type of encryption coming from Apple’s legitimate security tools, they did not flag the malware as suspicious.
The malware’s source code leaked on underground forums in late 2024, leading to new variants developed by other cybercriminals. Check Point researchers have since tracked multiple campaigns distributing Banshee through phishing websites and fake GitHub repositories posing as popular software like Chrome or Telegram. Some campaigns targeted both Mac and Windows users, with Windows devices being hit by another malware called Lumma Stealer.
The Banshee malware can steal browser credentials, cryptocurrency wallet details, user passwords, and sensitive file data by tricking users into entering their macOS passwords via fake system prompts. “This stealthy malware doesn’t just infiltrate; it operates undetected, blending seamlessly with normal system processes,” said Check Point researchers.
Experts warn that no operating system is immune to threats. Users should be cautious about what they download and consider pairing Apple’s built-in XProtect antivirus with additional antivirus software to protect their devices from increasingly sophisticated malware.