Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users.
This new version had been undetected for over two months until the original version of Banshee Stealer was leaked on XSS forums, which resembled similarities with the malware’s core functionality.
One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same as Apple uses in its Xprotect antivirus engine for MacOS.
One method of distributing Banshee Stealer involved malicious GitHub repositories, targeting Windows users with Lumma Stealer and macOS users with Banshee Stealer.
Banshee operated as a ‘stealer-as-a-service’, priced at $3,000, and was advertised through Telegram and forums such as XSS and Exploit. On November 23, 2024, the malware’s source code was leaked, leading the author to shut down the operations the following day.
Despite shutting down the operation, threat actors continue to distribute the new version of Banshee via phishing websites.
Executive Summary: Since September, Check Point Research (CPR) has been monitoring a new version of the Banshee macOS Stealer, a malware that steals
The Banshee Stealer macOS malware operation, which emerged earlier this year, was reportedly shut down following a source code leak.
The BANSHEE malware is a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.
Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.
