Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users.
This new version had been undetected for over two months until the original version of Banshee Stealer was leaked on XSS forums, which resembled similarities with the malware’s core functionality.
One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same as Apple uses in its Xprotect antivirus engine for MacOS.
One method of distributing Banshee Stealer involved malicious GitHub repositories, targeting Windows users with Lumma Stealer and macOS users with Banshee Stealer.
Banshee operated as a ‘stealer-as-a-service’, priced at $3,000, and was advertised through Telegram and forums such as XSS and Exploit. On November 23, 2024, the malware’s source code was leaked, leading the author to shut down the operations the following day.
Despite shutting down the operation, threat actors continue to distribute the new version of Banshee via phishing websites.

Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies follow and report about new variants frequently.

Apple released its first update to its new behavioural security protection in XProtect Behaviour Service on 8 August, and again on 1 September. Here are the details.

macOS may alert you when you’re trying to open or run a file, with an alert informing you that malware was detected. But what about in scans?

MRT’s days appear numbered. On 14 March this year, Apple released its successor – a new version of XProtect, which now does the lot.