New Banshee Stealer Variant Bypasses Antivirus with Apple’s XProtect-Inspired Encryption

Latest News on Banshee Stealer macOS Malware

As of January 2025, significant developments have been reported regarding the Banshee Stealer malware, a sophisticated macOS-focused information-stealing malware.

Resurgence and New Variant

Banshee Stealer, which was first documented in August 2024 by Elastic Security Labs, has resurfaced with a new, more stealthy variant. Despite its source code leaking online in late November 2024, which led to a temporary shutdown of its operations, the malware is once again being distributed through various phishing campaigns [1][4].

Advanced Encryption and Evasion Techniques

The new variant of Banshee Stealer incorporates advanced string encryption inspired by Apple's XProtect antivirus engine. This encryption allows the malware to bypass antivirus systems, posing a significant risk to over 100 million macOS users globally. The XProtect-inspired string encryption is a notable update: it obfuscates the plaintext strings that the original version of the malware carried in the clear, making the new variant harder to detect [1].

Distribution Methods

The malware is distributed via phishing websites and fake GitHub repositories, disguising itself as popular software such as Google Chrome, Telegram, and TradingView. This social engineering tactic exploits common human vulnerabilities rather than platform-specific flaws, highlighting the evolving nature of cyber threats [1].

Target Expansion

The new variant has removed a Russian language check that was previously used to prevent infections of Macs with Russian set as the default system language. This change suggests that the threat actors are now targeting a broader range of potential victims [1].

Malware-as-a-Service (MaaS) Model

Banshee Stealer is offered under a MaaS model, available to other cybercriminals for $3,000 per month. It is capable of harvesting data from web browsers, cryptocurrency wallets, and files matching specific extensions. Despite the source code leak, multiple campaigns are still distributing the malware, although it is unclear if these are carried out by previous customers [1].

Impact and Recommendations

Given the advanced evasion techniques and widespread distribution, macOS users are advised to be cautious of unsolicited messages and fake software updates. Cybersecurity researchers emphasize the importance of staying vigilant against social engineering attacks and ensuring that all software is downloaded from trusted sources [1].

For the latest updates and mitigation strategies, users and organizations should monitor cybersecurity advisories and ensure their antivirus systems are updated to detect the new variant of Banshee Stealer.

Sources:

  • [1] The Hacker News: New Banshee Stealer Variant Bypasses Antivirus with Apple's XProtect Encryption
  • [4] Security Affairs: Banshee Stealer, a MacOS Malware-as-a-Service, shut down after its source code leaked online