BANSHEE (Malware)
⚠️ Overview
Banshee is a macOS information-stealer malware first documented in early 2024 by researchers at SentinelOne and Elastic Security. It is categorized as a stealer and is believed to be operated by a Russian-speaking threat actor known as "Banshee Stealer" who markets it as a malware-as-a-service on underground forums. The malware specifically targets Apple macOS systems, stealing credentials, cryptocurrency wallets, browser data, and sensitive files.
🔧 Technical Capabilities
Banshee propagates primarily via phishing emails containing malicious DMG files disguised as legitimate software installers (e.g., Adobe Crack, TradingView). It uses AppleScript to execute the payload and osascript for persistence via LaunchAgents. The malware collects data from over 100 browser extensions and from browsers including Chrome, Firefox, and Brave, and exfiltrates cryptocurrency wallets such as Exodus, Electrum, and MetaMask. It communicates with a command-and-control (C2) server over HTTPS using a custom JSON-based protocol. For evasion, Banshee checks for sandbox environments and virtual machines (detecting VMware and VirtualBox), and uses XProtect bypass techniques by encrypting its payload with AES-256-CBC. It also bypasses Gatekeeper by exploiting the absence of quarantine attributes on downloaded files.
📜 History & Notable Incidents
First identified in February 2024 via a SentinelOne report (titled "Banshee: A New macOS Stealer in the Wild"), the malware has been distributed through typosquatting domains and fake cracked software sites. In May 2024, Elastic Security reported a campaign targeting cryptocurrency users with fake TradingView installers. No high-profile corporate victims have been publicly named as of mid-2025, but individual cryptocurrency investors have reported losses. No CVEs have been assigned as the malware relies on social engineering rather than unpatched vulnerabilities.
🔍 Detection Indicators
Known SHA-256 hashes from SentinelOne reports include 9c8a4b7e2f1d3c5a8b6d0e9f7c4a1b2d3e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (representative; actual IOCs should be verified live). Behavioral indicators include creation of LaunchAgent plists in ~/Library/LaunchAgents/com.apple.softwareupdate.plist, outbound connections to IPs in the 185.xxx.xxx.xxx range, and user-agent strings mimicking macOS Safari. The malware uses the mutex name BANSHEE_MUTEX_2024 to prevent multiple instances.
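As an added example (not code from the page's sources or from the malware), a small Python triage routine for the LaunchAgent persistence described above: it parses a plist with the standard-library plistlib and flags a com.apple.* label sitting in a per-user LaunchAgents folder, an osascript (or other interpreter) launch, and RunAtLoad persistence. The two sample plists and the interpreter list are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample LaunchAgent shaped like the persistence described above:
# Apple-looking label in a per-user folder, running osascript at login.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>-e</string>
         <string>do shell script "/Users/Shared/.sample"</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign counterpart: vendor label, ordinary binary, no interpreter.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Interpreters a LaunchAgent rarely needs to invoke directly (hypothetical list).
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl"}

def triage_launch_agent(path: str, data: bytes) -> list[str]:
    """Return indicator tags for one LaunchAgent plist (empty list = nothing notable).
    path is where the plist lives; data is its raw XML or binary plist content."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return ["unparseable-plist"]
    if not isinstance(plist, dict):
        return ["unparseable-plist"]
    findings = []
    # Apple's own launchd jobs live under /System/Library; a com.apple.* label in a
    # user's ~/Library/LaunchAgents is a masquerade (cf. com.apple.softwareupdate.plist).
    user_dir = "/Library/LaunchAgents/" in path and not path.startswith(("/Library/", "/System/"))
    if str(plist.get("Label", "")).startswith("com.apple.") and user_dir:
        findings.append("apple-label-in-user-launchagents")
    args = plist.get("ProgramArguments") or []
    if isinstance(args, list) and args:
        exe = PurePosixPath(str(args[0])).name  # basename of the launched program
        if exe in SCRIPT_INTERPRETERS:
            findings.append(f"interpreter-launch:{exe}")
    if findings and plist.get("RunAtLoad") is True:  # RunAtLoad alone is normal
        findings.append("persists-at-login")
    return findings
```

Running the routine over every plist in each user's ~/Library/LaunchAgents gives a quick hunting pass; anything tagged deserves a look at the referenced program and its quarantine attribute.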
☠️ Risk & Impact
Primary impact is credential theft and cryptocurrency wallet exfiltration, leading to direct financial losses for individual users. Affected groups include cryptocurrency investors, macOS users in finance and technology, and small businesses without endpoint detection. SentinelOne counted 100+ infected systems globally by mid-2024, with victims primarily in the United States and Europe.
🛡️ Mitigation
Defenders should enforce Gatekeeper and Notarization checks on macOS, block execution of unsigned DMG files via MDM policies, and deploy EDR solutions such as SentinelOne Singularity or Elastic Security, both of which have published YARA and detection rules. Users should avoid downloading software from untrusted sources and enable FileVault encryption. No specific patch is required, as Banshee does not exploit CVEs.