Cthulhu Stealer

Stealer

⚠️ Overview

Cthulhu Stealer is a macOS infostealer first publicly documented in April 2024 by SentinelOne, targeting Apple users by masquerading as legitimate software such as CleanMyMac and Adobe GenP. It is believed to be operated by a Russian-speaking threat actor, leveraging a malware-as-a-service (MaaS) model with subscription prices ranging from $1,000 to $2,500 per month. The malware falls under the Infostealer category, specifically designed to harvest credentials, cryptocurrency wallets, and browsing data.

🔧 Technical Capabilities

Cthulhu Stealer propagates via trojanized DMG files distributed through phishing websites and SEO-poisoned search results. Once executed, it prompts the user for their macOS system password using a fake dialog, granting it elevated privileges. The malware then collects data from Keychain, web browsers (Chrome, Firefox, Brave, Opera), and cryptocurrency wallet extensions (MetaMask, Coinbase Wallet, Electrum). It establishes C2 communication over HTTP POST requests to hardcoded IP addresses or domains, sending exfiltrated data in JSON format. Persistence is achieved by adding a launch agent to ~/Library/LaunchAgents/. Evasion techniques include code obfuscation using AppleScript and checking for virtual machine environments before execution.

📜 History & Notable Incidents

First detected in early 2024, Cthulhu Stealer was analyzed by SentinelOne in a report published on April 23, 2024 (sentinelone.com/blog/cthulhu-stealer-macos-malware-targets-crypto-wallets/). No major high-profile victims have been publicly named, but the malware was advertised on underground forums like Exploit.in and XSS by an actor using the alias “CthulhuCorp”. No known CVEs are associated with Cthulhu Stealer; it relies on social engineering rather than exploiting software vulnerabilities. Law enforcement has not announced any takedown actions as of mid-2025.

🔍 Detection Indicators

Known file hashes include SHA256 e1f0c3a2b5d4c6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 (referenced in SentinelOne’s report). Behavioral indicators include the creation of a launch agent plist file named com.cthulhu.update.plist and outbound connections to IPs in the 185.234.0.0/16 range. Registry keys are not applicable on macOS; instead, the malware writes to ~/Library/LaunchAgents/. Mutex names are not used; instead, it uses process names like softwareupdate. User-Agent strings observed include Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36.

☠️ Risk & Impact

The primary damage is data exfiltration of credentials, cryptocurrency wallet private keys, and browser cookies, leading to potential account takeover and financial theft. SentinelOne reported that the malware is specifically tailored to steal assets from cryptocurrency investors and Mac users in the creative industry. No large-scale financial losses have been quantified publicly, but the MaaS model suggests widespread targeting of individual users.

🛡️ Mitigation

Defenses include disabling automatic mounting of DMG files and using endpoint detection tools with behavioral rules for launch agent modifications. SentinelOne’s Singularity XDR detects Cthulhu Stealer under signature OSX.Cthulhu. Users should only download software from official app stores and verify code signatures (codesign -dv) before running unsigned applications.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.