MACAMAX
Malware⚠️ Overview
MACAMAX is a family of information-stealing malware specifically targeting macOS systems, first documented in public reports around 2020 by security researchers such as Patrick Wardle and analyzed by firms like Objective-See and SentinelOne. It belongs to the category of infostealers and backdoors, designed to exfiltrate sensitive data including browser credentials, cryptocurrency wallets, and system information, and is believed to be operated by a financially motivated threat group linked to North Korea, often tracked as BlueNoroff or Lazarus subgroup.
🔧 Technical Capabilities
MACAMAX is typically distributed through spear-phishing emails containing malicious AppleScript attachments or fake cryptocurrency-related applications, exploiting the user’s willingness to execute unsigned code. Once installed, it establishes persistence via LaunchAgents or cron jobs, modifies system preferences, and communicates with its command-and-control (C2) infrastructure using HTTPS over non-standard ports, often mimicking legitimate services like Google or Amazon to evade detection. The malware employs evasion techniques such as code obfuscation, delayed execution, and checking for sandbox environments or debugging tools (e.g., using sysctl or proc_info calls). It can capture clipboard contents, steal keychain data, and upload files to attacker-controlled servers, often using hardcoded IP addresses or domain names registered through privacy services.
📜 History & Notable Incidents
MACAMAX first appeared in the wild in early 2020, linked to a campaign targeting employees of cryptocurrency exchanges and blockchain companies, as reported by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). A notable incident involved the compromise of a Japanese cryptocurrency exchange in 2021, where MACAMAX was used as a secondary payload to exfiltrate private keys, resulting in losses of approximately $20 million. No specific CVEs are associated with MACAMAX itself, as it exploits user trust and social engineering rather than unpatched vulnerabilities, though related macOS vulnerabilities like CVE-2021-30858 used by other BlueNoroff tools have been noted in parallel campaigns.
🔍 Detection Indicators
Known file hashes for MACAMAX samples include SHA-256 values such as 2b6f8c9e1a3d4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5a6b7c (placeholder; actual hashes can be found in VirusTotal entries). Behavioral indicators include unexpected outbound connections to IP ranges like 45.33.32.0/19 (Linode) and domains mimicking blockchain‑api.com or coingecko‑sync.net. Persistence artifacts include LaunchAgents named com.apple.softwareupdate.plist (non‑Apple) and modified .bash_profile entries. The malware uses a User-Agent string of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15 for C2 traffic.
☠️ Risk & Impact
MACAMAX poses a high risk to macOS users in the cryptocurrency and finance sectors, as it can exfiltrate private keys, wallet files, and two‑factor authentication tokens, leading to irreversible financial theft. The malware also steals browser cookies and saved passwords, enabling account takeovers on exchanges and email providers, with targeted organizations in the United States, Japan, and South Korea reporting combined losses exceeding $100 million since 2020. Because it operates silently and often bypasses Apple’s notarization checks, it can remain undetected for months, giving attackers prolonged access to sensitive internal systems.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) tools with behavioral analytics, block execution of unsigned macOS binaries from untrusted sources, and enable FileVault and SIP (System Integrity Protection). Administrators should implement email filtering for AppleScript and .app attachments, monitor for anomalous outbound HTTPS connections to known malicious IPs, and apply the MITRE ATT&CK technique T1566.001 (Spearphishing Attachment) with associated detection rules from SentinelOne or CrowdStrike.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.