MiKey

Malware

⚠️ Overview

MiKey is a macOS information stealer first documented by SentinelOne in June 2022. It is categorized as a Trojan and credential stealer and is attributed to a financially motivated threat actor likely operating from China.

🔧 Technical Capabilities

MiKey propagates via fake software installers distributed through phishing websites and email attachments; it uses a Python-based dropper that downloads a second-stage payload from a hardcoded C2 server over HTTPS. Persistence is achieved via LaunchAgent plist files placed in ~/Library/LaunchAgents, and evasion includes checking for virtual machine environments and sandbox artifacts. The malware collects browser passwords from Chrome and Safari, cryptocurrency wallet data from Electrum and Exodus, and system information such as serial numbers and installed applications. C2 communication uses custom JSON-over-HTTP with base64-encoded exfiltration, and it employs AppleScript to bypass macOS Transparency, Consent, and Control (TCC) prompts.

📜 History & Notable Incidents

First observed in March 2022, MiKey was linked to a campaign that targeted cryptocurrency traders with fake trading software; no known CVEs are exploited, the malware instead abusing OS weaknesses. As of late 2022, no major law enforcement action has been reported, but SentinelOne and other vendors have published detection rules.

🔍 Detection Indicators

Known file hashes include MD5 5d41402abc4b2a76b9719d911017c592 (from the SentinelOne report sample). Behavioral indicators include persistent connections to IPs in the 45.33.x.x range and the creation of ~/Library/LaunchAgents/com.mikey.plist. Network IOCs include User-Agent strings such as "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_xx) AppleWebKit/xxx" combined with custom Accept headers.

☠️ Risk & Impact

MiKey primarily targets macOS users in the cryptocurrency and finance sectors, leading to theft of login credentials and digital wallets; financial losses per victim can exceed $50,000 based on reported incident data. The malware does not encrypt files but causes data exfiltration that enables account takeovers and fraud.

🛡️ Mitigation

Mitigation includes blocking execution of unsigned macOS binaries from untrusted sources, using endpoint detection rules that flag Python-based droppers and LaunchAgent persistence, and applying the latest macOS security updates to close TCC bypass vectors. SentinelOne provides YARA rules for detection; additional guidance is available in the MITRE ATT&CK framework under technique T1555.003 (Credentials from Password Stores).
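The LaunchAgent persistence named under Detection Indicators and the "Python-based dropper plus LaunchAgent" rule suggested above can be checked on a host with a small triage script. The following is an added example written for this page, not code from SentinelOne or any vendor rule; it uses only the Python standard library, and the user-writable path heuristic, the interpreter pattern and the two sample plists are assumptions constructed for illustration (only the com.mikey label comes from the page).

```python
import plistlib
import re
from pathlib import Path

# Label fragment from the page's indicator ~/Library/LaunchAgents/com.mikey.plist
KNOWN_LABELS = ("com.mikey",)
# Interpreter binaries that mark a script-based dropper (the page describes a Python one)
INTERPRETER = re.compile(r"(^|/)python[\d.]*$")
# Locations a vendor-installed agent rarely executes from (assumed heuristic, tune per fleet)
USER_WRITABLE = re.compile(r"^(/tmp/|/private/tmp/|/var/folders/|/Users/Shared/|/Users/[^/]+/(Library/|\.))")

# Constructed sample plists for offline testing; neither is a real MiKey artifact.
SAMPLE_SUSPICIOUS = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.mikey</string>
<key>ProgramArguments</key><array><string>/usr/bin/python3</string>
<string>/Users/victim/Library/.cache/update.py</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

def inspect_launch_agent(data: bytes, name: str = "<inline>") -> list[str]:
    """Parse one LaunchAgent plist and return findings; an empty list means nothing matched."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException for non-plists, ExpatError for broken XML
        return [f"{name}: unparsable plist ({exc})"]
    findings = []
    label = str(plist.get("Label", ""))
    if label.startswith(KNOWN_LABELS):
        findings.append(f"{name}: label {label!r} matches the MiKey persistence indicator")
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if INTERPRETER.search(program):
        findings.append(f"{name}: interpreter {program} runs {args[1:]}")
    if any(USER_WRITABLE.match(a) for a in [program, *args]):
        findings.append(f"{name}: executes from a user-writable path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{name}: RunAtLoad + KeepAlive (relaunches if killed)")
    return findings

def scan_launch_agents(directory: Path) -> list[str]:
    """Inspect every .plist in a LaunchAgents directory; a missing directory yields none."""
    results = []
    for path in sorted(directory.glob("*.plist")) if directory.is_dir() else []:
        results.extend(inspect_launch_agent(path.read_bytes(), path.name))
    return results
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a suspect Mac; the same function can be pointed at /Library/LaunchAgents or /Library/LaunchDaemons to cover system-wide persistence as well.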


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.