SlowMist has uncovered a macOS information stealer that can seize authenticated Telegram sessions, copy crypto wallet databases and replace legitimate wallet applications with attacker-contro
SlowMist has uncovered a macOS information stealer that can seize authenticated Telegram sessions, copy crypto wallet databases and replace legitimate wallet applications with attacker-controlled phishing software.
The campaign begins with a fake community application hosted through Google Sites. Victims are directed to download an AppleScript file or run a Terminal command disguised as a security-verification step. The payload then displays a phony “Google API Connector” update prompt requesting administrator access.
The malware does not accept any password entered into the prompt. It checks the credential against the Mac and continues only after confirming a valid system password. It also copies Apple Keychain data, browser passwords, cookies, Chrome Safe Storage material and Apple Notes content.
The delivery method mirrors fake crypto interview campaigns that push targets to install unknown applications or execute commands on machines holding wallets and account credentials.
Telegram Sessions Restore Without New Verification
The malware targets local session files used by Telegram Desktop and Telegram for macOS. SlowMist restored the stolen files on another Mac and gained immediate access to the test account without entering a phone number, SMS code or Telegram two-step verification password.
The process does not crack Telegram’s two-factor authentication. It reuses a session that the service has already authorized, preventing the normal login checks from being triggered again. The copied session may also fail to appear as a clearly identifiable new device, making the takeover harder to spot through Telegram’s active-session list.
Wallet collection spans 16 desktop applications, including Electrum, Exodus, Atomic Wallet, Wasabi, Sparrow, Bitcoin Core, Monero, Ledger Live and Trezor Suite. The malware also carries a list of 223 wallet-extension IDs and collects their local storage, browser authentication data and account configurations.
Encrypted wallet databases are paired with passwords taken from the operating system, browsers and Notes. SlowMist successfully decrypted an Atomic Wallet database in a controlled test after one of the stolen candidate passwords matched the wallet.
Malware Replaces Ledger and Trezor Apps
The payload removes legitimate installations of Ledger Live, Ledger Wallet and Trezor Suite before placing lookalike applications inside the Mac’s Applications folder.
Those replacements contain no hardware-wallet or transaction-signing functionality. They open attacker-controlled web pages behind the original names and icons, allowing fake recovery or verification screens to request a seed phrase.
The method resembles the fake Ledger app that drained nearly 6 BTC after its victim entered a recovery phrase into counterfeit software.
Anyone who ran the malicious script should disconnect the Mac, terminate every Telegram session from a trusted device and rotate passwords stored in browsers, Keychain or Notes. Wallets whose databases or recovery material may have been exposed should be abandoned after remaining assets are transferred to fresh addresses created on clean hardware.
The post SlowMist Finds macOS Malware Hijacking Telegram Sessions and Crypto Wallets appeared first on Crypto Adventure.