A new information-stealing malware, dubbed MonetaStealer, is actively targeting macOS users. Discovered on January 6, 2026, by security researchers at Iru, the threat is delivered as a Mach-O binary posing as a legitimate application, which may deceive users into running it. Researchers are concerned by its increasing prevalence and by its specific targeting of Apple devices. MonetaStealer poses a significant risk to macOS users, particularly those in professional sectors who frequently exchange files.
MonetaStealer is engineered to pilfer a wide array of sensitive data from infected macOS systems: stored browser passwords, cryptocurrency wallet details, Wi-Fi credentials, SSH keys, and financial documents. The code checks that it is running on macOS (the check reads if sys.platform != 'darwin', and the stealer bails out when the test is true), so it only functions on Apple's operating system, which reflects a deliberately narrow targeting strategy.
A notable characteristic of MonetaStealer is its extensive use of code generated by machine learning tools, which researchers suggest indicates the malware is still in development. Despite this early stage and the lack of obfuscation in parts of its code, MonetaStealer had zero detections on VirusTotal at the time of discovery, meaning many current security products would not have flagged it. That detection gap is a significant concern for defenders.
The primary payload was identified as portfolio_app.pyc, embedded in a binary built with PyInstaller. PyInstaller packs the script's compiled bytecode and its dependencies into a compressed CArchive appended to its bootloader executable, which keeps the malicious logic out of view of basic static analysis tools that only inspect the host binary. Decompiling the embedded bytecode revealed comments in Russian left in place, a sign that the developer prioritised functionality and rapid development over stealth. The malware even prints a banner during execution reading "PROFESSIONAL MACOS STEALER v2.0," further indicating its intent.
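To show what this PyInstaller packaging looks like to an analyst, here is an added example (it is not code from the original report or from Iru): a small parser for the CArchive trailer that PyInstaller appends to its bootloader, run over a constructed stand-in file. The cookie and TOC layouts are those of PyInstaller 2.1 and later; the sample bytes, the entry names, the fake Mach-O prefix and the banner string searched for are constructed here, and the stand-in payload is not real bytecode.

```python
import struct
import zlib

# CArchive layout (PyInstaller 2.1 and later): bootloader, then data blobs, then the
# table of contents (TOC), then an 88-byte cookie that points back at the TOC.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, archive length, TOC offset, TOC length, Python version, lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed len, uncompressed len, flag, typecode
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18, followed by a NUL-terminated, NUL-padded name


def parse_carchive(blob: bytes):
    """Find the trailing cookie and decode the TOC. Returns None when no CArchive is present."""
    cookie_pos = blob.rfind(MAGIC)          # search backwards: the bootloader code itself also contains MAGIC
    if cookie_pos < 0 or len(blob) - cookie_pos < COOKIE_LEN:
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_LEN])
    tail = len(blob) - cookie_pos - COOKIE_LEN   # bytes after the cookie (for example a code signature)
    archive_start = len(blob) - pkg_len - tail   # pkg_len covers data + TOC + cookie
    toc = blob[archive_start + toc_off: archive_start + toc_off + toc_len]
    entries, off = [], 0
    while off + ENTRY_LEN <= len(toc):
        entry_len, pos, clen, ulen, flag, typecode = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_LEN])
        name = toc[off + ENTRY_LEN: off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typecode.decode(), "offset": archive_start + pos,
                        "clen": clen, "ulen": ulen, "compressed": bool(flag)})
        off += entry_len
    return {"python": f"{pyver // 100}.{pyver % 100}",
            "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract_entry(blob: bytes, entry: dict) -> bytes:
    """Return an entry's bytes, inflating it when the TOC flag says it is zlib-compressed."""
    raw = blob[entry["offset"]: entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def user_scripts(info: dict) -> list:
    """Typecode 's' marks the author's own entry scripts; that is where a stealer's logic lives."""
    return [e["name"] for e in info["entries"] if e["type"] == "s"]


def triage(blob: bytes, marker: bytes = b"MACOS STEALER"):
    """Summarise a binary: interpreter version, user scripts, and which scripts contain a marker string."""
    info = parse_carchive(blob)
    if info is None:
        return None
    hits = [e["name"] for e in info["entries"] if e["type"] == "s" and marker in extract_entry(blob, e)]
    return {"python": info["python"], "scripts": user_scripts(info), "marker_hits": hits}


def build_sample(entries, prefix=b"", pyver=311, pylib=b"Python3") -> bytes:
    """Constructed test input: a stand-in bootloader prefix followed by a CArchive written per the layout above."""
    body, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        data = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\0"
        entry_len = ENTRY_LEN + len(name_b)
        entry_len += (-entry_len) % 16                 # PyInstaller pads each TOC entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len, len(body), len(data), len(payload), int(compress), typecode)
        toc += name_b.ljust(entry_len - ENTRY_LEN, b"\0")
        body += data
    pkg_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver, pylib.ljust(64, b"\0"))
    return prefix + bytes(body) + bytes(toc) + cookie


# Constructed sample: a fake Mach-O header as "bootloader", one library module, the user script
# (stand-in bytes carrying the banner string, not real bytecode) and one native library.
PAYLOAD = b"\x00" * 16 + b"PROFESSIONAL MACOS STEALER v2.0" + b"\x00" * 16
SAMPLE = build_sample(
    [("struct", b"M", b"# library module stand-in\n" * 4, True),
     ("portfolio_app", b"s", PAYLOAD, True),
     ("libssl.3.dylib", b"b", bytes(64), False)],
    prefix=b"\xcf\xfa\xed\xfe" + bytes(256))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Searching for the cookie from the end of the file rather than the start matters in practice: the bootloader's own code contains the magic pattern, so a forward search lands on the wrong copy. Once the 's' entries are known, the real bytecode they contain is what a decompiler is pointed at; this block stops at locating and inflating them.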
Chrome Browser Data Theft
MonetaStealer employs several methods to collect data, with a particular focus on Google Chrome. It copies Chrome's SQLite databases to temporary files before reading them, which sidesteps the locks Chrome holds on the live files while the browser is running. To decrypt saved passwords it runs security find-generic-password -w -a "Chrome", which asks the macOS Keychain for the Base64-encoded "Chrome Safe Storage" password from which Chrome derives its encryption key.
That lookup triggers a Keychain access prompt asking the user for their login keychain password. An observant user could refuse, but if access is granted the malware queries login credentials, session cookies, and browsing history with targeted SQL statements. It is selective about cookies: the hostnames of stolen cookies are filtered for keywords such as "bank," "crypto," "exchange," and "paypal," so that sessions on high-value financial and cryptocurrency platforms are prioritised.
Browsing history, including URLs, page titles, and visit counts, is also extracted from Chrome's History database, giving the attacker insight into which services the victim uses and where follow-on attacks might land. All gathered browser data is assembled in the malware's internal storage dictionary and then exfiltrated through a Telegram bot; the identified bot, "b746_mac_collector_bot" with bot ID 8384579537, serves as the command-and-control and exfiltration channel.
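The three behaviours described above (reading Chrome's Safe Storage secret through the security CLI, staging the Login Data, Cookies and History databases in a temporary directory, and talking to api.telegram.org from something other than the Telegram client) are each observable on the endpoint. As an added example, not part of the original report or of any vendor's product, the following correlates those signals per process over a few constructed telemetry records. The event schema, paths, PIDs and the severity rules are assumptions made here; real telemetry from an EDR or Endpoint Security client would need mapping onto them.

```python
import shlex
from collections import defaultdict

CHROME_PROFILE = "/Library/Application Support/Google/Chrome/"
CHROME_DBS = ("Login Data", "Cookies", "History")        # the three databases the stealer copies
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
TELEGRAM_APP = "/Applications/Telegram.app/"           # the one expected client for api.telegram.org


def is_chrome_key_lookup(cmd: str) -> bool:
    """True when a command line reads Chrome's Safe Storage secret from the Keychain via the security CLI."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "security" or argv[1] != "find-generic-password":
        return False
    if "-w" not in argv:        # without -w the command only lists item metadata, not the password
        return False
    opts = {tok: argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok in ("-a", "-s", "-l")}
    return opts.get("-a") == "Chrome" or "Chrome Safe Storage" in (opts.get("-s"), opts.get("-l"))


def score_events(events: list) -> list:
    """Correlate process, file-copy and network events per process and assign a severity."""
    procs = {e["pid"]: e for e in events if e["kind"] == "exec"}
    signals = defaultdict(set)
    for e in events:
        if e["kind"] == "exec" and is_chrome_key_lookup(e["cmd"]):
            signals[e["ppid"]].add("chrome_keychain_key")          # blame the parent that spawned security
        elif (e["kind"] == "file_copy" and CHROME_PROFILE in e["src"]
              and e["src"].endswith(CHROME_DBS) and e["dst"].startswith(TEMP_DIRS)):
            signals[e["pid"]].add("chrome_db_staged_in_temp")
        elif e["kind"] == "connect" and e["host"] == "api.telegram.org":
            image = procs.get(e["pid"], {}).get("image", "")
            if not image.startswith(TELEGRAM_APP):
                signals[e["pid"]].add("telegram_api_from_non_telegram_process")
    findings = []
    for pid, sigs in sorted(signals.items()):
        if "chrome_keychain_key" in sigs and len(sigs) > 1:
            severity = "high"       # key read plus staging or exfiltration is the full stealer pattern
        elif "chrome_keychain_key" in sigs or len(sigs) > 1:
            severity = "medium"     # a lone key read may be an admin at a terminal; check the parent
        else:
            severity = "low"
        findings.append({"pid": pid, "image": procs.get(pid, {}).get("image", "unknown"),
                         "signals": sorted(sigs), "severity": severity})
    return findings


# Constructed sample telemetry (the record shape is an assumption, not a real EDR schema).
HOME = "/Users/alice"
EVENTS = [
    {"t": 100, "kind": "exec", "pid": 501, "ppid": 1, "image": HOME + "/Downloads/portfolio_app",
     "cmd": HOME + "/Downloads/portfolio_app"},
    {"t": 101, "kind": "file_copy", "pid": 501, "src": HOME + CHROME_PROFILE + "Default/Login Data",
     "dst": "/var/folders/q2/T/tmp9f1k/Login Data"},
    {"t": 101, "kind": "file_copy", "pid": 501, "src": HOME + CHROME_PROFILE + "Default/Cookies",
     "dst": "/var/folders/q2/T/tmp9f1k/Cookies"},
    {"t": 102, "kind": "exec", "pid": 502, "ppid": 501, "image": "/usr/bin/security",
     "cmd": 'security find-generic-password -w -a "Chrome"'},
    {"t": 105, "kind": "connect", "pid": 501, "host": "api.telegram.org", "port": 443},
    # An admin reading their own keychain item from a shell: one signal only, medium severity.
    {"t": 200, "kind": "exec", "pid": 650, "ppid": 640, "image": "/bin/zsh", "cmd": "/bin/zsh -l"},
    {"t": 201, "kind": "exec", "pid": 651, "ppid": 650, "image": "/usr/bin/security",
     "cmd": "security find-generic-password -w -s 'Chrome Safe Storage'"},
    # The real Telegram client talking to its own API: not a signal.
    {"t": 300, "kind": "exec", "pid": 800, "ppid": 1, "image": TELEGRAM_APP + "Contents/MacOS/Telegram",
     "cmd": "Telegram"},
    {"t": 301, "kind": "connect", "pid": 800, "host": "api.telegram.org", "port": 443},
]

if __name__ == "__main__":
    for finding in score_events(EVENTS):
        print(finding)
```

The keychain read is the strongest single signal because Chrome itself never calls the security CLI; it uses the Keychain API directly. The rule deliberately attributes that read to the parent process, since the short-lived security process is not the thing worth isolating. Staging the databases in a temporary directory and a Telegram API connection are weaker on their own, which is why the scoring only reaches "high" when they occur together with the key read on the same process.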
The discovery of MonetaStealer underscores the evolving threat landscape for macOS users. Reliance on AI-generated code, together with PyInstaller packaging that kept the sample undetected on VirusTotal despite minimal obfuscation, shows a growing interest among malware developers in the Apple ecosystem. As researchers continue to analyse the threat, further details on its propagation methods and the full extent of its capabilities are expected to emerge, likely followed by updated detection signatures and protective measures from security vendors.