A new strain of macOS malware is targeting cryptocurrency users by stealing Telegram session credentials and decrypting wallet files. The malware tricks victims into entering their wallet recovery phrases through fake applications, giving attackers full access to funds. Security researchers identified the campaign this week, warning that the threat combines credential theft with direct wallet compromise.
How the malware works
The malware first infects a Mac through a fake application — often disguised as a legitimate tool or update. Once installed, it scrapes saved credentials from the system, with a focus on Telegram session tokens. That access lets attackers hijack active Telegram accounts, bypassing two-factor authentication.
But the real damage is in the wallet. The malware can decrypt cryptocurrency wallets stored on the machine. It then prompts users to enter their recovery phrase through a spoofed interface, collecting the seed directly. Between the session hijack and the decrypted wallets, the attacker can drain funds and impersonate the victim on Telegram.
Fake apps as the entry point
Like many macOS threats, this one relies on social engineering. The fake applications are distributed through malicious websites, phishing links, or potentially compromised ad networks. The apps look convincing — they mimic real software names and icons.
Once launched, the malware runs silently in the background. It doesn't immediately trigger alerts because it uses legitimate macOS permissions to access the file system. The credential theft happens in seconds, and the wallet decryption can occur without the user noticing until it's too late.
What users should watch for
There’s no known patch for this particular strain yet, but the attack vector is familiar. Avoid downloading software from unverified sources. Double-check URLs before entering any recovery phrase. And if you’re on a Mac, treat any unexpected pop-up asking for your seed phrase as a red flag — no legitimate wallet app does that.
Telegram session hijacking is especially dangerous because it gives attackers access to group chats, contacts, and any linked services. Users can check active sessions in Telegram’s settings and revoke any that look suspicious. The broader crypto community is sharing indicators of compromise, though the malware continues to evolve.
For now, the safest move is to keep wallet software on a dedicated device or hardware wallet, and to never enter recovery phrases into any application that isn’t the official wallet itself.




