Security researchers at SlowMist have discovered a new piece of malware for macOS designed to steal data from Telegram users and cryptocurrency holders. In addition to credentials, it also collects data related to crypto wallets, which attackers can use in the later stages of an attack.
According to SlowMist, the malware copies internal files from Telegram Desktop and Telegram for macOS that contain active session data. Using these files, attackers can restore that session on another device without logging in again.
The researchers also note that some locally stored chat history may remain accessible even after Telegram applies server-side security measures.
In addition to Telegram, the malware extracts passwords from the macOS Keychain, web browsers, and the Notes app. Combined with crypto wallet files, this information allows attackers to attempt to decrypt wallet databases offline.
For Ledger and Trezor owners, the malware uses a different attack method: it replaces the hardware wallet interface and then redirects users to phishing pages designed to steal their seed phrases.
Social Engineering Remains the Main Attack Vector
According to SlowMist, the malware is distributed through social engineering techniques. The primary targets are macOS users who rely on Telegram for work and store crypto wallets on their computers.
The researchers recommend enabling a passcode in Telegram and avoiding storing highly sensitive information in the macOS Keychain and the Notes app.
