![CVE-2024-44243 Banshee Rust](https://securityexpress.info/wp-content/uploads/2025/01/mac-2376101_1280-1024x576.jpg)
Infostealers targeting macOS continue to evolve at a rapid pace, making their monitoring increasingly critical. Recently, the source code of the infostealer Banshee, written in Objective-C, was leaked online, providing researchers with an opportunity to scrutinize its inner workings. This analysis subsequently led to the discovery of a potential successor—an advanced variant rewritten in Rust.
On January 15, 2025, researchers at Kandji identified a new infostealer sample on VirusTotal. The malware behaves much like Banshee, focusing on exfiltrating data from web browsers, cryptocurrency wallets, and browser extensions. Unlike its predecessor, however, this variant sends the collected files to the loopback address of the machine it runs on rather than to a remote server, suggesting it is still in testing or early development.
A thorough code analysis revealed striking similarities between the two infostealers. One of the earliest indicators was the reuse of function names between the Rust-based malware and the leaked Banshee source code. Rust mangles symbol names and appends a hash suffix to each function's mangled symbol, so the names do not match verbatim; once the symbols were demangled and the hash suffixes stripped, the researchers observed a substantial overlap. Notably, the mac_os_stealer::main() function in the new infostealer passes its arguments in the same way as the original Banshee.
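The comparison just described can be reproduced with a few lines of code. The block below is an added example, not code from Kandji's analysis or from the sample: a simplified demangler for Rust's legacy symbol mangling (`_ZN<len><ident>…<len><ident>E`, with the trailing `h` + 16-hex-digit hash segment dropped, and an extra leading underscore on macOS binaries), followed by the overlap check against a reference list of function names. The symbol table and the reference list are constructed placeholders, not strings taken from the leaked Banshee source; `$..$` escapes and the newer v0 mangling scheme are deliberately not handled.

```rust
use std::collections::HashSet;

/// Demangle a legacy-mangled Rust symbol into a `::`-joined path.
/// The compiler's uniqueness suffix (a final segment of `h` plus 16 hex digits)
/// is dropped so the same function from different builds yields the same path.
/// Returns `None` for symbols not in this form.
pub fn demangle_legacy(sym: &str) -> Option<String> {
    let rest = sym
        .strip_prefix("__ZN") // Mach-O symbols carry an extra leading underscore
        .or_else(|| sym.strip_prefix("_ZN"))?
        .strip_suffix('E')?;
    let bytes = rest.as_bytes();
    let mut parts: Vec<&str> = Vec::new();
    let mut i = 0;
    while i < bytes.len() {
        // Each segment is a decimal length followed by that many ASCII bytes.
        let start = i;
        while i < bytes.len() && bytes[i].is_ascii_digit() {
            i += 1;
        }
        let len: usize = rest[start..i].parse().ok()?;
        let ident = rest.get(i..i + len)?;
        i += len;
        parts.push(ident);
    }
    if let Some(last) = parts.last() {
        let is_hash = last.len() == 17
            && last.starts_with('h')
            && last[1..].bytes().all(|b| b.is_ascii_hexdigit());
        if is_hash {
            parts.pop();
        }
    }
    if parts.is_empty() {
        return None;
    }
    Some(parts.join("::"))
}

/// Last path segment of every demangled symbol that also appears in a
/// reference list of function names (for instance, names read out of the
/// leaked source of a suspected ancestor). Sorted and de-duplicated.
pub fn shared_function_names(rust_symbols: &[&str], reference_names: &[&str]) -> Vec<String> {
    let reference: HashSet<&str> = reference_names.iter().copied().collect();
    let mut shared: Vec<String> = rust_symbols
        .iter()
        .filter_map(|s| demangle_legacy(s))
        .filter_map(|path| path.rsplit("::").next().map(str::to_owned))
        .filter(|name| reference.contains(name.as_str()))
        .collect();
    shared.sort();
    shared.dedup();
    shared
}

/// Constructed symbol table (placeholders, not strings from any real sample).
pub const SAMPLE_SYMBOLS: &[&str] = &[
    "__ZN14mac_os_stealer4main17h1a2b3c4d5e6f7890E",
    "__ZN14mac_os_stealer9send_data17h0123456789abcdefE",
    "__ZN14mac_os_stealer12collect_info17hfedcba9876543210E",
    "__ZN4core3fmt5write17h00000000000000ffE",
    "_main",
];

/// Constructed stand-in for function names read out of a leaked
/// Objective-C code base (placeholders).
pub const REFERENCE_NAMES: &[&str] = &["main", "send_data", "check_vm"];

fn main() {
    for sym in SAMPLE_SYMBOLS {
        println!("{sym:<55} -> {:?}", demangle_legacy(sym));
    }
    println!("shared: {:?}", shared_function_names(SAMPLE_SYMBOLS, REFERENCE_NAMES));
}
```

In practice the symbol list comes from `nm` or a disassembler's export of a stripped-hash symbol table, and the reference list from grepping function definitions out of the leaked source; matching only on the final path segment keeps crate and module names, which the Objective-C original never had, out of the comparison.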
Further evidence of its lineage is the `killall Terminal` command, which also appears in the leaked Objective-C code. It terminates the Terminal application, and with it any open terminal windows, likely to conceal the activity from the user. The new infostealer additionally implements a virtual machine check built around the byte-string literal
`b"system_profiler SPHardwareDataType | grep 'Model Identifier'"`
If the output contains the string "Virtual" (guests of Apple's Virtualization framework report model identifiers such as VirtualMac2,1), the program responds in the same manner as Banshee, reinforcing the connection between the two.
Another notable feature is the use of sysctl() to detect an attached debugger, a common anti-analysis technique among infostealers. The standard macOS form of this check queries kern.proc.pid for the process's own kinfo_proc entry and tests the P_TRACED flag, which the kernel sets while a debugger is attached.
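Both evasion checks, the virtual machine test on the `system_profiler` output and the sysctl debugger test, are shown together below as an added example; this is not code from the sample, and it follows the standard technique (Apple's documented kern.proc.pid / P_TRACED check) rather than claiming to mirror the malware's exact implementation. The two `system_profiler` output strings are constructed. The sysctl constants come from `<sys/sysctl.h>` and `<sys/proc.h>`, and the assumed byte offset of `kp_proc.p_flag` (32) is the 64-bit macOS layout of `struct kinfo_proc`; the live check is only compiled on macOS and returns `None` elsewhere.

```rust
use std::ffi::c_void;

/// Constructed `grep 'Model Identifier'` output for a physical Mac and for an
/// Apple Virtualization guest (placeholders for the example).
pub const PHYSICAL_OUTPUT: &str = "      Model Identifier: MacBookPro18,3\n";
pub const VM_OUTPUT: &str = "      Model Identifier: VirtualMac2,1\n";

/// The VM check described in the article: a plain substring test for "Virtual".
pub fn looks_like_vm(model_identifier_output: &str) -> bool {
    model_identifier_output.contains("Virtual")
}

/// Equivalent of `system_profiler SPHardwareDataType | grep 'Model Identifier'`.
#[cfg(target_os = "macos")]
pub fn model_identifier_line() -> Option<String> {
    let out = std::process::Command::new("system_profiler")
        .arg("SPHardwareDataType")
        .output()
        .ok()?;
    String::from_utf8_lossy(&out.stdout)
        .lines()
        .find(|l| l.contains("Model Identifier"))
        .map(str::to_owned)
}

/// `P_TRACED` from <sys/proc.h>: set in `p_flag` while a debugger is attached.
pub const P_TRACED: i32 = 0x0000_0800;
/// Assumed byte offset of `kp_proc.p_flag` inside `struct kinfo_proc` on
/// 64-bit macOS: p_un (16 bytes) + p_vmspace (8) + p_sigacts (8).
pub const P_FLAG_OFFSET: usize = 32;

/// Read `p_flag` out of a raw `kinfo_proc` record and test `P_TRACED`.
/// Returns `None` if the record is too short to contain the flag word.
pub fn traced_flag_set(kinfo: &[u8]) -> Option<bool> {
    let b = kinfo.get(P_FLAG_OFFSET..P_FLAG_OFFSET + 4)?;
    let p_flag = i32::from_ne_bytes([b[0], b[1], b[2], b[3]]);
    Some(p_flag & P_TRACED != 0)
}

/// Live debugger check via sysctl({CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()}).
#[cfg(target_os = "macos")]
pub fn debugger_attached() -> Option<bool> {
    extern "C" {
        fn getpid() -> i32;
        fn sysctl(
            name: *mut i32,
            namelen: u32,
            oldp: *mut c_void,
            oldlenp: *mut usize,
            newp: *mut c_void,
            newlen: usize,
        ) -> i32;
    }
    const CTL_KERN: i32 = 1;
    const KERN_PROC: i32 = 14;
    const KERN_PROC_PID: i32 = 1;

    let mut mib = [CTL_KERN, KERN_PROC, KERN_PROC_PID, unsafe { getpid() }];
    // Oversized buffer; the kernel writes sizeof(kinfo_proc) back into `len`.
    let mut buf = vec![0u8; 1024];
    let mut len = buf.len();
    let rc = unsafe {
        sysctl(
            mib.as_mut_ptr(),
            mib.len() as u32,
            buf.as_mut_ptr() as *mut c_void,
            &mut len,
            std::ptr::null_mut(),
            0,
        )
    };
    if rc != 0 || len < P_FLAG_OFFSET + 4 {
        return None;
    }
    traced_flag_set(&buf[..len])
}

/// Not supported off macOS; the example only demonstrates the macOS check.
#[cfg(not(target_os = "macos"))]
pub fn debugger_attached() -> Option<bool> {
    let _ = std::ptr::null::<c_void>();
    None
}

fn main() {
    println!("constructed VM output flagged: {}", looks_like_vm(VM_OUTPUT));
    println!("constructed physical output flagged: {}", looks_like_vm(PHYSICAL_OUTPUT));
    println!("debugger attached (None = unsupported here): {:?}", debugger_attached());
}
```

When analysing a sample that performs this check, the usual countermeasure is to break on the `sysctl` call and clear the `P_TRACED` bit in the returned buffer, or to patch the comparison after it; the string check for "Virtual" is defeated simply by running the sample on a VM whose hardware model string has been changed.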
During their investigation, researchers found that the infostealer systematically gathers system information by executing multiple commands to determine the macOS version, hardware specifications, and available RAM. The malware then creates a temporary directory and invokes the send_data() function, preparing the harvested data for transmission. Within this function, traces of encryption were also identified, suggesting that the stolen information is encrypted or otherwise obfuscated before it is sent.
Interestingly, this infostealer is configured to transmit data to 127.0.0.1:3030, that is, to a listener on the infected machine itself, so nothing leaves the host; this reinforces the theory that it is still undergoing testing. Such loopback endpoints are commonly observed in the early development stages of malicious software, before a fully operational command-and-control (C2) infrastructure is deployed.
Further analysis confirmed that the malware is designed to extract data from major browsers, including Chrome, Firefox, Microsoft Edge, and Yandex. The code also contains identifiers for cryptocurrency wallet extensions, which were found to be an exact match with those in the leaked Banshee code.
After collecting user data, the malware systematically categorizes and stores the stolen information: browser data is saved in a directory labeled "Browsers", while cryptocurrency wallet credentials are placed in a "Wallets" folder. These files are likely intended for later transmission to an external server.
Based on the available evidence, researchers strongly believe that the new Rust-based infostealer is an evolved adaptation of Banshee. The exposure of such threats underscores the necessity for continuous malware monitoring and analysis. As cybercriminals refine their tactics and adapt to evolving security measures, defensive strategies must advance at an equally aggressive pace.