The research team at Kandji has identified a potentially malicious loader targeting macOS, which was uploaded to VirusTotal on January 10, 2025. This malware, dubbed Purrglar, is designed to capture files associated with the Chrome browser and the Exodus cryptocurrency wallet. A distinctive feature of this application is its use of the macOS Security framework API to access the Keychain.
Experts believe that the program is still in its development phase, as data is transmitted to a local host rather than a remote server. Nevertheless, the team’s analysis suggests that the loader has the potential to be weaponized for data theft, warranting heightened scrutiny.
Purrglar collects system information, including the device's serial number, by executing the system_profiler command. These details, combined with a timestamp, form the URL used to transmit files to a local server. Targeted files include cookies, passwords, and account credentials from Chrome, as well as sensitive data from the Exodus cryptocurrency wallet.
When attempting to access the Keychain, the program issues a system prompt requesting user authorization, employing methods recommended by Apple. If the user grants permission, the application gains access to keys linked to Chrome and transmits them, alongside other data, to the server. Should the request be denied, an error message appears, urging the user to enter their password.
The uploaded files include Chrome cookies and login credentials, along with data from the directory ~/Library/Application Support/Exodus/exodus.wallet. File transfers are executed via the curl library API, using its MIME objects to send data in multipart/form-data format. Each file is dispatched to the server through a unique URL generated from the device's serial number and the timestamp.
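As an added detection example (not Kandji's code or the sample's), the following correlates the three behaviours described above per process over endpoint telemetry: a system_profiler execution, reads of Chrome profile or Exodus wallet data, and a multipart/form-data POST whose URL embeds the device serial number. The event schema, the serial number and the sample events are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Paths the write-up names as collection targets (Chrome profile data, Exodus wallet).
SENSITIVE_PATHS = (
    "/Library/Application Support/Google/Chrome/",
    "/Library/Application Support/Exodus/exodus.wallet",
)

def purrglar_like_processes(events, serial):
    """Return {pid: indicators} for processes that show all three stages the
    write-up describes: system_profiler recon, reads of Chrome/Exodus data, and
    a multipart/form-data POST whose URL path embeds the device serial number."""
    hits = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "exec" and ev["cmd"].split()[0].endswith("system_profiler"):
            hits[pid].add("recon:system_profiler")
        elif ev["type"] == "file_read" and any(p in ev["path"] for p in SENSITIVE_PATHS):
            hits[pid].add("collect:exodus" if "Exodus" in ev["path"] else "collect:chrome")
        elif ev["type"] == "http_post":
            multipart = ev.get("content_type", "").startswith("multipart/form-data")
            if multipart and serial in urlparse(ev["url"]).path:
                hits[pid].add("exfil:multipart_url_with_serial")
    # Only flag processes that complete the whole chain; a single stage is noisy.
    return {pid: sorted(inds) for pid, inds in hits.items()
            if "recon:system_profiler" in inds
            and any(i.startswith("collect:") for i in inds)
            and "exfil:multipart_url_with_serial" in inds}

# Constructed sample telemetry (hypothetical event schema): pid 4242 follows the
# described chain against a local listener; pid 77 is a backup tool that only
# reads a Chrome file and never posts anything.
SAMPLE_SERIAL = "C02PLACEHOLDER"  # placeholder, not a real serial number
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "exec", "cmd": "/usr/sbin/system_profiler SPHardwareDataType"},
    {"pid": 4242, "type": "file_read",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"pid": 4242, "type": "file_read",
     "path": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/"},
    {"pid": 4242, "type": "http_post", "content_type": "multipart/form-data; boundary=x",
     "url": "http://127.0.0.1:8080/" + SAMPLE_SERIAL + "/1736467200"},
    {"pid": 77, "type": "file_read",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
]

if __name__ == "__main__":
    for pid, inds in purrglar_like_processes(SAMPLE_EVENTS, SAMPLE_SERIAL).items():
        print(pid, inds)
```

Note that the local-host destination is what makes this sample look unfinished; the same correlation applies unchanged once the URL points at a remote server.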
At the time of analysis, researchers were unable to ascertain the developers’ ultimate intentions. While it may be an experimental project, its structure and behavior suggest the potential for future deployment in malicious campaigns targeting sensitive data. Experts advise vigilance and recommend paying close attention to similar applications.