Supposedly shut down last November, the Stealer-as-a-Service nevertheless remains in active distribution through unknown sources
Many macOS users believe that the platform’s architecture and lower market share make it less vulnerable to malware.
However, the rise of the Banshee stealer undermines this assumption. Banshee quietly steals browser credentials, cryptocurrency wallets, passwords, and sensitive files, and has evaded even experienced IT professionals.
In November 2024, Banshee’s source code was leaked online. The leak improved detection but also raised concerns about new variants, and recent campaigns, likely run by former customers or private groups, continue to spread the malware. The latest version has also dropped the check that previously made the malware skip machines whose primary language is Russian, so Russian-speaking users are no longer excluded from its targets.
How Banshee operates
First discovered in mid-2024, Banshee was marketed as a “stealer-as-a-service” for US$3,000 on underground forums. According to Check Point Research (CPR), by September 2024 a new version had adopted the string-encryption algorithm used by Apple’s own XProtect antivirus engine, which helped it slip past antivirus detection.
Distributed through phishing websites and malicious code repositories disguised as popular software, the malware had operated undetected for months. Its sophisticated functionality includes:
- Data theft: It targets browsers, cryptocurrency wallets, and Two-Factor Authentication (2FA) extensions to steal credentials, system details, and macOS passwords.
- Deception: Displays convincing fake system password prompts to trick users into entering their macOS password.
- Detection evasion: Employs anti-analysis techniques to evade debuggers and antivirus tools.
- Data exfiltration: Packs the stolen data into an encrypted archive and sends it to command-and-control servers.
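The fake-prompt and credential-theft behaviours listed above can be hunted for in endpoint process telemetry. The script below is an added, illustrative example written for this article; it is not Banshee code and not from CPR. It assumes, as is common for macOS stealers generally, that the fake password prompt is produced with the built-in `osascript` tool and an AppleScript `display dialog ... with hidden answer`, and that browser credential theft involves querying the login keychain for a Chromium-family “Safe Storage” key. The process records are constructed samples, not real telemetry, and the trusted-parent prefixes are a tuning assumption.

```python
"""Hunt constructed macOS process-execution records for two stealer behaviours:
a fake password prompt and a browser-keychain dump. Added example, not Banshee
code; the indicators are assumptions about common macOS stealer tradecraft."""
import re
from dataclasses import dataclass

# Both substrings appear in the AppleScript behind a fake password prompt
# (assumption: the prompt is built with osascript's "display dialog").
PROMPT_MARKERS = ("display dialog", "with hidden answer")
SECRET_WORDS = re.compile(r"password|passcode|credential", re.I)
# Parents under these prefixes are treated as lower risk (tuning assumption).
TRUSTED_PARENT_PREFIXES = ("/System/", "/Applications/", "/usr/", "/bin/")
# Keychain items whose value decrypts Chromium-family saved logins (assumption).
KEYCHAIN_TARGETS = ("chrome safe storage", "brave safe storage",
                    "chromium safe storage", "microsoft edge safe storage")


@dataclass
class ProcEvent:
    pid: int
    parent: str    # executable path of the parent process
    cmdline: str   # full command line of the spawned process


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: list[str] = []
    cmd = ev.cmdline.lower()
    parts = cmd.split(None, 1)
    if not parts:
        return hits
    argv0 = parts[0].rsplit("/", 1)[-1]   # basename of the executed binary
    untrusted_parent = not ev.parent.startswith(TRUSTED_PARENT_PREFIXES)

    if argv0 == "osascript" and all(m in cmd for m in PROMPT_MARKERS):
        # Hidden-answer dialogs are rare outside credential theft; the word
        # "password" in the prompt text makes it the classic stealer lure.
        hits.append("fake_password_prompt" if SECRET_WORDS.search(cmd)
                    else "hidden_input_dialog")
        if untrusted_parent:
            hits.append("prompt_from_untrusted_parent")

    if (argv0 == "security" and "find-generic-password" in cmd
            and any(t in cmd for t in KEYCHAIN_TARGETS)):
        hits.append("browser_keychain_dump")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (pid, matched rules) for every event that fires at least one rule."""
    return [(ev.pid, hits) for ev in events if (hits := classify(ev))]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(4101, "/Users/alice/Downloads/Setup.app/Contents/MacOS/Setup",
              "osascript -e 'display dialog \"macOS needs to update. "
              "Enter your password to continue\" default answer \"\" "
              "with hidden answer with title \"System Preferences\" with icon caution'"),
    ProcEvent(4102, "/Applications/Xcode.app/Contents/MacOS/Xcode",
              "osascript -e 'display notification \"Build finished\" with title \"Xcode\"'"),
    ProcEvent(4103, "/bin/bash", "osascript /Users/alice/scripts/backup.scpt"),
    ProcEvent(4104, "/Users/alice/Downloads/Setup.app/Contents/MacOS/Setup",
              '/usr/bin/security find-generic-password -w -s "Chrome Safe Storage"'),
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(rules)}")
```

Only the two records spawned by the downloaded “Setup” binary fire: the hidden-answer password dialog and the keychain query for Chrome’s Safe Storage key. The legitimate notification from Xcode and the script run from a shell do not. In practice the same rules would be fed from EDR process-start events or the macOS unified log rather than the inline list.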
The threat of Banshee underscores the broader risks of modern malware, including data breaches, cryptocurrency theft, and operational disruptions. Its success highlights the evolving nature of cyber threats, and the need for robust defenses. Despite the shutdown of Banshee’s public operation, CPR has identified ongoing distribution through phishing campaigns.
Businesses and users need to adopt proactive cybersecurity measures, including:
- Advanced threat detection tools to combat evolving malware
- Awareness training to identify phishing attempts and suspicious activity
- Regular updates to maintain robust defenses against emerging threats
By staying informed and fostering a culture of caution, organizations can mitigate risks and maintain resilience against sophisticated cyber threats, according to CPR.