Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application for managing crypto assets via Ledger cold wallets.
Since August 2024, Moonlock Lab has been tracking a malware campaign that initially focused on stealing passwords and wallet details but has now evolved to extract seed phrases, enabling attackers to drain victims' funds.
This surge in sophisticated attacks, including the recent ByBit heist, highlights the growing exploitation of trust in cold wallet security tools, turning them into vectors for cybercrime.
With four active campaigns currently underway, the crypto community faces heightened risk as threat actors refine their phishing tactics and malware delivery mechanisms to bypass Ledger Live's robust defenses.
Sophisticated Phishing Campaigns
The evolution of these attacks is exemplified by the Atomic macOS Stealer (AMOS), which deploys a fake Ledger Live app through a malicious DMG file, such as JandiInstaller.dmg.
Once installed, it replaces the legitimate app and displays deceptive alerts about "suspicious activity" or "critical errors," tricking users into entering their 24-word seed phrases.
These phrases are then transmitted to attacker-controlled servers via dedicated URLs like hxxps://aimplyhired.com/download.php.
Another notable threat, the Odyssey stealer by the actor Rodrigo, has deployed advanced phishing pages since March 2025, fetching usernames from local paths and presenting convincing error messages to lure victims.

Meanwhile, dark web forums buzz with chatter about "anti-Ledger" features, as seen in posts by @mentalpositive, although their latest samples lack the advertised phishing capabilities, suggesting future updates.
From Data Theft to Seed Phrase Heists
A campaign uncovered by Jamf Threat Labs further reveals a stealthy DMG file hosted at hxxp://138.68.93.230/Ledger-Live.dmg, using PyInstaller-packed binaries to evade detection while fetching phishing pages through iframes.
These multi-stage attacks typically combine AppleScript and Python to harvest sensitive data ranging from browser credentials to crypto wallet configurations before exfiltrating it to command-and-control (C2) servers.
Techniques like VM detection to evade sandboxes and fake GUI dialogs to obtain sudo privileges underscore the technical sophistication of these threats.
The AMOS campaign, in particular, orchestrates an elaborate con by terminating the legitimate Ledger Live app, installing a trojanized version, and guiding users through a series of phishing pages that culminate in seed phrase theft.

These pages, which dynamically generate input fields for recovery phrases, encode the data in base64 before transmitting it, while displaying misleading messages like "App corrupted" to delay suspicion.
According to the report, this direct attack on Ledger Live's security, which otherwise keeps seed phrases beyond the reach of typical malware, demonstrates how attackers rely on social engineering to bypass technical safeguards.
As these campaigns proliferate, crypto owners must remain vigilant, downloading Ledger Live only from official sources, never sharing seed phrases, and staying informed through trusted research such as Moonlock Lab's updates.
The growing interest in anti-Ledger schemes on dark web platforms signals that the next wave of attacks is already in motion, posing a persistent threat to millions of users worldwide.
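The base64-encoded seed phrase submission described above is something an egress proxy or DLP inspector can look for. The following is an added detection example written for this article, not code from Moonlock Lab, Jamf or the malware itself: it base64-decodes candidate request bodies (raw or as form-encoded field values) and flags any decoded text shaped like a 12-, 18- or 24-word recovery phrase. The sample bodies are constructed (the "phrase" is the NATO alphabet, not a real seed), and the word check is a shape test only; a production rule would additionally match against the BIP39 wordlist.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed placeholder "phrase": 24 NATO-alphabet words, deliberately not a real seed.
_FAKE_PHRASE = ("alfa bravo charlie delta echo foxtrot golf hotel india juliett kilo lima "
                "mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray")
_FAKE_B64 = base64.b64encode(_FAKE_PHRASE.encode()).decode()

# Constructed sample POST bodies (not real captures).
SAMPLE_BODIES = [
    urlencode({"phrase": _FAKE_B64}),        # base64 blob inside a form field
    _FAKE_B64,                                # raw base64 body
    "event=app_start&version=2.9.0",          # benign telemetry, must not be flagged
]

# BIP39 words are 3 to 8 lowercase ASCII letters; this is a shape check, not a wordlist check.
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def try_b64(blob: str) -> Optional[str]:
    """Strictly decode base64 and return ASCII text, or None if it is not base64 text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def looks_like_seed_phrase(text: str) -> bool:
    """True if the text is 12, 18 or 24 whitespace-separated BIP39-shaped words."""
    words = text.strip().split()
    return len(words) in (12, 18, 24) and all(WORD_RE.match(w) for w in words)


def candidate_blobs(body: str) -> List[str]:
    """The whole body plus every form-encoded value, each a possible base64 blob."""
    blobs = [body]
    if "=" in body:
        for values in parse_qs(body).values():
            blobs.extend(values)
    return blobs


def inspect_body(body: str) -> bool:
    """Return True if any decodable blob in the body resembles a recovery phrase."""
    for blob in candidate_blobs(body):
        decoded = try_b64(blob)
        if decoded is not None and looks_like_seed_phrase(decoded):
            return True
    return False


def scan_bodies(bodies: List[str]) -> List[int]:
    """Indices of the bodies that should be alerted on."""
    return [i for i, body in enumerate(bodies) if inspect_body(body)]


if __name__ == "__main__":
    for i in scan_bodies(SAMPLE_BODIES):
        print(f"ALERT: body #{i} carries a base64-encoded recovery-phrase-shaped payload")
```

`urlencode` percent-encodes the `+` and `/` characters of the base64 alphabet, so `parse_qs` returns the blob intact; a rule that splits on `&`/`=` by hand would corrupt the blob and miss the payload.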
Indicators of Compromise (IoCs)
| IoC Type | Value | Description |
|---|---|---|
| Hash (SHA-256) | a5255d7a4f7fb67a0682d1827cfba80c3e296b23b4ef450beea832c1292e12d8 | AMOS JandiInstaller.dmg, initiates phishing |
| Hash (SHA-256) | 3992d69d17a2cd460c99f98f9dd1e61bc56ce362be1bab3d3a574c414a7b6ad2 | Malicious DMG file from Jamf's article |
| URL | hxxp://138.68.93.230/Ledger-Live.dmg | Download link for malicious DMG file |
| URL | hxxps://aimplyhired.com/download.php | AMOS C2 server for seed phrase exfiltration via POST |
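To put the table to use, here is an added example (not part of the article or of any vendor tooling) that hashes downloaded files against the two SHA-256 IoCs and sweeps proxy logs for the two C2 hosts. The defanged `hxxp` URLs are taken from the table as published and refanged before parsing; the proxy log format (`timestamp client method url status`) and the log lines themselves are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# IoCs exactly as listed in the table above.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "a5255d7a4f7fb67a0682d1827cfba80c3e296b23b4ef450beea832c1292e12d8": "AMOS JandiInstaller.dmg",
    "3992d69d17a2cd460c99f98f9dd1e61bc56ce362be1bab3d3a574c414a7b6ad2": "malicious DMG (Jamf)",
}
KNOWN_BAD_URLS = [
    "hxxp://138.68.93.230/Ledger-Live.dmg",
    "hxxps://aimplyhired.com/download.php",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable http(s):// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


BAD_HOSTS = {urlparse(refang(u)).hostname for u in KNOWN_BAD_URLS}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so large DMGs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_bytes(data: bytes) -> Optional[str]:
    """IoC description if the content matches a known-bad hash, else None."""
    return KNOWN_BAD_SHA256.get(sha256_of_bytes(data))


def check_file(path: str) -> Optional[str]:
    return KNOWN_BAD_SHA256.get(sha256_of_file(path))


# Hypothetical proxy log layout, constructed for this example: ts client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per request whose host is a known C2/download host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if host in BAD_HOSTS:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "host": host, "url": m["url"]})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-05-20T10:01:02Z 10.0.0.12 GET https://www.ledger.com/ledger-live 200",
    "2025-05-20T10:03:15Z 10.0.0.12 GET http://138.68.93.230/Ledger-Live.dmg 200",
    "2025-05-20T10:09:41Z 10.0.0.12 POST https://aimplyhired.com/download.php 200",
    "2025-05-20T10:10:00Z 10.0.0.7 GET https://example.com/ 200",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['host']}  <- IoC match")
```

A GET of the DMG followed minutes later by a POST to the exfiltration host from the same client, as in the sample, is the sequence to alert on; the hash check is the complementary control for files already on disk or in a download quarantine.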