Cthulhu Stealer malware scams macOS users — and its own affiliates

A newly identified malware-as-a-service (MaaS) known as Cthulhu Stealer targets macOS users, first luring them in by imitating legitimate software and then stealing up to two dozen different types of data.

Cthulhu Stealer is believed to be based on another macOS MaaS called Atomic Stealer, but charges affiliates half the price: $500 per month versus the $1,000 a month cybercriminals shell out for Atomic Stealer. Details about the stealer, which first emerged in late 2023, were revealed in a blog post by Cado Security on Thursday.

“The groups behind Cthulhu and Atomic are distinct, but there are notable similarities between the stealers. Atomic Stealer comes with a control panel for purchasers, whereas Cthulhu doesn’t seem to,” Tara Gould, threat research lead at Cado Security, told SC Media. “While there are minor differences in the targeted file storage locations, recent versions of Atomic Stealer include encryption routines for obfuscation, with other versions containing payloads encoded in Base64.”

One notable similarity between Cthulhu and Atomic is the use of the macOS command-line tool osascript to prompt the user for their password in order to access items stored in Keychain; spelling mistakes in the code also appear to have carried over from Atomic to Cthulhu. However, unlike Cthulhu, Atomic Stealer “appears to be actively maintained with regular updates and new variants frequently released,” Gould noted, whereas the operator of Cthulhu, also known as Balaclavv, was permanently banned from the cybercrime marketplace on which Cthulhu Stealer was originally advertised, due to allegedly scamming its own affiliates out of thousands of dollars.

Posts on the cybercrime site in March 2024 accused Cthulhu of failing to pay affiliates their cut of money stolen from victims through deployment of the MaaS, with one affiliate claiming the operator owed them $4,500.

“The surprising part of Cthulhu Stealer is the amount of money that the group managed to steal through deploying the stealer. In the grand scheme of malware, it isn’t a large amount of money, but it shows that users were still able to become infected,” Gould noted. “Mac’s inbuilt security tools, such as GateKeeper, should ensure binaries are signed to run, however this could be due to the macOS version that the user has.”
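The osascript password prompt that the article says both stealers share leaves a recognisable trace in process command lines. The following is an added example for detection engineers, not code from the article or from Cado Security: it assumes the AppleScript idiom `display dialog ... default answer "" with hidden answer` (the standard way to get a masked text field out of osascript) and scores constructed sample command lines, of the kind an EDR or process-monitoring tool would log, for that pattern plus credential-related wording.

```python
"""
Heuristic detector for osascript-driven fake password prompts on macOS.

Added example (not from the article or Cado Security). Assumption: a
stealer that wants a masked input box from osascript runs something like
  osascript -e 'display dialog "..." default answer "" with hidden answer'
so the combination of osascript + display dialog + hidden answer, with
credential wording, is the signal. Sample command lines are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    # benign: AppleScript that just activates Finder
    "osascript -e 'tell application \"Finder\" to activate'",
    # suspicious: masked input dialog dressed up as a system prompt
    "osascript -e 'display dialog \"macOS needs to access System Settings\\n\\n"
    "Please enter your password.\" default answer \"\" with icon caution "
    "buttons {\"Continue\"} default button \"Continue\" with hidden answer'",
    # suspicious: captures the typed text for later Keychain access
    "osascript -e 'set pw to text returned of (display dialog \"Enter password\" "
    "default answer \"\" with hidden answer)'",
    # benign: informational dialog, no text input at all
    "osascript -e 'display dialog \"Backup complete\" buttons {\"OK\"}'",
    # unrelated process, should be ignored entirely
    "/usr/bin/curl -s https://example.invalid/update",
]

# Each rule: (compiled regex, weight, human-readable reason)
OSASCRIPT = re.compile(r"(^|/|\s)osascript(\s|$)")
RULES = [
    (re.compile(r"display\s+dialog", re.I), 1, "display dialog"),
    (re.compile(r"default\s+answer", re.I), 1, "text input field"),
    (re.compile(r"with\s+hidden\s+answer", re.I), 3, "masked (password-style) input"),
    (re.compile(r"password|passcode|keychain|credential", re.I), 2, "credential wording"),
]


@dataclass
class Finding:
    cmdline: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_cmdline(cmdline):
    """Return a Finding for an osascript command line, or None if it is not osascript."""
    if not OSASCRIPT.search(cmdline):
        return None
    finding = Finding(cmdline)
    for pattern, weight, reason in RULES:
        if pattern.search(cmdline):
            finding.score += weight
            finding.reasons.append(reason)
    return finding


def find_credential_prompts(cmdlines, threshold=4):
    """Return findings whose score reaches the threshold.

    A threshold of 4 requires the hidden-answer idiom plus at least one
    other indicator, so a plain informational dialog never fires.
    """
    findings = (score_cmdline(c) for c in cmdlines)
    return [f for f in findings if f is not None and f.score >= threshold]


if __name__ == "__main__":
    for f in find_credential_prompts(SAMPLE_CMDLINES):
        print(f"score={f.score} reasons={f.reasons}\n  {f.cmdline}")
```

Tune the weights to your environment: legitimate admin tooling occasionally uses `with hidden answer`, so pair a hit with the parent process (a freshly downloaded, unsigned binary in a user's Downloads folder is a very different story from an MDM agent) before escalating.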