{
	"id": "76f6f593-0deb-465e-ad34-8e5fb87194da",
	"created_at": "2026-04-06T01:30:28.36671Z",
	"updated_at": "2026-04-10T03:21:58.414648Z",
	"deleted_at": null,
	"sha1_hash": "0ebbcfc70a634f4ed393cdc08e15a11bcf988115",
	"title": "Session Cookies, Keychains, SSH Keys and More | 7 Kinds of Data Malware Steals from macOS Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8786567,
	"plain_text": "Session Cookies, Keychains, SSH Keys and More | 7 Kinds of Data Malware Steals from macOS Users\r\nBy Phil Stokes\r\nPublished: 2023-03-22 · Archived: 2026-04-06 00:36:26 UTC\r\nThe scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.\r\nHowever, the idea of stealing valuable data and then monetizing it in nefarious ways is a tactic that is now common across platforms. On macOS, threat actors will quietly exfiltrate session cookies, keychains, SSH keys and more as malicious processes from adware to spyware look to harvest data that can be recycled and sold on various underground forums and marketplaces, or used directly in espionage campaigns and supply chain attacks.\r\nIn recent posts, we have looked at how threat actors deliver payloads to macOS targets and how they attempt to evade detection. In this post, we look at the data assets targeted by macOS malware in some of the most recent in-the-wild incidents in order to help defenders better protect the enterprise and hunt for signs of compromise.\r\n1. Session Cookies\r\nOne of the top targets for observed macOS malware is session cookies stored on users’ devices. For convenience and productivity, browsers and many enterprise apps that are designed to work across devices, such as Slack, TeamViewer, Zoom and similar, allow the user to remain logged in until they explicitly log out.\r\nhttps://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/\r\nPage 1 of 12\r\nThe Slack App allows infinite sessions until the user explicitly logs out\r\nThis is achieved by storing a session cookie on the device. In the event that a process or user copies and steals those cookies, they can use them on a different device to log in without authentication.\r\nThe theft of session cookies from a Mac computer was implicated in the recent CircleCI breach. According to CircleCI’s public statement:\r\n“To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.\r\nBecause the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.\r\nSession cookies can be stored anywhere, but typically they are in locations which can be accessed by the user or a process running as the user. Some locations, such as the User’s Library Cookies folder, may be restricted by TCC unless the parent process has Full Disk Access or uses one of the many known TCC bypasses. Real-world attacks (e.g., XCSSET) and researchers have consistently shown that TCC, while often a nuisance to users, does not present a significant obstacle to attackers.\r\nHere are some common examples of locations that store session cookies on macOS:\r\n~/Library/Cookies/*.binarycookies\r\nChrome: ~/Library/Application Support/Google/Chrome/Default/Cookies\r\nFirefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/\r\nSlack: ~/Library/Application Support/Slack/Cookies (file)\r\n ~/Library/Application Support/Slack/storage/*\r\n ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storag\r\nAn excellent post on abusing Slack and session cookies for offensive security was written by Cody Thomas here.\r\nIn addition, encrypted and unencrypted databases associated with enterprise software can also be targeted by criminals and crimeware. Weakly encrypted databases may be decryptable with a little work and knowledge of the user’s password, often scraped by malware installers upon initial compromise. Zoom’s encrypted database, for example, is targeted by the Pureland infostealer.\r\nPureland Infostealer searches for Zoom encrypted database, among other items\r\n~/Library/Application Support/zoom.us/data/zoomus.enc.db\r\nPureland Info Stealer hosted on Dropbox (Source: VirusTotal)\r\n2. Login Keychain\r\nPerhaps prized above all data on a user’s Mac is the user’s keychain, an encrypted database used to store passwords, authentication tokens and encryption keys. The keychain uses strong encryption that can’t be broken simply by stealing the database or even accessing the computer. However, the weakness of the keychain is that its secrets can all be unlocked if the attacker knows the user’s login password. If that password is weak, easily guessable, or – as is most common – voluntarily given up to a malicious process by request, the strength of the keychain’s encryption is entirely irrelevant.\r\nUnsurprisingly, malware authors are known to target the keychain database for exfiltration. Recent examples include DazzleSpy and a threat that was initially reported on by researchers at Trend Micro last November and dubbed, appropriately enough, KeySteal. Apple belatedly added detections for KeySteal in XProtect v2166 and XProtectRemediator released in March 2023.\r\nKeySteal targets files with the .keychain and .keychain-db file extensions in the following locations:\r\n/Library/Keychains/\r\n~/Library/Keychains/\r\nThe deviceIdentityServerVerify function serves to enumerate keychains on the victim device\r\nThe keychain is then base64-encoded and encrypted by means of an open-source Chinese crypto library called JKEncrypt, a “home-rolled” cryptographic function that uses the legacy (and largely discouraged) 3DES (triple DES) algorithm.\r\n3. User Login Password\r\nAs noted, a user’s login keychain is of little use to an unauthorized party unless they also possess the login user’s password, and as login passwords serve as either necessary or sufficient authentication for almost every other operation on a Mac device, they are highly sought after by threat actors.\r\nPassword theft can be accomplished in a number of ways: through spoofing, through keylogging or simply by asking for authorization for some trivial task and using that authorization for something more nefarious. Malware will typically ask a victim to elevate privileges so that it can install a privileged executable that will subsequently run as root and accomplish whatever tasks the attacker has in mind; often, LaunchDaemons are used for this. A good example of this TTP is seen in the CloudMensis/BadRAT spyware discovered independently by both ESET and Volexity.\r\nCloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)\r\nIn the case of Pureland InfoStealer, it presents the user with a dialog alert to capture the user’s password and uses that to unlock the Keychain via the SecKeychainUnlock API.\r\nPureland Infostealer grabs the user’s password to unlock the keychain\r\n4. Browser Passwords \u0026 Data\r\nMany macOS users continue to take advantage of browsers to store website login credentials and passwords. These and other useful data such as sites where the user has filled in login credentials, browser history, search history and download history are all of interest to threat actors.\r\nPureland infostealer provides another recent example, though XLoader, ChromeLoader and a variety of other macOS malware and adware also target browser data. Pureland executes the following command as part of its getChromeSSPass function.\r\nsecurity 2\u003e\u00261 \u003e /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' \u003e /Users/\r\nStrings related to Chrome data theft in Pureland Infostealer\r\nThe malicious process needs to have elevated privileges and bypass the usual TCC controls in order to succeed; otherwise, the user will be alerted to the attempt by at least one authentication prompt.\r\nThe security command line tool requires authentication\r\n5. SSH Keys\r\nIn late 2021, users of Chinese search engine Baidu were targeted with a number of trojanized versions of popular networking and admin tools, including iTerm2, SecureCRT, MS Remote Desktop for Mac and Navicat15. The malware came to be known as OSX.Zuru and included among its components a Python script that it dropped at /tmp/g.py.\r\nPython component of OSX.Zuru (/tmp/g.py)\r\nshutil.copytree(ssh, foldername + '/ssh')\r\nThe script copied and exfiltrated a number of items, among which were any SSH keys located on the victims’ device.\r\nIn May 2022, macOS Rust developers were targeted in the CrateDepression typosquatting attack. CrateDepression involved infecting users who had the GITLAB_CI environment variable set on their devices, indicating the attacker’s interest in Continuous Integration (CI) pipelines for software development.\r\nSuccessful compromise of a host device led to a Poseidon payload, which, among other things, could search for and exfiltrate SSH keys.\r\nPoseidon agent hunts for SSH and AWS keys on the compromised device\r\nIt is also worth noting that aside from malware that hardcodes SSH data theft, any backdoor RAT that has the ability to execute commands and upload files to a remote server can hunt for SSH keys.\r\nPossession of a victim’s SSH keys could allow attackers to authenticate themselves on the victim’s system. The SSH folder may also contain configuration files that allow access to other accounts on the same system or other systems on the same network.\r\nIn addition to stealing SSH keys, if an attacker can gain write access to the SSH folder, they can also drop their own authorized keys to allow backdoor remote access.\r\n6. Serial Number, Hardware, \u0026 Other Environmental Info\r\nA common behavior of many macOS malware threats is to query for and exfiltrate a variety of environmental data from the hosts. This can be used to fingerprint devices for a variety of reasons, including selective delivery of malware and execution of malware. For example, a C2 can be automated to deliver malware specific to a particular platform (macOS, Linux, Windows) and even to a specific version of that platform.\r\nCustom malware can be delivered that exploits vulnerabilities in one OS version but not another. Similarly, a threat actor may distribute malware to a wide variety of victims, such as through malvertising or poisoned downloads, but only deliver the payload to very specific victims whose environment matches that the attacker is interested in (see the discussion of CrateDepression above).\r\nIf an attacker has advance knowledge of the target’s environment, such as the device UUID or user account name, they can create a hash of that information and only execute if the infected device’s information matches. This kind of selective delivery and execution allows threat actors to spread their disposable malware droppers widely while keeping their specialized payloads out of sight.\r\nDazzleSpy provides a good example of this technique. The malware polls its environment for a great deal of environmental data.\r\nDazzleSpy surveils its host environment in great detail\r\nDazzleSpy Method | System/API Call\r\nmethod.MethodClass.getDiskSystemSize | Uses NSFileManager’s defaultManager to grab NSFileSystemSize from attributesOfFileSystemForPath\r\nmethod.MethodClass.getAllhardwareports | Shells out via networksetup listallhardwareports\r\nmethod.MethodClass.getIPAddress | getifaddrs()\r\nmethod.MethodClass.clearTrace | Uses NSFileManager’s removeItemAtPath to clear various logs\r\nmethod.MethodClass.serialNumber | Uses IOServiceGetMatchingService and IOPlatformExpertDevice to grab kIOPlatformSerialNumberKey\r\nmethod.MethodClass.getSystemVersion | Uses NSDictionary(contentsOfFile: “/System/Library/CoreServices/SystemVersion.plist”) and grabs the objectForKey:”ProductVersion”\r\nmethod.MethodClass.getSystemDate | Retrieves the time relative to the Asia_Shanghai timezone\r\nmethod.MethodClass.getUserName | Calls NSFullUserName()\r\nmethod.MethodClass.getWifiName | Uses the CWWiFiClient shared instance to get the SSID property from interface()\r\nDazzleSpy disassembly for discovering the victim’s Wifi client SSID\r\n7. Pasteboard Contents\r\nThe pasteboard, or clipboard as it’s more generally known, stores text, images and other data in memory when the user executes the copy function available in applications and system-wide via the keyboard hotkey “Cmd-C”.\r\nThe pasteboard is attractive to malware authors as a target for data such as passwords, cryptocurrency addresses and other data either to steal or to replace. For example, some cryptocurrency stealers will monitor for the user copying a wallet address to the pasteboard and then replace it with one belonging to the attacker.\r\nGrabbing and writing to the pasteboard is relatively easy as Apple provides the Foundation framework NSPasteboard APIs as well as the Unix command-line utilities pbcopy and pbpaste for this very purpose.\r\nA good example of Pasteboard leverage is provided by the EggShell RAT. A customized version of EggShell was used in the XcodeSpy malware.\r\nThe getPasteBoard function in the EggShell RAT used in XcodeSpy\r\nXLoader similarly uses NSPasteboard, but attempts to hide the strings on the stack.\r\nStack strings seen in XLoader Info Stealer on macOS\r\nMitigations and Opportunities for Detection\r\nAs Macs have become increasingly popular in the enterprise among leadership and development teams, the data stored on them has become more important to attackers.\r\nMitigations for all these kinds of attacks begin with an endpoint security solution that can both block known and unknown malware and also offer security teams visibility into what is happening on the device.\r\nThreat hunters should regularly monitor for processes attempting to access keychain, SSH and other file paths discussed above.\r\nSentinelOne customers can take advantage of PowerQuery and STAR rules to rapidly hunt for and alert on suspicious events relating to sensitive user data.\r\nAlthough macOS’s TCC mechanism leaves much to be desired, it is nevertheless important to keep macOS endpoints up to date as Apple regularly patches TCC and other vulnerabilities reported by researchers as well as those actively seen in the wild.\r\nConclusion\r\nStealing data is not the only objective malware and malware authors may have in mind, but it is usually involved somewhere along the chain of compromise, either as a means to an end or an end in itself. On macOS, data protection has become increasingly important as the platform has gained popularity in enterprise environments. Awareness of the kind of data recent malware targets and the ways in which that data is accessed by malicious processes is a crucial part of better equipping security teams to defend the organization’s assets.\r\nIf you would like to learn more about how SentinelOne Singularity and its native architecture agent can protect your macOS fleet, contact us or request a free demo.\r\nIndicators of Compromise\r\nCloudMensis/BadRAT\r\nDazzleSpy\r\nEggShell RAT\r\nKeySteal\r\nPoseidon\r\nPureland InfoStealer\r\nXLoader\r\nOSX.Zuru\r\nSource: https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/"
	],
	"report_names": [
		"session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775439028,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ebbcfc70a634f4ed393cdc08e15a11bcf988115.pdf",
		"text": "https://archive.orkl.eu/0ebbcfc70a634f4ed393cdc08e15a11bcf988115.txt",
		"img": "https://archive.orkl.eu/0ebbcfc70a634f4ed393cdc08e15a11bcf988115.jpg"
	}
}