{
	"id": "2a3fbdcd-c9ca-4295-987c-ed76d67e6499",
	"created_at": "2026-04-06T01:29:13.496355Z",
	"updated_at": "2026-04-10T13:11:59.586939Z",
	"deleted_at": null,
	"sha1_hash": "7a6658142229753fc45da2864f9553a9591a13da",
	"title": "The source code of Banshee Stealer leaked online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 951338,
	"plain_text": "The source code of Banshee Stealer leaked online\r\nBy Pierluigi Paganini\r\nPublished: 2024-11-26 · Archived: 2026-04-06 00:42:06 UTC\r\nBanshee Stealer, a macOS Malware-as-a-Service, shut down after its source code leaked online. The code is now available on GitHub.\r\nIn August 2024, Russian hackers promoted BANSHEE Stealer, a macOS malware targeting x86_64 and ARM64, capable of stealing browser data, crypto wallets, and more.\r\nBANSHEE Stealer supports basic evasion techniques: it relies on the sysctl API to detect debugging and checks for virtualization by running a command to see if “Virtual” appears in the hardware model identifier.\r\nThe malware avoids targeting Russian systems by checking the user’s language settings via the CFLocaleCopyPreferredLanguages API, though this check can be bypassed.\r\nThe discovery of the malware highlights the growing focus on macOS-specific malware as the platform becomes a more frequent target for cybercriminals.\r\nhttps://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html\r\nPage 1 of 3\n\nResearchers at Elastic Security Labs analyzed the malware and confirmed it can steal keychain passwords and data from multiple browsers.\r\nBanshee Stealer can target data from nine different browsers: Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari. The malware can collect cookies, logins and browsing history, but from Safari only cookies can be collected. Elastic researchers noted that, for Safari, only the cookies are collected by the AppleScript script in the current version.\r\n“Additionally, data from approximately 100 browser plugins are collected from the machine. A list of these extension IDs is provided at the end of the blog post.” reads the report published by Elastic Security Labs. “The collected files are saved under \u003ctemporary_path\u003e/Browsers.”\r\nBanshee Stealer can also steal cryptocurrency from different wallets, including Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic and Ledger.\r\nAfter collecting data, the malware compresses the temporary folder containing it into a ZIP file using the ditto command. The ZIP file is then XOR encrypted, base64 encoded, and sent via a POST request to a specified URL using the built-in cURL command.\r\n“BANSHEE Stealer is macOS-based malware that can collect extensive data from the system, browsers, cryptocurrency wallets, and numerous browser extensions.” concludes the report. “Despite its potentially dangerous capabilities, the malware’s lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand. While BANSHEE Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community.”\r\nThis week, the source code of Banshee Stealer, the macOS-based Malware-as-a-Service (MaaS) infostealer, was leaked online, researchers at VXunderground reported.\r\nThe operators behind the MaaS shut down their operations after the leak.\r\nVXunderground archived the leak and published it on GitHub.\r\n“Yesterday Banshee Stealer, the MacOS-based Malware-as-a-Service infostealer, had their source code leaked online. As a result of the leak they’ve shut down their operations. We’ve archived the leak and made it available for download on GitHub.”\r\nPierluigi Paganini\r\nSource: https://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html"
	],
	"report_names": [
		"the-source-code-of-banshee-stealer-leaked-online.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a6658142229753fc45da2864f9553a9591a13da.pdf",
		"text": "https://archive.orkl.eu/7a6658142229753fc45da2864f9553a9591a13da.txt",
		"img": "https://archive.orkl.eu/7a6658142229753fc45da2864f9553a9591a13da.jpg"
	}
}