{
	"id": "b5c681dd-d62f-4c12-b2ae-e6fc44f5b0c2",
	"created_at": "2026-04-06T00:12:50.8503Z",
	"updated_at": "2026-04-10T03:36:48.18874Z",
	"deleted_at": null,
	"sha1_hash": "e0bea28097553694a059c9406566d0dd9aceca8e",
	"title": "Mac Malware Steals Cryptocurrency Exchanges’ Cookies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 690544,
	"plain_text": "Mac Malware Steals Cryptocurrency Exchanges’ Cookies\r\nBy Yue Chen, Cong Zheng, Wenjun Hu, Zhi Xu\r\nPublished: 2019-01-31 · Archived: 2026-04-05 14:45:36 UTC\r\nPalo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform.\r\nThis malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.\r\nIt also steals saved passwords in Chrome.\r\nFinally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac.\r\nBy leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.\r\nIf successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.\r\nThe malware also configures the system to load coinmining software on the system. This software is made to look like an XMRig-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency that is associated with Japan.\r\nBecause of the way this malware attacks the cookies associated with exchanges, we have named this malware “CookieMiner”.\r\nIn the following sections, we will first briefly introduce some background knowledge, and then dig into the technical details of the malware’s behaviors.\r\nBackground\r\nWeb cookies are widely used for authentication. Once a user logs into a website, its cookies are stored for the web server to know the login status. If the cookies are stolen, the attacker could potentially sign into the website to use the victim’s account. Stealing cookies is an important step to bypass login anomaly detection. If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.\r\nA cryptocurrency exchange is a place to trade cryptocurrencies for other assets, such as other digital (crypto)currencies or conventional fiat money. Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining. Furthermore, attackers could manipulate the cryptocurrency prices with large-volume buying and/or selling of stolen assets, resulting in additional profits.\r\nTechnical Details\r\nA rundown of CookieMiner’s behaviors (discussed in more detail in the following sections):\r\nSteals Google Chrome and Apple Safari browser cookies from the victim’s machine\r\nSteals saved usernames and passwords in Chrome\r\nSteals saved credit card credentials in Chrome\r\nSteals iPhone’s text messages if backed up to Mac\r\nSteals cryptocurrency wallet data and keys\r\nKeeps full control of the victim using the EmPyre backdoor\r\nMines cryptocurrency on the victim’s machine\r\nStealing Cookies\r\nThe CookieMiner attack begins with a shell script targeting macOS. As shown in Figure 1, it copies the Safari browser’s cookies to a folder and uploads them to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop” (https://github[.]com/kennell/curldrop), which allows users to upload files with curl. The attack targets cookies associated with cryptocurrency exchanges including Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain name, such as www.blockchain[.]com.\r\nFigure 1. Code to steal web cookies\r\nStealing Credit Cards, Passwords, Wallets and SMS\r\nApple’s Safari is not the only web browser targeted. Google Chrome also attracts the threat actors’ attention due to its popularity. CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome’s local data storage (Figure 2).\r\nFigure 2. Malware extracts Chrome's secret data\r\nCookieMiner adopts techniques from the Google Chromium project’s code for its decryption and extraction operations and abuses them. Google Chromium is an open-source version of the Google Chrome browser. By abusing these techniques, CookieMiner attempts to steal credit card information from major issuers, such as Visa, Mastercard, American Express, and Discover (Figure 3). The user’s saved login credentials are also stolen, including usernames, passwords, and the corresponding web URLs (Figure 4).\r\nFigure 3. CookieMiner extracts credit card information\r\nFigure 4. CookieMiner extracts login credentials\r\nCookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to back up files from iPhone to Mac (which can be done via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers (Figure 5).\r\nFigure 5. Malware steals wallets, cookies, passwords and SMS\r\nCryptocurrency Mining\r\nCookieMiner issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence (Figure 6). The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (koto-pool.work). The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The hash addresses in Figure 8 use the “Yescrypt” algorithm, which is good for CPU miners but not ideal for GPU miners. This is ideal for malware, as the victim hosts are not guaranteed to have discrete GPUs installed but are guaranteed to have a CPU available. However, the filename xmrig2 is usually used by Monero miners. We believe the malware authors may have intentionally used this filename to create confusion, since the miner is actually mining the Koto cryptocurrency.\r\nFigure 6. CookieMiner mines cryptocurrency\r\nFigure 7. Mining performance of the worker\r\nRemote Control\r\nFor persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. The attacker is able to send commands to the victim’s machine for remote control. Additionally, the agent checks if Little Snitch (an application firewall) is running on the victim’s host. If so, it will stop and exit.\r\nConclusion\r\nThe malware “CookieMiner” is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated. Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.\r\nCustomers of Palo Alto Networks are protected by WildFire, which is able to automatically detect the malware. AutoFocus users can track this activity by using the StealCookie tag.\r\nIndicators of Compromise\r\nSamples\r\nc65e65207f6f9f8df05e02c893de5b3c04825ac67bec391f0b212f4f33a31e80 uploadminer.sh\r\n485c2301409a238affc713305dc1a465afa9a33696d58e8a84e881a552b82b06 harmlesslittlecode.py\r\n27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71 OAZG\r\n91b3f5e5d3b4e669a49d9c4fc044d0025cabb8ebb08f8d1839b887156ae0d6dd com.apple.rig2.plist\r\ncdb2fb9c8e84f0140824403ec32a2431fb357cd0f184c1790152834cc3ad3c1b com.proxy.initialize.plist\r\nede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05 xmrig2\r\nC2 Information\r\nhxxps://ptpb[.]pw/OAZG\r\n46.226.108[.]171\r\nSource: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
	],
	"report_names": [
		"mac-malware-steals-cryptocurrency-exchanges-cookies"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0bea28097553694a059c9406566d0dd9aceca8e.pdf",
		"text": "https://archive.orkl.eu/e0bea28097553694a059c9406566d0dd9aceca8e.txt",
		"img": "https://archive.orkl.eu/e0bea28097553694a059c9406566d0dd9aceca8e.jpg"
	}
}