TL;DR:
- SlowMist recognized macOS malware that may hijack Telegram Desktop classes and compromise crypto wallets by harvesting Keychain knowledge, Safari cookies, Apple Notes and pockets databases.
- Attackers can reuse authenticated Telegram session knowledge with out recent codes or two-step verification, then goal wallets by way of offline decryption or pretend Ledger and Trezor apps.
- Customers ought to terminate Telegram classes, change passwords and passcodes, generate new restoration phrases on clear gadgets and transfer property instantly.
A brand new macOS information-stealing marketing campaign is sharpening a well-recognized lesson for crypto customers: pockets safety can fail earlier than any blockchain transaction begins. SlowMist recognized malware able to hijacking Telegram Desktop classes and compromising cryptocurrency wallets by harvesting knowledge from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases tied to greater than a dozen wallets. The assault targets the consumer’s native belief layer, the place saved passwords, authenticated classes and pockets recordsdata can grow to be sufficient for attackers to maneuver from machine entry towards account takeover.
Telegram classes grow to be the attacker’s bridge to wallets
The malware doesn’t depend on a single path. After amassing credentials and session knowledge, attackers can copy authenticated Telegram Desktop classes, pockets databases and browser pockets extension knowledge, then try offline decryption utilizing passwords stolen from the contaminated Mac. SlowMist additionally reproduced a second tactic: changing authentic Ledger Dwell and Trezor Suite functions with pretend variations designed to trick victims into getting into restoration phrases. The marketing campaign combines credential theft with phishing infrastructure, making it harmful even when personal keys are usually not instantly uncovered in plain textual content.

The Telegram angle is very troubling as a result of two-step verification might not cease the compromise. SlowMist’s testing restored stolen Telegram Desktop session knowledge on one other Mac without having a cellphone quantity, verification code or two-step verification password. Which means the attacker is just not making a recent login. They’re reusing a trusted native session already authorized by the sufferer’s machine. Session hijacking bypasses the consolation of login alerts, turning a compromised pc right into a bridge for social engineering, account monitoring and follow-on pockets assaults.
The pockets checklist reveals how vast the sweep is. The malware targets software program wallets together with Exodus, Atomic, Electrum, Wasabi and Monero, {hardware} pockets apps together with Ledger Dwell and Trezor Suite, and full-node consumer knowledge from Bitcoin Core, Litecoin Core, Sprint Core and Dogecoin Core. For suspected infections, SlowMist recommends terminating present Telegram classes, creating a brand new trusted login, altering the Telegram two-step verification password and Telegram Desktop Passcode, then producing a brand new restoration phrase on a clear machine and transferring property to new addresses. The defensive takeaway is uncompromising, as a result of as soon as a Mac is contaminated, rotating passwords alone will not be sufficient to guard wallets, classes and seed phrases throughout any critical pockets incident response.

