
NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

Medium
Published: Fri Nov 14 2025 (11/14/2025, 12:04:55 UTC)
Source: AlienVault OTX General

Description

NovaStealer is a macOS-targeting cryptostealer malware that uses bash scripts to establish persistence and execute malicious modules. It installs itself in the ~/.mdrivers directory, uses screen sessions for stealthy background execution, and employs LaunchAgents to maintain persistence. The malware exfiltrates cryptocurrency wallet data, collects system information, and replaces legitimate wallet applications with malicious versions. It also uses WebKit to render phishing pages and tracks user behavior to increase effectiveness. While not highly sophisticated, its modular design allows remote updates, making it adaptable and persistent. The malware does not require prior authentication but relies on user interaction for initial infection, such as phishing. There are no known exploits in the wild yet, but the threat is notable due to its focus on valuable crypto assets on macOS systems.

AI-Powered Analysis

Last updated: 11/14/2025, 12:46:26 UTC

Technical Analysis

NovaStealer is a modular cryptostealer malware specifically targeting macOS users, focusing on stealing cryptocurrency wallet data. It uses a bash-based script to install itself in the hidden ~/.mdrivers directory, leveraging screen sessions to run malicious modules in the background without user detection. Persistence is achieved through the creation of a LaunchAgent plist, which ensures the malware executes on system startup. The malware collects detailed system information and replaces legitimate wallet applications with malicious versions to intercept user credentials and crypto transactions. Additionally, it uses WebKit to render phishing pages locally, enhancing the likelihood of credential theft by mimicking legitimate wallet interfaces. User behavior tracking is employed to optimize phishing and data exfiltration activities. The modular architecture allows the threat actor to remotely update components, adding flexibility and longevity to the campaign. Despite lacking advanced evasion techniques, the malware’s focus on cryptocurrency wallets—a high-value target—makes it a significant threat. No CVE or public exploit references exist, and it is not currently known to be widespread, but its presence in the macOS ecosystem is concerning given the increasing adoption of Apple devices and cryptocurrency in Europe.

Potential Impact

For European organizations, especially those with employees or executives using macOS devices for cryptocurrency management or development, NovaStealer poses a significant risk of financial loss through theft of crypto assets. The malware’s ability to replace legitimate wallet applications can lead to undetected credential compromise and unauthorized transactions. The collection of system information may also expose sensitive corporate data or user privacy details. Organizations in fintech, cryptocurrency exchanges, and blockchain development sectors are particularly vulnerable. The persistence mechanisms and modular updates increase the difficulty of detection and removal, potentially leading to prolonged exposure. Given the growing adoption of macOS devices in European enterprises and the increasing interest in cryptocurrencies, the malware could impact both individual users and corporate environments, undermining trust and causing reputational damage. Additionally, phishing components may facilitate broader social engineering attacks within organizations.

Mitigation Recommendations

European organizations should implement macOS-specific endpoint detection and response (EDR) solutions capable of monitoring LaunchAgents and unusual use of screen sessions. Regular audits of user LaunchAgents and hidden directories like ~/.mdrivers should be conducted to detect unauthorized persistence mechanisms. Employ application whitelisting to prevent execution of unauthorized scripts and binaries, particularly those attempting to replace wallet applications. Educate users on phishing risks, emphasizing the dangers of interacting with suspicious links or applications, especially those related to cryptocurrency. Deploy network monitoring to detect unusual outbound connections indicative of data exfiltration. Use strong multi-factor authentication (MFA) for cryptocurrency wallets and related services to reduce the impact of credential theft. Encourage users to verify wallet application integrity via official sources and hashes. Maintain up-to-date backups of critical data and wallet keys in secure offline storage. Finally, monitor threat intelligence feeds for updates on NovaStealer and related indicators of compromise (IOCs) to enable timely detection and response.
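The audit step above (reviewing user LaunchAgents and hidden directories such as ~/.mdrivers, and watching for `screen`-based background execution) can be scripted. The following POSIX shell script is an added example written for this page; it is not code from the advisory or from the referenced post. It flags any LaunchAgent plist whose program arguments point into a dot-directory under a home folder or invoke `screen`, reports whether ~/.mdrivers exists, and includes a constructed sample directory (not real malware) so the logic can be exercised offline. Only the ~/.mdrivers path comes from the advisory; all function names, file names and sample plist contents are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a user's LaunchAgents for
# plists referencing a hidden home directory (the advisory names ~/.mdrivers)
# or the `screen` utility, and check whether ~/.mdrivers exists.
# Function and file names are illustrative assumptions.

# Print "SUSPICIOUS: <plist>" for each plist in directory $1 whose <string>
# values contain a "/.name/" path component or a `screen` executable.
# Flagged files are candidates for manual review, not confirmed malicious:
# some legitimate agents also reference dot-directories.
audit_launchagents() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit: no such directory: $dir" >&2
        return 0
    fi
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # ERE: either a dot-directory component, or a string that is exactly
        # "screen" or a path ending in "/screen".
        if grep -Eq '<string>([^<]*/\.[A-Za-z0-9_-]+/|([^<]*/)?screen</string>)' "$plist"; then
            echo "SUSPICIOUS: $plist"
        fi
    done
}

# Print PRESENT/absent for the ~/.mdrivers directory under $1 (default: $HOME).
check_hidden_dir() {
    home="${1:-$HOME}"
    if [ -d "$home/.mdrivers" ]; then
        echo "PRESENT: $home/.mdrivers"
    else
        echo "absent: $home/.mdrivers"
    fi
}

# Build a constructed sample (one suspicious, one benign plist) in a temp
# directory so the audit can be demonstrated offline; prints the directory.
make_sample_dir() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/LaunchAgents"
    cat > "$tmp/LaunchAgents/com.example.suspicious.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspicious</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/screen</string>
    <string>/Users/alice/.mdrivers/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$tmp/LaunchAgents/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/Example</string>
  </array>
</dict></plist>
EOF
    echo "$tmp"
}

# Usage: sh audit.sh          -> audit this user's own LaunchAgents and home
#        sh audit.sh --demo   -> run against the constructed sample instead
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    audit_launchagents "$sample/LaunchAgents"
    check_hidden_dir "$sample"
    rm -rf "$sample"
else
    audit_launchagents "$HOME/Library/LaunchAgents"
    check_hidden_dir
fi
```

On a fleet, run the real mode per user account and forward the SUSPICIOUS lines and any PRESENT result to the EDR or SIEM; a hit on a dot-directory alone should be triaged against the known-good agents for that host rather than treated as a confirmed infection.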


Technical Details

Author
AlienVault
TLP
white
References
https://bruceketta.space/posts/nova-script-251110/
Adversary
null
Pulse Id
69171ae7e2bde9216bb457d4
Threat Score
null

Indicators of Compromise

Hash

Value
0f545ef0804f837ee172bdbd37184a48915cac5e8f6cbf5aa310160d2cff5c37
470d0df78818cab01970927fa7b076d723530efa4d8bacc580e95e24c2724cd1
480e8e46bf171c2ca2e7243386f793d205bc077e0eb9558d64d52ba3f18b96ab
8e655bff39e42f6a6f694f481ed476319c54f0595ad33392fc2ff7243f2f2843
a963b903353ff7027c95e19edb4cb89aa1680ce3d325aae53f78a437056ae8b7
b21c9c5e0a67f7ce3a031d0a6d08926e840af180eb616bee2e54d9c49b2c3da8
f3a7ce69a05da9b1faa6323f1ff7c5366d9a155212e391d13faaf84d4f23e20f

Threat ID: 69172119dd0733879bf23f98

Added to database: 11/14/2025, 12:31:21 PM

Last enriched: 11/14/2025, 12:46:26 PM

Last updated: 11/15/2025, 6:40:42 AM
