MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
A macOS infostealer can hijack Telegram Desktop sessions and steal cryptocurrency wallet data. It pulls secrets from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop, and databases from many crypto wallets. After collecting passwords and authenticated sessions, it can copy Telegram session files, wallet databases, and browser extension data. With the stolen data, attackers may decrypt wallet databases offline using harvested passwords or swap legitimate Ledger and Trezor apps with fake versions to trick users into revealing recovery phrases. The malware targets popular software wallets like Exodus, Atomic, Electrum, Wasabi, and Monero, plus hardware-wallet apps and full-node clients such as Bitcoin Core and Litecoin Core. Telegram two-step verification does not stop the attack because the malware reuses an existing local session. Recommended defenses include ending all Telegram sessions, creating a new trusted login, changing Telegram passwords and passcodes, and moving funds to new wallets created on a clean device.
