SlowMist Warns macOS Users: MacSync Stealer Hijacks Telegram Sessions and Drains Crypto Wallets
SlowMist's MistEye system detected MacSync Stealer, a macOS infostealer that hijacks Telegram sessions, decrypts crypto wallets, and harvests seed phrases via fake app prompts.
SlowMist’s MistEye security monitoring system has caught a macOS infostealer — dubbed MacSync Stealer — that hijacks Telegram sessions and strips cryptocurrency wallets bare, and it’s an immediate problem for anyone running crypto on Apple hardware. The malware, documented in a SlowMist technical analysis, rides in through ClickFix-style malvertising and fake application download pages, including counterfeit Claude AI assistant sites that manipulate users into executing the payload themselves. You do the damage. The page just tells you to.
The Telegram angle is what separates this from a standard credential grab. Session-token theft doesn’t care about your password or your 2FA code — an attacker holding a valid session token walks straight into your account without touching either, and from there it’s a short trip to social-engineering your contacts, resetting linked services, or impersonating you in the crypto DMs where real money changes hands.
Two Tracks on the Crypto Side
First, the malware decrypts cryptocurrency wallets stored on the infected machine, exposing private keys and balances directly. Second — and this is what catches people who think they’re being careful — fake application prompts ask users to manually type in their wallet seed or recovery phrase, harvesting those words for immediate takeover. Twelve or twenty-four words entered into a prompt triggered by untrusted software is a complete handover of funds, full stop. Cyberpress reports that MacSync Stealer vacuums up credentials broadly, not just Telegram data; it’s a general-purpose infostealer with a crypto-focused payload bolted on top.
The macOS Problem
Both Jamf and SlowMist have flagged a MacSync variant that evades Apple’s built-in defenses — worth sitting with for anyone who has long treated the platform as inherently safer than Windows for crypto activity. The campaign deploys AppleScript-based techniques, consistent with research published by Netskope Threat Labs in April 2026 documenting macOS ClickFix lures that drop an AppleScript stealer with persistent remote-access capabilities. The “Macs don’t get malware” era is over.
Market Conditions Amplify the Risk
Market conditions right now are exactly the environment this kind of attack is engineered for. The Fear & Greed Index sits at 27/100 — deep in Fear territory — with BBTC$64,025.00▼0.04% trading at $62,832, down 1.87% over 24 hours, and total crypto market capitalization at $2,246.99B, off 1.7% on the day. Anxious holders scrolling for yield, airdrops, or any tool promising an edge are precisely the demographic that ClickFix lures and fake download pages are built to catch. Prices sliding, sentiment sour, and a fake Claude download page promising AI-powered trading insights sitting one click away — that’s the scenario MacSync Stealer is constructed around.
A Functioning Commercial Market for macOS Stealers
None of this is new territory, either. The earlier Atomic macOS Stealer — AMOS — sold on Telegram for $1,000 a month and targeted keychain passwords, system information, and crypto wallet data, and it proved there is a functioning commercial market for macOS-specific crypto stealers, with developers licensing access to affiliates who push the malware through phishing and malvertising. MacSync Stealer fits the same template: capable, multi-vector, and optimized to monetize a compromised machine fast.
The attack surface stretches well beyond macOS. A Florida man was recently indicted in a case involving crypto-stealing malware hidden inside Steam games — a reminder that threat actors are spreading across every platform where crypto holders can be lured into running untrusted code: gaming clients, productivity tools, AI assistants, all of it. The Mallory AI analysis of MacSync Stealer makes the same point: attackers don’t need exotic zero-days anymore. Users will voluntarily download and execute malicious software if the lure is convincing enough. That’s the whole play.
Defensive Posture for macOS Crypto Holders
Defensive posture for macOS crypto holders is simple to state and hard to maintain. Never type a recovery phrase into any application prompt — never, not once, not for any reason. Treat every download page reached through an ad, a Telegram LLINK$8.22▼1.82%, a Discord message, or an X post as untrusted until you’ve independently verified the source; pull applications only from official developer sites or the Mac App Store. And move fast if something looks wrong — a compromised Telegram session can be weaponized within minutes to target contacts for secondary wallet takeovers, so rapid session revocation matters more than most people realize.
SlowMist’s disclosure includes no victim counts and no figure for total assets stolen through MacSync Stealer. What the research does lay out clearly is the methodology: fake download pages, session-token theft, wallet decryption, seed-phrase phishing, all packaged in a form that gets past macOS defenses. The next development to watch is whether Apple pushes a detection update for the MacSync variant flagged by Jamf and SlowMist, and whether additional security vendors confirm the campaign’s reach as indicators of compromise circulate through the threat-intelligence community.