NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?
Essential information
- Published: 14/11/2025 12:04
- Modified: 14/11/2025 12:44
- Tags: 2025-11-14 bash cryptostealer macos modular novastealer persistence phishing wallet-targeting
- Related entities: 7 observables, 1 malware
Description
A cryptostealer for macOS uses a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, runs its components in the background inside screen sessions, and uses a LaunchAgent for persistence. It exfiltrates crypto wallet data, collects system information, and replaces legitimate wallet applications with malicious versions. The threat actor employs clever techniques such as using WebKit to render phishing pages and tracking user behavior. While not highly sophisticated, the modular design and the ability to update components remotely make it a noteworthy threat.
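A quick defender-side check for the persistence traits described above (a LaunchAgent whose program arguments point into ~/.mdrivers or wrap the payload in a screen session). This is an added example, not code from the report or the malware; the two plists it scans are constructed inline, and the helper script name is an assumption.

```shell
#!/bin/sh
# scan_launchagents DIR: print every LaunchAgent plist under DIR whose
# contents reference the ~/.mdrivers install directory or a `screen`
# binary; returns 0 if at least one matched, 1 otherwise.
scan_launchagents() {
    dir="$1"
    found=1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # ".mdrivers" is the install path named in the report; the screen
        # pattern matches "screen" as a program name, not e.g. "screenshot".
        if grep -Eq '\.mdrivers|[^A-Za-z]screen[^A-Za-z]' "$plist"; then
            echo "suspicious LaunchAgent: $plist"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample plists so the script runs offline; not real samples.
demo_dir=$(mktemp -d)
cat > "$demo_dir/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
cat > "$demo_dir/com.example.suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspect</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/Users/demo/.mdrivers/helper.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF

# On a real host: scan_launchagents "$HOME/Library/LaunchAgents"
scan_launchagents "$demo_dir"
```

Only the constructed suspect plist is reported; the benign one is not.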