Executive Summary
Banshee is a stealer that targets macOS systems. The latest variant of Banshee uses a string encryption algorithm that is the same as the one used in Apple’s XProtect antivirus engine for macOS systems.
Key Takeaways
- Banshee is a stealer that targets macOS systems.
- Banshee is capable of stealing browser and login credentials, cryptocurrency wallets, and other sensitive information.
- Banshee is distributed primarily via phishing websites and malicious GitHub repositories.
- The latest variant of Banshee uses a string encryption algorithm that is the same as the one used in Apple’s XProtect antivirus engine for macOS systems.
What is Banshee?
Banshee is a stealer that targets macOS systems. It has been active since at least July 2024 and has been linked to Russian-speaking threat actors. Check Point Research has published reporting on Banshee.
At least two versions of Banshee have been observed in the wild. The original version of Banshee was leaked on XSS forums. The newer version of Banshee remained undetected for over two months before being discovered. Check Point Research noted a difference between the leaked source code and the newer Banshee variant: the newer variant uses a string encryption algorithm that is the same as the one used in Apple’s XProtect antivirus engine for macOS systems. Banshee managed to evade detection until its source code was leaked on XSS forums, which allowed security vendors to create detections for it.
Banshee targets macOS devices and is capable of stealing browser and login credentials, cryptocurrency wallets, and other sensitive information. Banshee can steal credentials from multiple browsers, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera. Crypto wallets targeted by Banshee include Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. Banshee also attempts to steal the user’s macOS password.
Banshee is distributed primarily via phishing websites and malicious GitHub repositories. In some distribution campaigns, both Windows and macOS users were targeted, with Lumma stealer delivered to Windows machines and Banshee delivered to macOS machines. Banshee continues to be distributed via phishing websites, disguised as legitimate software.
Banshee initially operated as a stealer-as-a-service. It was advertised on Telegram and underground forums and cost $3,000 USD. However, following the source code’s leak in November, the threat actor responsible for Banshee reportedly ceased operations. While Banshee no longer operates under an as-a-service model, other threat actors have continued to distribute it, so it remains a viable threat. Additionally, other threat actors could create new variants based on the original Banshee source code.
IOCs
PolySwarm has multiple samples of Banshee.
Ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038
d04f71711e7749a4ff193843ae9ce852c581e55eaf29b8eec5b36c4b9c8699c2
You can use the following CLI command to search for all Banshee samples in our portal:
$ polyswarm link list -f Banshee