Image: Iru
A bizarre new threat has emerged on the macOS landscape, one that relies on a classic misconception to trick users into compromising their own systems. On January 6, 2026, security researcher Calvin So at Iru uncovered a suspicious Mach-O binary masquerading as a Windows executable. Dubbed MonetaStealer, this malware is a Mac application dressed up as a Windows file—designed to plunder cryptocurrency wallets, browser secrets, and keychain data.
The malware arrives with the filename Portfolio_Review.exe. For many macOS users, seeing a .exe file usually signals safety—Windows executables simply don’t run on Macs without specific translation software. However, Iru’s analysis reveals this file is actually an unsigned Mach-O binary.
“Portfolio_Review.exe is an unsigned Mach-O binary that uses a deceptive .exe extension to mislead macOS users. This naming convention exploits a common misconception that Windows executables are harmless to Mac systems.”
Under the hood, the malware uses PyInstaller to bundle a Python environment. The malicious logic is hidden inside a compressed file named portfolio_app.pyc. Because these files remain bundled until execution, “they bypass basic static file scanners that only inspect the surface-level Mach-O structure.”
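The two observations above (a Mach-O hidden behind a .exe extension, and a PyInstaller payload that surface-level scanners miss) both come down to reading the file header instead of trusting the name. The following triage helper is an added example, not Iru's tooling or anything from the sample; it classifies a file by its magic bytes, compares that with what the extension implies, and looks for the PyInstaller archive cookie that the bundler writes into every one-file build. The sample bytes at the bottom are constructed for the demo, not the real MonetaStealer binary.

```python
"""Flag files whose extension disagrees with the executable format in their header.

Hypothetical triage helper (added example). Usage: python triage.py <file> [...]
With no arguments it runs on a constructed sample.
"""
import os
import struct
import sys

# Mach-O magic numbers from <mach-o/loader.h> and <mach-o/fat.h>
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit, big-endian)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, little-endian)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64 (64-bit, big-endian)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 (64-bit, little-endian)
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java class magic
PE_MAGIC = b"MZ"                 # DOS stub header that every Windows PE starts with
# Cookie PyInstaller stores with its embedded archive (CArchive MAGIC).
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
WINDOWS_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def classify_bytes(data: bytes) -> str:
    """Return 'macho', 'pe' or 'unknown' based on the leading bytes only."""
    head = data[:4]
    if head == FAT_MAGIC:
        # Disambiguate from Java: a fat header is followed by nfat_arch (a small
        # count), a class file by a version number that is never below 45.
        nfat = struct.unpack(">I", data[4:8])[0] if len(data) >= 8 else 0
        return "macho" if 0 < nfat < 45 else "unknown"
    if head in MACHO_MAGICS:
        return "macho"
    if data[:2] == PE_MAGIC:
        return "pe"
    return "unknown"


def expected_from_extension(filename: str) -> str:
    """What a user (or a naive filter) would assume from the name alone."""
    ext = os.path.splitext(filename)[1].lower()
    return "pe" if ext in WINDOWS_EXTENSIONS else "unknown"


def analyze(filename: str, data: bytes) -> dict:
    """Compare the format claimed by the extension with the real header."""
    actual = classify_bytes(data)
    expected = expected_from_extension(filename)
    return {
        "file": filename,
        "extension_claims": expected,
        "header_says": actual,
        # Only a hard contradiction counts; unknown formats are not mismatches.
        "mismatch": "unknown" not in (expected, actual) and expected != actual,
        "pyinstaller_bundle": PYINSTALLER_COOKIE in data,
    }


def analyze_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze(os.path.basename(path), fh.read())


# Constructed sample: a 64-bit little-endian Mach-O header padded out and
# followed by a PyInstaller cookie, under the filename the article reports.
SAMPLE_NAME = "Portfolio_Review.exe"
SAMPLE_DATA = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + PYINSTALLER_COOKIE + b"\x00" * 16


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [analyze_file(p) for p in paths] if paths else [analyze(SAMPLE_NAME, SAMPLE_DATA)]
    for r in results:
        verdict = "SUSPICIOUS" if r["mismatch"] else "ok"
        print(f"{verdict:10} {r['file']}: extension={r['extension_claims']} "
              f"header={r['header_says']} pyinstaller={r['pyinstaller_bundle']}")
```

The cookie search is deliberately a plain substring match over the whole file: PyInstaller places the cookie near the end of the bootloader's appended archive, so a scanner that stops after parsing the Mach-O load commands will never see it, which is exactly the blind spot the article describes.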
Upon decompilation, the code reveals a mix of Russian-language comments and what appears to be AI-generated structure. The script boldly announces itself with the print line: PROFESSIONAL MACOS STEALER v2.0.
Despite the bravado, the malware appears to be in its infancy. “Researchers believe it is still in its very early development phase and relies heavily on AI code,” the analysis notes. This “early phase” status makes it particularly dangerous for detection engines; essentially, it is too new to have a signature.
“MonetaStealer maintains a zero-detection rate on VirusTotal as of the time of writing.”
Once executed, MonetaStealer aggressively targets high-value data. It specifically checks if it is running on darwin (macOS) before launching its modules.
1. Browser Data: The malware focuses on Google Chrome, aiming to extract passwords, cookies, and history. It uses a clever technique to avoid corrupting the browser’s operation while stealing data.
2. Cryptocurrency Wallets: The script crawls standard directories like ~/Documents and ~/Library/Application Support hunting for wallets including Metamask, Exodus, Electrum, Phantom, and Binance. It scans files for seed phrases and private keys using regex patterns.
3. System Secrets: Perhaps most intriguingly, the malware attempts to loot the macOS Keychain and Wi-Fi credentials. It runs the native command security find-generic-password to retrieve Wi-Fi passwords and dumps the keychain searching for keywords like “crypto,” “bank,” and “paypal.”
The system will prompt the user for their login password to authorize access to the keychain—a “security wants to use your confidential information” popup that might alert savvy users.
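Because the keychain theft goes through the stock /usr/bin/security tool rather than custom code, process-execution telemetry is the natural place to catch it: the interesting signal is not the command itself, which administrators run from a shell every day, but who launched it. The detection below is an added example and not part of Iru's analysis; it assumes an EDR or audit pipeline that emits one JSON process-exec event per line with the fields used here (ts, user, exe, parent_exe, args), and the sample events are constructed for the demo. It alerts when a keychain-reading subcommand is spawned by a script interpreter or from a user-writable path such as a Downloads folder, which is where a PyInstaller bootloader named Portfolio_Review.exe would appear as the parent.

```python
"""Alert on keychain-reading 'security' invocations with untrusted parents.

Added example. Assumes JSON-lines process-exec events; field names are
assumptions, not a specific vendor's schema.
"""
import json
import os

# Subcommands of /usr/bin/security that return stored secrets. The article
# reports find-generic-password (Wi-Fi passwords) and a keychain dump.
KEYCHAIN_READ_SUBCOMMANDS = {"find-generic-password", "dump-keychain"}
# A PyInstaller payload runs under Python, and a downloaded bundle lives
# in a user-writable location; neither is a normal parent for security(1).
USER_WRITABLE_PREFIXES = (
    "/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/",
)


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_event(ev: dict):
    """Return a reason string if the event is suspicious, otherwise None."""
    if os.path.basename(ev.get("exe", "")) != "security":
        return None
    hit = set(ev.get("args", [])) & KEYCHAIN_READ_SUBCOMMANDS
    if not hit:
        return None
    sub = sorted(hit)[0]
    parent = ev.get("parent_exe", "")
    if os.path.basename(parent).startswith("python"):
        return f"{sub} spawned by interpreter {parent}"
    if parent.startswith(USER_WRITABLE_PREFIXES):
        return f"{sub} spawned from user-writable path {parent}"
    # An interactive shell or a system-owned parent: keep for audit, no alert.
    return None


def detect(events: list) -> list:
    """Run the rule over every event and collect alerts."""
    alerts = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            alerts.append({
                "ts": ev.get("ts"),
                "user": ev.get("user"),
                "parent": ev.get("parent_exe"),
                "reason": reason,
            })
    return alerts


# Constructed sample telemetry (not captured from the real sample).
SAMPLE_LOG = """\
{"ts": "2026-01-06T10:01:00Z", "user": "jane", "exe": "/usr/bin/security", "parent_exe": "/bin/zsh", "args": ["security", "find-generic-password", "-l", "HomeWiFi"]}
{"ts": "2026-01-06T10:05:12Z", "user": "jane", "exe": "/usr/bin/security", "parent_exe": "/Users/jane/Downloads/Portfolio_Review.exe", "args": ["security", "find-generic-password", "-l", "HomeWiFi"]}
{"ts": "2026-01-06T10:05:13Z", "user": "jane", "exe": "/usr/bin/security", "parent_exe": "/Users/jane/Downloads/Portfolio_Review.exe", "args": ["security", "dump-keychain"]}
{"ts": "2026-01-06T10:05:14Z", "user": "jane", "exe": "/bin/ls", "parent_exe": "/bin/zsh", "args": ["ls", "-la"]}
{"ts": "2026-01-06T10:07:40Z", "user": "jane", "exe": "/usr/bin/security", "parent_exe": "/usr/bin/python3", "args": ["security", "find-generic-password", "-l", "HomeWiFi"]}
"""


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"[{alert['ts']}] user={alert['user']} {alert['reason']}")
```

The first sample line, an administrator running the same subcommand from zsh, produces no alert, which keeps the rule usable on fleets where scripted keychain access is routine. Pair it with the user-facing signal the article mentions: an unexpected “security wants to use your confidential information” prompt is the same event seen from the other side.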

Interestingly, Iru researchers also found a Windows version of the malware, also named Portfolio_review.exe. This variant was intended to display a fake “Portfolio” using the Tkinter library to deceive recruiters, likely as a distraction while the malware ran in the background. However, due to “dead logic and placeholders,” this version currently “does not run.”
MonetaStealer represents a growing trend of “Malware-as-a-Service” operations targeting macOS, leveraging cross-platform languages like Python to lower the barrier to entry. While this specific sample relies on social engineering and user permission prompts to succeed, its zero-detection rate serves as a stark reminder: never trust a file extension, and always scrutinize unexpected password prompts.