A new macOS stealer campaign, internally dubbed "Nova" by researchers, has been uncovered by reverse engineer Bruce, revealing a modular malware ecosystem designed to exfiltrate cryptocurrency wallets, harvest system telemetry, and silently replace Ledger and Trezor apps with phishing clones.
According to the analysis, the attack begins with an unknown dropper that silently executes a malicious installer script named mdriversinstall.sh. As Bruce writes, "An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence."
From there, the malware establishes persistence, deploys a modular orchestrator, fetches additional Base64-encoded scripts from its command-and-control (C2) server, and runs them in detached screen sessions, a behavior rarely seen in macOS malware.
Once installed, the orchestrator repeatedly communicates with the attacker's backend to retrieve malicious modules.
Bruce notes, "This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background."
This architecture allows the operator to add, update, or remove functionality without reinfecting systems. As the report explains, "This modular approach allows the operator to easily add, remove, or update malicious capabilities on the fly."
The malware even checks for existing screen sessions before applying updates, cleanly killing and restarting modules as needed.
The C2 currently serves four modules:
1. mdriversfiles.sh: Crypto Wallet Exfiltration
This module is dedicated to stealing cryptocurrency data. According to the report, it exfiltrates:
- Trezor Suite IndexedDB logs
- Exodus files such as passphrase.json and seed.seco
- Ledger Live's app.json
As Bruce states, "For each found file it POSTs the raw file to the C2 in binary form… adding the User_ID as header."
2. mdriversmetrics.sh: System and Application Profiling
The malware collects extensive telemetry, including:
- Installed apps
- Running processes
- Wallet-related checks
- Modification time of its own components
The report notes that this module "collects and curls a bunch of data about the system and its usage."
3. mdriversswaps.sh: Wallet App Replacement (Phishing Swap Attack)
The most alarming capability involves replacing the real Ledger Live.app and Trezor Suite.app with attacker-controlled fakes.
Bruce highlights the growing trend: "Apparently, swapping crypto wallet apps to gather seed phrases is becoming a new trend in macOS stealers developers."
The module:
- Deletes the legitimate apps
- Edits Dock and Launchpad entries
- Downloads malicious replacement apps from attacker servers
- Persists them under user-writable directories
This ensures victims unknowingly launch the phishing apps.
4. mdriversusers.sh: Future User-Specific Abuse
Currently minimal, this module "loads USER_ID and periodically sleeps… maybe the plan is to use this in the future for specific users."
The replacement apps, unsigned Swift applications using WebKit, are nearly identical, each embedding a WebView that loads a phishing page.
The phishing pages use:
- BIP-39 and SLIP-39 wordlists for auto-validation
- Auto-advance UX to simulate legitimate wallet recovery flows
- Auto-submit telemetry, sending partial seed phrases as the user types
- Continuous activity tracking via /track endpoints
The report explains, "Any keypress sends whatever has been typed so far; this lets the server reconstruct phrases as the user types and obviates the need for a final 'submit.'"
Even subtle interactions, such as hover events and mouse movements, are logged: "Clicks are POSTed to /track… online activity every 10 seconds."
This level of telemetry enables attackers to reconstruct seed phrases, passphrases, and user behavior.
Despite its modular design and persistence mechanism, Bruce points out the malware is not especially stealthy: "It's not a complex threat… the fact that it leaves artifacts on the disk makes it easily detectable, but still interesting for some design choices."
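As an added example (not part of Bruce's report), a shell check a defender could run on a Mac for the on-disk artifacts the article lists: the ~/.mdrivers tree with its dropped module scripts, a LaunchAgent carrying the application.com.artificialintelligence label, and wallet apps sitting under the home directory rather than /Applications. The article does not give the exact path the swapped apps persist to, so searching the home tree for them is an assumption.

```sh
#!/bin/sh
# Added example (not from the report): a host check for the on-disk artifacts
# the article lists for this campaign. Paths and the LaunchAgent label are
# taken from the article; the wallet-app location check is an assumption.

# nova_scan HOME_DIR
# Prints one FINDING line per artifact and returns the number of findings
# as its exit status (0 means nothing was found).
nova_scan() {
  home="$1"
  hits=0

  # 1. Orchestrator directory and any dropped module scripts beneath it.
  if [ -d "$home/.mdrivers" ]; then
    echo "FINDING: orchestrator directory present: $home/.mdrivers"
    hits=$((hits + 1))
    for f in "$home"/.mdrivers/scripts/*.sh; do
      [ -f "$f" ] || continue
      echo "FINDING: dropped module script: $f"
      hits=$((hits + 1))
    done
  fi

  # 2. A LaunchAgent carrying the label the report names.
  for plist in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$plist" ] || continue
    if grep -q 'application.com.artificialintelligence' "$plist"; then
      echo "FINDING: suspicious LaunchAgent: $plist"
      hits=$((hits + 1))
    fi
  done

  # 3. Wallet apps under the home tree instead of /Applications. The article
  #    says the fakes persist in user-writable directories but gives no exact
  #    path, so a shallow search of the home directory is our assumption.
  apps=$(find "$home" -maxdepth 3 -type d \
         \( -name 'Ledger Live.app' -o -name 'Trezor Suite.app' \) 2>/dev/null)
  if [ -n "$apps" ]; then
    printf '%s\n' "$apps" | while IFS= read -r app; do
      echo "FINDING: wallet app outside /Applications: $app"
    done
    hits=$((hits + $(printf '%s\n' "$apps" | wc -l)))
  fi

  return "$hits"
}

# Scan the given directory, or the current user's home when none is passed.
nova_scan "${1:-$HOME}"
```

Pair this with a check of `screen -ls` for detached sessions owned by the user, since the orchestrator runs its modules that way; a positive exit status from the script is a cue to collect ~/.mdrivers before remediating.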
However, its ability to replace trusted wallet applications, paired with live phishing pages controlled remotely, makes the threat highly dangerous for cryptocurrency holders.