A new macOS stealer campaign—internally dubbed “Nova” by researchers—has been uncovered by reverse engineer Bruce, revealing a modular malware ecosystem designed to exfiltrate cryptocurrency wallets, harvest system telemetry, and silently replace Ledger and Trezor apps with phishing clones.
According to the analysis, the attack begins with an unknown dropper that silently executes a malicious installer script named mdriversinstall.sh. As Bruce writes, “An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence.”
From there, the malware establishes persistence, deploys a modular orchestrator, fetches additional Base64-encoded scripts from its command-and-control (C2) server, and runs them in detached screen sessions—a behavior rarely seen in macOS malware.
Once installed, the orchestrator repeatedly communicates with the attacker’s backend to retrieve malicious modules.
Bruce notes, “This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background.”
This architecture allows the operator to add, update, or remove functionality without reinfecting systems. As the report explains, “This modular approach allows the operator to easily add, remove, or update malicious capabilities on the fly.”
The malware even checks for existing screen sessions before applying updates—cleanly killing and restarting modules as needed.
The C2 currently serves four modules:
1. mdriversfiles.sh — Crypto Wallet Exfiltration
This module is dedicated to stealing cryptocurrency data. According to the report, it exfiltrates:
- Trezor Suite IndexedDB logs
- Exodus files such as passphrase.json and seed.seco
- Ledger Live’s app.json
As Bruce states, “For each found file it POSTs the raw file to the C2 in binary form… adding the User_ID as header.”
2. mdriversmetrics.sh — System and Application Profiling
The malware collects extensive telemetry, including:
- Installed apps
- Running processes
- Wallet-related checks
- Modification time of its own components
The report notes that this module: “collects and curls a bunch of data about the system and its usage.”
3. mdriversswaps.sh — Wallet App Replacement (Phishing Swap Attack)
The most alarming capability involves replacing the real Ledger Live.app and Trezor Suite.app with attacker-controlled fakes.
Bruce highlights the growing trend: “Apparently, swapping crypto wallet apps to gather seed phrases is becoming a new trend in MacOS stealers developers.”
The module:
- Deletes the legitimate apps
- Edits Dock and Launchpad entries
- Downloads malicious replacement apps from attacker servers
- Persists them under user-writable directories
This ensures victims unknowingly launch the phishing apps.
4. mdriversusers.sh — Future User-Specific Abuse
Currently minimal, this module: “loads USER_ID and periodically sleeps… maybe the plan is to use this in the future for specific users.”
The replacement apps—unsigned Swift applications using WebKit—are nearly identical, each embedding a WebView that loads a phishing page.
The phishing pages use:
- BIP-39 and SLIP-39 wordlists for auto-validation
- Auto-advance UX to simulate legitimate wallet recovery flows
- Auto-submit telemetry, sending partial seed phrases as the user types
- Continuous activity tracking via /track endpoints
The report explains, “Any keypress sends whatever has been typed so far; this lets the server reconstruct phrases as the user types and obviates the need for a final ‘submit.’”
Even subtle interactions—hover events, mouse movements—are logged: “Clicks are POSTed to /track… online activity every 10 seconds.”
This level of telemetry enables attackers to reconstruct seed phrases, passphrases, and user behavior.
Despite its modular design and persistent capabilities, Bruce points out the malware is not especially stealthy: “It’s not a complex threat… the fact that it leaves artifacts on the disk makes it easily detectable, but still interesting for some design choices.”
However, its ability to replace trusted wallet applications, paired with live phishing pages controlled remotely, makes the threat highly dangerous for cryptocurrency holders.
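Because the orchestrator, its module scripts, and the LaunchAgent all live on disk under the paths the report names, a defender can hunt for them directly. The script below is an added example, not code from the report or from Bruce: the ~/.mdrivers paths, the mdrivers*.sh module names and the LaunchAgent label come from the article, while the user-writable app locations it checks and the assumption that screen session names reveal the modules are mine.

```shell
#!/bin/sh
# Hunt for on-disk artifacts the report attributes to the "Nova" stealer.
# Added example, not code from the report. The ~/.mdrivers paths, the
# mdrivers*.sh module names and the LaunchAgent label come from the article;
# the user-writable app locations and screen session naming are assumptions.
NOVA_LABEL="application.com.artificialintelligence"

# nova_scan HOME_DIR: prints one line per finding; returns 1 if any, else 0.
nova_scan() {
  home="$1"; found=0
  # 1. orchestrator directory and any dropped module scripts
  if [ -d "$home/.mdrivers" ]; then
    echo "ARTIFACT dir: $home/.mdrivers"; found=1
    for s in "$home"/.mdrivers/scripts/mdrivers*.sh; do
      [ -f "$s" ] && echo "ARTIFACT module: $s"
    done
  fi
  # 2. LaunchAgent plist carrying the reported label
  for p in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$p" ] && grep -q "$NOVA_LABEL" "$p" || continue
    echo "ARTIFACT launchagent: $p"; found=1
  done
  # 3. wallet apps in user-writable places (assumed drop locations for the fakes)
  for app in "Ledger Live.app" "Trezor Suite.app"; do
    for d in "$home/Applications" "$home"; do
      [ -d "$d/$app" ] && { echo "SUSPECT user-writable app: $d/$app"; found=1; }
    done
  done
  return $found
}

# live_checks: macOS-only checks against the running host (not run offline).
live_checks() {
  # modules run in detached screen sessions; assumes the session name shows them
  command -v screen >/dev/null 2>&1 && screen -ls 2>/dev/null | grep -i mdrivers || :
  # the swapped-in apps are unsigned; the genuine ones must pass codesign
  for app in "/Applications/Ledger Live.app" "/Applications/Trezor Suite.app"; do
    if [ -d "$app" ] && ! codesign --verify --deep --strict "$app" 2>/dev/null; then
      echo "SUSPECT signature check failed: $app"
    fi
  done
}

# usage: sh nova_hunt.sh [HOME_DIR]   (live_checks is opt-in: uncomment on macOS)
if nova_scan "${1:-$HOME}"; then echo "clean: no Nova artifacts found"; fi
# live_checks
```

A finding from nova_scan is a strong indicator because none of these paths or labels belong to legitimate software; the live checks add the screen-session and code-signature angles the report describes but only make sense on the affected Mac itself.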