
Kandji’s Threat Research team has uncovered a potential new macOS stealer named “Purrglar.” This malware, uploaded to VirusTotal in early January 2025, appears to be in development but demonstrates alarming capabilities, including exfiltrating sensitive Chrome and Exodus wallet data and querying the macOS Keychain.
Unlike traditional ransomware or viruses, stealers are stealth-focused malware designed to silently harvest sensitive data. Kandji emphasizes, “These malicious programs are highly focused on gathering personal information, usually to be sold or used for further criminal activity.” Purrglar fits this description, targeting Chrome browser cookies, saved passwords, and Exodus cryptocurrency wallet files.
One feature of Purrglar is its use of macOS’s Security Framework APIs to query the Keychain for Chrome credentials. The analysis notes that if the user inputs their password, the stealer activity will continue. If access is denied, the malware prompts again with a custom error message to coax the user into compliance.

Key components of Purrglar’s functionality include:
- Keychain Exploitation: Purrglar queries the macOS Keychain for Chrome Safe Storage and Exodus credentials using security APIs. If successful, it retrieves encryption keys, granting access to sensitive user data.
- Localhost Exfiltration: The stealer uploads captured data to a localhost server (http://localhost:8000/api), indicating that the malware might still be in its development phase. The stolen files include:
  - Chrome cookies and saved passwords.
  - Exodus wallet files, such as passphrase.json, seed.seco, and storage.seco.
- Curl-Driven File Uploads: The malware uses Curl APIs to send stolen files to designated paths. Kandji notes that each file is uploaded as a multipart/form-data object, ensuring seamless exfiltration while maintaining stealth.
While Purrglar appears to be in a testing stage—evidenced by its use of a localhost server—it still presents a significant risk. Kandji explains, “It is unclear if this application is currently in a development phase… however, there are some interesting behaviors within this application that we felt would be helpful to cover if this evolves into something more.”
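
One way to correlate the behaviours listed above in endpoint telemetry, added here as an example and not taken from Kandji's analysis: it flags any process outside Chrome or Exodus that touches two or more of the data stores the article names. The event schema, application paths and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Exodus file names and the Keychain service name come from the article; the
# Chrome file names, app paths and event schema are assumptions of this example.
EXODUS_FILES = {"passphrase.json", "seed.seco", "storage.seco"}
CHROME_FILES = {"Cookies", "Login Data"}  # Chrome's cookie and saved-login stores
KEYCHAIN_SERVICE = "Chrome Safe Storage"
CHROME_APP = "/Applications/Google Chrome.app/"
EXODUS_APP = "/Applications/Exodus.app/"

def classify(event):
    """Return the data category a non-owner process touched, else None."""
    proc, target = event["process"], event["target"]
    if event["type"] == "keychain_query":
        if target == KEYCHAIN_SERVICE and not proc.startswith(CHROME_APP):
            return "chrome_keychain_key"
    elif event["type"] == "file_open":
        path = PurePosixPath(target)
        if path.name in EXODUS_FILES and "Exodus" in path.parts:
            return None if proc.startswith(EXODUS_APP) else "exodus_wallet"
        if path.name in CHROME_FILES and "Chrome" in path.parts:
            return None if proc.startswith(CHROME_APP) else "chrome_store"
    return None

def suspicious_processes(events, min_categories=2):
    """Map process -> sorted categories for processes hitting several stores."""
    seen = defaultdict(set)
    for ev in events:
        category = classify(ev)
        if category:
            seen[ev["process"]].add(category)
    return {p: sorted(c) for p, c in seen.items() if len(c) >= min_categories}

# Constructed sample events (hypothetical schema, not real telemetry).
SUPPORT = "/Users/alice/Library/Application Support"
CHROME_BIN = CHROME_APP + "Contents/MacOS/Google Chrome"
SAMPLE_EVENTS = [
    {"process": CHROME_BIN, "type": "file_open", "target": f"{SUPPORT}/Google/Chrome/Default/Cookies"},
    {"process": CHROME_BIN, "type": "keychain_query", "target": KEYCHAIN_SERVICE},
    {"process": "/usr/local/bin/backup_tool", "type": "file_open", "target": f"{SUPPORT}/Google/Chrome/Default/Cookies"},
    {"process": "/private/tmp/sample_app", "type": "keychain_query", "target": KEYCHAIN_SERVICE},
    {"process": "/private/tmp/sample_app", "type": "file_open", "target": f"{SUPPORT}/Google/Chrome/Default/Login Data"},
    {"process": "/private/tmp/sample_app", "type": "file_open", "target": f"{SUPPORT}/Exodus/exodus.wallet/seed.seco"},
]

if __name__ == "__main__":
    for proc, cats in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {', '.join(cats)}")
```

Requiring two categories keeps a single-store reader such as the constructed backup tool out of the alert set while still catching the combined Keychain, browser and wallet access pattern.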