Banshee macOS Stealer Source Code Released to the Public
The source code for Banshee, a macOS infostealer that appeared earlier this year and was sold on the dark web for $3,000 per month, has been leaked online. As a result, the Banshee operation has reportedly ceased. The leak was first reported by researchers at Vx-Underground, who also noted that following the incident the operators of the MaaS (Malware-as-a-Service) platform announced the shutdown of all operations.
Details of the Leak
It is still unknown who leaked the source code or why, but experts believe it may have been a disgruntled former client of the hackers. The Banshee stealer for macOS was first discovered in August 2024. At that time, analysts from Elastic Security Labs reported that it supported both the x86_64 and ARM64 architectures and targeted a wide range of browsers, cryptocurrency wallets, and about 100 browser extensions.
How Banshee Operated
Typically, the malware stole cookies, credentials, and browsing history from infected systems (although from Safari it could only collect cookies). Banshee was also capable of gathering system information and data from iCloud Keychain and Notes, and it could detect whether it was running in a virtual environment.
It is believed that Banshee was developed by Russian-speaking cybercriminals, as it used the CFLocaleCopyPreferredLanguages API to avoid attacking systems where Russian was set as the primary language.
Impact and Distribution
It remains unclear how many systems were ultimately affected by Banshee attacks or what methods were used to distribute the malware, especially since deploying malicious software on macOS is generally more complex than on Windows.