October 14, 2025

Banshee Malware Resurfaces on macOS with Sophisticated Anti-Detection Techniques

Banshee, a notorious macOS malware linked to Russian cybercriminal networks, has made a dangerous comeback. The latest version is designed to bypass Apple’s built-in security systems, making it harder to detect and more effective at stealing sensitive data. Over the years, Banshee has been continuously developed, leaked, and reverse-engineered, evolving into a highly sophisticated threat.

In January 2025, the malware’s creators reduced its price from $3,000 to $1,500, making it more accessible to cybercriminals. Researchers at Check Point published their findings on January 9, revealing that the new Banshee version had gone undetected by most antivirus programs for two months.


What Can the Latest Banshee Do?

The updated Banshee malware is capable of stealing passwords and data from multiple browsers, including Chrome, Edge, Brave, Opera, Vivaldi, and Yandex. Beyond browser credentials, it specifically targets cryptocurrency wallets such as Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. Multi-factor authentication (MFA) browser extensions are also at risk.

Banshee doesn’t stop there—it also collects system data such as external IP addresses, hardware information, and details about installed applications. It can even trick users with fake macOS pop-ups to capture their system passwords.

The malware’s resurgence follows a leak of its source code on the XSS forums. While the stealer-as-a-service operation appeared to shut down after the leak, distribution continued via phishing websites and malicious GitHub repositories.


How Banshee Exploits Apple’s XProtect

XProtect is Apple’s built-in malware detection system, designed to identify and block threats on macOS. It relies on signature-based detection, written as YARA rules, to recognize known malware.

Banshee bypasses this protection by using the same string encryption method employed by XProtect. The malware keeps its strings encrypted on disk and decrypts them only at run time, so a static signature scan never sees the plaintext indicators the rules look for.

Jaron Bradley, Director of Threat Labs at Jamf, explains, “Banshee’s developers monitor antivirus rules closely and adjust their encryption techniques with each iteration, staying one step ahead of security software.”

Ngoc Bui, a cybersecurity expert at Menlo Security, adds that Banshee can even confuse users by mimicking legitimate XProtect operations, making it harder to identify malicious activity.


How Banshee Spreads

Banshee is often distributed through phishing campaigns and malicious GitHub repositories. Cybercriminals frequently pair it with Windows malware like Lumma Stealer, allowing them to target both Mac and Windows users through fake websites.

Despite its advanced capabilities, Banshee still relies on social engineering. Users are tricked into clicking on links, downloading fake software, or visiting compromised websites, which highlights the importance of awareness in preventing infections.


Protecting Your Mac from Banshee

While Banshee is sophisticated, there are effective ways to protect your Mac:

  1. Keep macOS Updated: Ensure your system has the latest XProtect definitions and security patches.

  2. Avoid Suspicious Downloads: Only download apps from trusted sources like the Mac App Store or verified developer websites.

  3. Use Multi-Factor Authentication: Protect accounts and cryptocurrency wallets with MFA.

  4. Check Browser Extensions: Only use trusted extensions and regularly review installed add-ons.

  5. Be Aware of Phishing: Recognize suspicious emails, links, and download prompts.

  6. Enterprise Protections: Organizations should implement endpoint monitoring, threat intelligence, and regular vulnerability scans.
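A way to verify step 1 across a fleet, added here as an example that is not part of the article or of Check Point’s report: a small POSIX shell check that reads the installed XProtect definition and XProtect Remediator versions from their standard bundle paths and compares the definitions against a baseline. `MIN_XPROTECT_VERSION` is an assumed placeholder for the version your environment expects.

```shell
#!/bin/sh
# Added example (not from the article): report installed XProtect versions on a
# Mac and flag definitions that fall below a baseline. Bundle paths are the
# standard locations on current macOS; MIN_XPROTECT_VERSION is a placeholder.

XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
REMEDIATOR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"
MIN_XPROTECT_VERSION="${MIN_XPROTECT_VERSION:-0}"   # assumed baseline, set per fleet

# bundle_version <Info.plist>: print CFBundleShortVersionString, or "unknown"
# when the bundle is absent or `defaults` is unavailable (e.g. not on macOS).
bundle_version() {
    if [ -r "$1" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "$1" CFBundleShortVersionString 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# version_at_least <found> <minimum>: succeed only if <found> is an integer
# greater than or equal to <minimum>. XProtect definition versions are plain
# integers, so a numeric comparison suffices; "unknown" never passes.
version_at_least() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

# xprotect_report: print a summary and return 0 (baseline met) or 1 (not met),
# so a management script can act on the exit status.
xprotect_report() {
    defs="$(bundle_version "$XPROTECT_PLIST")"
    rem="$(bundle_version "$REMEDIATOR_PLIST")"
    printf 'XProtect definitions: %s\n' "$defs"
    printf 'XProtect Remediator:  %s\n' "$rem"
    if version_at_least "$defs" "$MIN_XPROTECT_VERSION"; then
        echo "OK: definitions meet baseline $MIN_XPROTECT_VERSION"
        return 0
    fi
    echo "WARN: definitions missing or below baseline; run: sudo softwareupdate --background-critical" >&2
    return 1
}

xprotect_report
```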

Check Point’s report provides a detailed technical analysis, including indicators of compromise, for security teams and developers.


The Growing Threat to macOS

Banshee’s return highlights that macOS is no longer immune to advanced malware. Its ability to bypass XProtect, steal sensitive information, and evade antivirus detection makes it one of the most dangerous threats for Mac users today.

The malware’s reduced price indicates that cybercriminals are looking to expand its use, targeting both individuals and businesses. As Apple devices become more common in workplaces, the risk of attacks like Banshee grows.


Conclusion

Banshee has evolved into a highly sophisticated macOS malware, capable of stealing browser credentials, cryptocurrency wallets, and system data while evading detection.

Mac users and organizations must remain vigilant: keep systems updated, avoid suspicious downloads, enable MFA, and educate users about phishing and malware tactics.

With cybercriminals continuously refining tools like Banshee, proactive security measures are essential. This malware is a stark reminder that macOS devices are not impervious to threats, and users must take cybersecurity seriously.
