Banshee ‘Steals’ Apple’s Encryption To Empty Your Wallets


The macOS stealer Banshee has resurfaced with a dangerous new update. The stealer now borrows the string-encryption scheme used by Apple's built-in anti-malware technology, XProtect, which makes it harder to detect and more efficient in its digital heists.

Banshee has been linked to the Russian cybercriminal industry and emerged rather recently in mid-2024. In that time, the stealer has been continuously under development, leaked on GitHub, reverse-engineered, and then resurfaced with impressive capabilities.

The developers behind this stealer are also scaling their operations. They slashed the price for the malware from $3,000 last year to just $1,500 in January 2025.

On January 9, Check Point researchers released the findings of their investigation into the new version of Banshee. They explain that this new version of Banshee has been operating undetected by security vendors for the past two months.

Techopedia explores Banshee's capabilities, how it reuses the string encryption from Apple's XProtect, and what experts and Apple-focused anti-malware providers told us about it.

Key Takeaways

  • The new version of Banshee targets crypto wallets, steals sensitive data, and employs social engineering tactics to trick users into compromising their systems.
  • The malware’s developers have reduced the price of the stealer-as-a-service offering, indicating an intention to expand their operations and target a wider range of victims.
  • Maintaining updated software, exercising caution with suspicious links and downloads, and implementing a multi-layered security approach are crucial for reducing the risk posed by Banshee and other macOS threats.

This is What the New Banshee Can Do on a Mac

The new version of Banshee is fully functional malware that can steal data and credentials from a wide range of browsers, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera.


The stealer also targets multi-factor authentication (MFA) extensions, and crypto wallets such as Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.

The Banshee Telegram channel is still active today. (Screenshot/Techopedia)

But Banshee does not stop there. It also collects system information, including the software and hardware on the compromised machine and its external IP address. It can even trick users into handing over their macOS password through fake Mac system pop-up notifications.

Identifying this malware was only possible thanks to a recent leak of Banshee's source code on the XSS forums.

Check Point researchers said:

“For over two months, this updated version of Banshee successfully evaded detection by most antivirus engines until its original code was leaked on XSS forums, allowing antivirus engines to detect its core functionality.”

The Check Point report adds that once the source code was leaked, the Banshee stealer-as-a-service operation was ‘shut down’.

However, the 'shutdown' looked more like a distraction technique, as the criminal gang continued distribution via phishing websites posing as legitimate software download sites.

How Does Banshee Use Apple’s XProtect Anti-Virus?

Apple’s XProtect is one of the company’s main cybersecurity technologies. It is built into all Macs and used to detect malware. XProtect uses rules similar to antivirus signatures.

These rules, known as YARA rules, are written by security researchers when they discover new malware operating in the wild. Companies like Apple use them to identify new malware and block it before it runs. Of course, this is an eternal cat-and-mouse game between criminals and cybersecurity experts.

A YARA rule example on VirusTotal. (Screenshot/Techopedia)

Check Point researchers tried to develop a YARA rule for Banshee and found that their rule generated a lot of false positives. This is when they came across something impressive. Check Point explains:

“We discovered that Banshee employs the same encryption method that Apple utilizes in macOS for string encryption within its antivirus engine, XProtect.”

By using the same encryption as Apple's XProtect, Banshee keeps its strings scrambled on disk and only decrypts them during execution. A static scanner looking for tell-tale plaintext strings finds nothing to match, which lets the stealer slip past standard static detection methods.
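The detection gap described above, as an added example that is not from the article or from Check Point's report: a plaintext string signature (the kind a YARA rule keys on) matches a sample whose strings sit in the clear but not one whose strings are encrypted at rest, and the second function shows one way a scanner closes that gap by matching on the decoded form instead. The XOR scheme, the key, the signature strings and the two "samples" are all constructed for illustration; they are not Banshee's real strings and not the encryption that XProtect and Banshee share.

```python
"""Constructed demo: plaintext string signatures vs strings encrypted at rest.
The XOR obfuscation, key, signature strings and samples are all invented for
illustration; none of it is Banshee's or XProtect's actual encryption."""
from itertools import cycle
from typing import Iterable, List, Optional, Tuple

# Constructed signature: plaintext strings a rule author might key on.
SIGNATURE_STRINGS: List[bytes] = [b"Exodus", b"Electrum", b"Ledger", b"Keychain"]

# Candidate keys for the decode-then-match scan (toy single-byte XOR space).
SINGLE_BYTE_KEYS: List[bytes] = [bytes([k]) for k in range(256)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy symmetric obfuscation: byte-wise XOR with a repeating key (constructed)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample(strings: Iterable[bytes], key: Optional[bytes] = None) -> bytes:
    """Stand-in for a binary's data section: NUL-separated strings, stored either
    in the clear (key=None) or encrypted at rest with the toy scheme."""
    blob = b"\x00".join(strings) + b"\x00"
    return blob if key is None else xor_bytes(blob, key)


def match_plaintext(sample: bytes, sigs: List[bytes] = SIGNATURE_STRINGS) -> List[bytes]:
    """Static scan: which signature strings occur verbatim in the sample?"""
    return [s for s in sigs if s in sample]


def match_decoded(sample: bytes, key_space: Iterable[bytes],
                  sigs: List[bytes] = SIGNATURE_STRINGS,
                  min_hits: int = 2) -> Tuple[Optional[bytes], List[bytes]]:
    """Defender-side response: decode with each candidate key and match on the
    decoded form. Requiring several hits under one key keeps chance matches out.
    Returns (key, hits) for the first key that clears the bar, else (None, [])."""
    for key in key_space:
        hits = match_plaintext(xor_bytes(sample, key), sigs)
        if len(hits) >= min_hits:
            return key, hits
    return None, []


if __name__ == "__main__":
    key = b"\x5a"  # constructed key
    in_the_clear = build_sample(SIGNATURE_STRINGS)
    encrypted = build_sample(SIGNATURE_STRINGS, key)
    print("plaintext rule vs clear sample:    ", match_plaintext(in_the_clear))
    print("plaintext rule vs encrypted sample:", match_plaintext(encrypted))
    print("decode-then-match vs encrypted:    ", match_decoded(encrypted, SINGLE_BYTE_KEYS))
```

Trying every single-byte key only works for a toy scheme like this one. Against a real cipher an engine has to emulate or hook the decryption routine, or inspect process memory after the strings have been decrypted, which is why behavioural and memory-based detection matter alongside static rules.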

Jaron Bradley, Director of Threat Labs at Jamf, an Apple-focused cybersecurity provider, discussed XProtect’s security rules with Techopedia:

“Banshee underscores that while Apple’s XProtect rules are effective at detecting known malware, they are closely monitored by malware authors, allowing them to adapt and evade detection in future iterations using creative methods.”

For users running other anti-malware solutions on their Macs, Banshee's encrypted strings are likely to be mistaken for Apple's legitimate XProtect data rather than flagged as malicious.

Ngoc Bui, a cybersecurity expert from Menlo Security, a browser cybersecurity company, spoke to Techopedia about how this impacts security and companies providing cybersecurity software for Apple users.

“Even leading Endpoint Detection and Response (EDR) solutions have limitations on Macs, leaving organizations with significant blind spots. We need a multi-layered approach to security, including more trained hunters on Mac environments.”

“This new Banshee Stealer variant exposes a critical gap in Mac security,” Bui said.

“While companies are increasingly adopting Apple ecosystems, the security tools haven’t kept pace,” Bui said.

Privacyis1st rings the alarm on Twitter in 2024 on Banshee and its original $3,000 price tag. Today the stealer costs half of that. (Screenshot/Techopedia)

Banshee is distributed via malicious GitHub repositories. Criminal campaigns using this malware often pair it with the Lumma Stealer, which targets Windows, so a single fake website can serve whichever stealer matches the victim's OS.

How to Keep Your Mac Safe from Banshee

Fortunately, despite its advanced engineering, the Banshee stealer still depends on social engineering. This means that users need to click on suspicious links, navigate to fake software download sites, and download the malware themselves. Therefore, knowing how Banshee works should help users be more cautious when downloading files online.

Updating your Mac is also essential. As mentioned, security researchers are constantly discovering new malware targeting Apple devices and writing detection rules for it.

When Apple releases a security update, these new rules are integrated into XProtect, which is how your Mac detects dangerous activity. Therefore, always keep your Mac and all of your software up to date.
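One way to verify that the XProtect rules on a Mac are actually current, as an added example that is not from the article or from Apple: read the version string from the XProtect bundle's Info.plist and compare it with a minimum you expect. The bundle path is the standard location on recent macOS; the embedded sample plist, the version numbers, and the parse_xprotect_version / check_xprotect / check_installed names are constructed placeholders so the script also runs on a non-Mac.

```python
"""Added example: check that a Mac's XProtect signature bundle is present and at
or above a minimum version. The sample plist and version numbers below are
constructed placeholders; the bundle path is the standard one on recent macOS."""
import plistlib
from pathlib import Path
from typing import Optional

# Standard location of Apple's XProtect signature bundle on modern macOS.
XPROTECT_INFO_PLIST = Path(
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
)

# Constructed sample Info.plist; the version value is a placeholder, not a real release.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.XProtect</string>
  <key>CFBundleShortVersionString</key>
  <string>5278</string>
</dict>
</plist>
"""


def parse_xprotect_version(plist_bytes: bytes) -> Optional[int]:
    """Return CFBundleShortVersionString as an int, or None if absent or unparseable."""
    try:
        info = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException or a malformed-XML error
        return None
    raw = info.get("CFBundleShortVersionString") if isinstance(info, dict) else None
    if raw is None:
        return None
    # XProtect versions are plain integers ("5278"); tolerate a "5278.1" style too.
    try:
        return int(str(raw).split(".")[0])
    except ValueError:
        return None


def check_xprotect(version: Optional[int], minimum: int) -> dict:
    """Classify the result: bundle missing, definitions stale, or current."""
    if version is None:
        return {"status": "missing", "version": None, "minimum": minimum}
    status = "current" if version >= minimum else "stale"
    return {"status": status, "version": version, "minimum": minimum}


def check_installed(minimum: int, plist_path: Path = XPROTECT_INFO_PLIST) -> dict:
    """Read the live bundle on a Mac; on other systems the file is absent -> 'missing'."""
    if not plist_path.is_file():
        return check_xprotect(None, minimum)
    return check_xprotect(parse_xprotect_version(plist_path.read_bytes()), minimum)


if __name__ == "__main__":
    MINIMUM = 5278  # placeholder: set this to the version Apple's latest release carries
    print("sample plist:", check_xprotect(parse_xprotect_version(SAMPLE_INFO_PLIST), MINIMUM))
    print("this machine:", check_installed(MINIMUM))
```

On a Mac, a "stale" or "missing" result is a prompt to run `softwareupdate --background-critical`, which asks the system to fetch outstanding XProtect and other config-data updates, and then to re-run the check.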

We recommend that security teams, experts, and developers check out the full Check Point report. The report includes a detailed technical analysis and Indicators of Compromise.

Banshee source code leaked on GitHub two months ago. (Screenshot/Techopedia)

The Bottom Line

Banshee was already a problem in 2024. Now, with this new version, it has improved its attack success rate. The active development and distribution of this malware signal a well-resourced and technically talented criminal-as-a-service gang.

Apple's reputation for being immune to malware is long gone. While enterprises worldwide adopt Apple environments, cybercriminals are actively developing a wave of macOS stealers.

Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.
