Friday, May 23, 2025
HomeCyber Security NewsPoseidon Stealer Targets Mac Users via Fake DeepSeek Website

Poseidon Stealer Targets Mac Users via Fake DeepSeek Website

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers uncovered a sophisticated malware campaign targeting macOS users through a fraudulent DeepSeek.ai interface.

Dubbed “Poseidon Stealer,” this information-stealing malware employs advanced anti-analysis techniques and novel infection vectors to bypass Apple’s latest security protocols, marking a significant escalation in macOS-focused threats.

Infection Vector and Social Engineering Tactics

The attack begins with malvertising campaigns redirecting users to deepseek.exploreio[.]net, a near-perfect replica of the legitimate DeepSeek.ai platform.

- Advertisement - Google News
Fake DeepSeek site
Fake DeepSeek site

 

Unsuspecting victims clicking the “Start Now” button trigger a download sequence for a malicious disk image file named DeepSeek_v.[0-9].[0-9]{2}.dmg hosted on manyanshe[.]com.

 Alternate payload delivery via terminal command
 Alternate payload delivery via terminal command

Upon mounting the DMG, users encounter instructions to drag a file labeled “DeepSeek.file” into Terminal for installation.

This technique exploits macOS’s shell script execution permissions, bypassing GateKeeper protections enhanced in macOS Sequoia that previously blocked unsigned applications via traditional launch methods. 

eSentire analysts note this Terminal-based execution method represents an emerging trend among macOS threat actors: “The shift towards command-line interface abuse reflects adversaries’ adaptation to tightened security controls in recent Apple updates”.

Anti-debug via ptrace()
Anti-debug via ptrace()

Technical Analysis of Payload Execution

The shell script (DeepSeek.file) employs multi-stage Base64 encoding to obscure its malicious intent. When decoded, the script performs:

cp "/Volumes/DeepSeek/.DeepSeek" "/tmp/.DeepSeek"

xattr -c "/tmp/.DeepSeek"

chmod +x "/tmp/.DeepSeek"

/tmp/.DeepSeek

This sequence copies the malware binary to a temporary directory, strips security attributes, grants execution privileges, and launches the payload.

The stealer incorporates multiple anti-debugging measures, including:

  1. PT_DENY_ATTACH via ptrace() to block debugger attachment
  2. sysctl() Process Tracing Checks monitoring for P_TRACED flags
  3. Username Blocklisting targeting researchers (“maria”, “jackiemac”, etc.)1
if ((kp_proc.p_flag & P_TRACED) != 0) {

    exit(1);

}

Data Exfiltration Capabilities

Poseidon exhibits comprehensive data harvesting capabilities, targeting:

  • Browser Data: Cookies, passwords, credit cards from Chrome/Firefox
  • Cryptocurrency Wallets: Private keys from Ledger Live, Trezor Suite, Electrum
  • Documents: TXT, PDF, DOCX files from Desktop/Documents
  • Keychain: Full export of /Library/Keychains/login.keychain-db

A deceptive password prompt validates credentials via AppleScript before proceeding with data collection:

Display dialog “macOS needs your password to continue…” default answer “” with hidden answer

Password dialog
Password dialog

All exfiltrated data gets compressed and transferred via cURL to 82.115.223[.]9/contact using POST requests. 

 Harvested files ready for exfil
 Harvested files ready for exfil

Security teams analyzing intercepted payloads observed structured archive formats containing separate directories for browser data, financial documents, and system metadata.

Mitigation Strategies

Organizations should implement:

  1. User education on unexpected Terminal usage during software installation
  2. Endpoint detection rules monitoring osascript execution chains
  3. Network filtering for connections to the identified C2 IP
  4. Regular audits of browser extensions and cryptocurrency wallet applications

The emergence of macOS-specific malware-as-a-service offerings like Poseiden Stealer highlights the growing profitability of Apple ecosystem attacks.

With threat actors investing in advanced macOS reverse engineering capabilities, security teams must prioritize monitoring unconventional execution patterns even on traditionally “secure” platforms.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...