Login
Sign Up
Woofun AI reports that a sophisticated macOS information-stealing malware has emerged, capable of hijacking Telegram Desktop sessions to compromise cryptocurrency holdings. This threat, detailed by blockchain security firm SlowMist, operates by harvesting authenticated session data rather than forcing new logins, thereby bypassing standard security protocols.
The malware’s data harvesting scope is extensive, targeting the macOS Keychain, Safari cookies, and Apple Notes alongside Telegram Desktop databases. It specifically seeks out wallet databases and browser extension data from over a dozen applications. Per Woofun AI, the attack vector includes software wallets such as Exodus, Atomic, Electrum, Wasabi, and Monero, as well as hardware wallet interfaces like Ledger Live and Trezor Suite.
Additionally, it scans for data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.
Structurally, the attack chain exploits the reuse of local authenticated sessions, rendering Telegram’s two-step verification ineffective. Attackers do not require a phone number, verification code, or two-step verification password to restore stolen session data on a new device. Once access is gained, the malware attempts offline decryption of wallet databases using harvested passwords or replaces legitimate Ledger and Trezor applications with fake versions designed to trick users into revealing their recovery phrases.
Remediation requires immediate action for potentially compromised devices. Users must terminate existing Telegram sessions, establish a new trusted login, and update both their two-step verification password and Telegram Desktop Passcode.
Furthermore, generating a new recovery phrase on a clean device and transferring all assets to new addresses is critical to securing funds.