SlowMist Warns macOS Malware Can Hijack Telegram Sessions and Target Crypto Wallets

SlowMist Warns macOS Malware Can Hijack Telegram Sessions and Target Crypto Wallets

Security researchers at SlowMist reported that a macOS information-stealing malware campaign can hijack authenticated Telegram Desktop sessions and combine that access with broad credential harvesting to target cryptocurrency wallets. The attack turns ordinary desktop files into a pathway for account takeover and potential fund theft.

The chain matters because it bypasses the protections many users expect from Telegram login controls. Instead of forcing a new authentication attempt, the malware reuses existing local session data, making device compromise more dangerous than a stolen password alone.

Telegram Session Files Become an Attack Vector

The malware locates and copies Telegram Desktop’s local session store, including the ~/Library/Application Support/Telegram Desktop/tdata/ directory and files such as key_datas. SlowMist reproduced the process and found that restored session files could synchronize Telegram chats without phone verification or two-step verification prompts.

That behavior makes typical two-factor controls less effective against this specific vector. The attacker is not logging in as a new user; the attacker is restoring a trusted session, creating a session-hijacking route around normal account defenses.

The campaign also harvested local secrets to improve the odds of wallet compromise. Observed techniques included fake macOS administrator prompts, extraction of macOS Keychain entries, collection of Chrome Safe Storage keys and theft of browser login, cookie and form databases, forming a multi-source credential collection pipeline.

The malware targeted Chrome, Brave, Edge, Vivaldi, Opera and Firefox data stores, including login databases, cookies, web data and Firefox credential files. It also accessed Apple Notes storage, which is especially risky because users sometimes store seed phrases, passcodes or recovery hints in local notes.

Wallet exposure was broad. SlowMist identified targeting of at least 16 local wallet applications and management clients, including Exodus, Atomic, Electrum, Wasabi, Monero and Bitcoin Core, along with companion apps such as Ledger Live and Trezor Suite, making desktop wallet environments a major focus of the malware.

The malware also searched for data tied to more than 223 wallet-related browser extension IDs. That coverage shows the campaign was designed to harvest across both standalone wallet software and browser-based crypto workflows.

Credential Correlation Raises the Theft Risk

After exfiltration, attackers can correlate candidate passwords from Keychain entries, browser stores, Apple Notes and fake prompts against encrypted wallet databases. That workflow creates an offline decryption path for stolen wallet files even when the database itself is encrypted.

The campaign also used application-replacement phishing. Legitimate hardware wallet companion apps could be removed and replaced with web-wrapper impostors that mimic official interfaces, giving attackers a direct route to harvest recovery phrases and PINs from users.

The attack chain links several macOS design assumptions into one operational risk. Local session files, encrypted wallet databases and stored secrets are each manageable in isolation, but together they create a compromise sequence from endpoint infection to Telegram takeover and wallet theft.

The incident highlights the desktop endpoint as a material attack surface. Messaging access, local credentials and wallet software often coexist on the same machine, making segregation of communication and signing environments essential.

Operational controls should include stronger endpoint detection and response, tighter limits on local credential storage and mandatory verification of wallet software before installation or updates. Teams should treat unexpected privilege prompts and replacement desktop apps as high-severity security events.

Incident response plans should assume that stolen application files can equal account control. If Telegram session artifacts or wallet databases are exposed, firms should prepare for cross-product compromise, rapid key rotation and custodial fallback, because asset access and business communications may be breached at the same time.

The broader lesson is that crypto security cannot stop at seed-phrase hygiene. For high-value users and institutions, local sessions, browser stores, Notes databases and companion wallet apps are all high-risk data surfaces, making endpoint governance a core part of digital-asset protection.

Follow Us

Ads

Main Title

Sub Title

It is a long established fact that a reader will be distracted by the readable

Ads
banner 900px x 170px