macOS users are being lured into fake Zoom extensions or messaging links, unwittingly installing CryptoBot—an info‑stealing Trojan that copies wallet credentials under the guise of legitimate software. Once installed, it begins siphoning crypto‑wallet details, browser logins, and other sensitive data.
Threat Overview
Type: Trojan malware targeting macOS
Targets: Browser‑stored credentials, cryptocurrency wallets, sensitive system files
In‑Depth Analysis
Infection Vector
Delivered via deceptive social media or messaging links and fake Zoom plugin pages. The victim installs what appears to be a legitimate app—which secretly drops CryptoBot alongside Vidar.
Behavioral Profile
- Installs under /Applications as spoofed apps (e.g. “MPlayerX”).
- Executes payloads that harvest browser cookies, credentials, and crypto wallets.
- May capture screenshots and export data to remote C&C servers.
Risk Assessment
The Trojan threatens high-profile assets—crypto wallets and online accounts. It’s a high-severity threat: stealthy, financially damaging, and capable of identity theft. Victims risk losing funds or having credentials exploited for further attacks.
Removal Steps
- Disconnect from the Internet: Prevent data exfiltration.
- Boot in Safe Mode on Mac: Hold Shift during boot.
- Remove malicious apps manually:
- Open Finder → Applications.
- Locate suspicious apps (e.g. MPlayerX, NicePlayer) and trash them.
- Check Login Items: System Preferences → Users & Groups → Login Items. Remove entries you don’t recognize.
- Clear browser extensions & cache: Manually remove unfamiliar plugins/add-ons. This blocks hidden data-harvesting code.
- Run a reputable anti‑malware scan: Use an on‑demand scanner from a vendor other than your current AV, so components the resident AV missed, rootkits included, get a second look.
- Change passwords & secure wallets: Post-cleaning, reset credentials and revoke/transfer crypto funds.
- Future precautions:
- Avoid installing untrusted plugins.
- Keep OS and apps updated.
- Use strong, unique passwords and a firewall.
- Scan new installs proactively.
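One way to script the "remove malicious apps" and "check Login Items" steps above, as an added example that is not part of the original advisory: it flags application bundles whose names match the spoofed apps the advisory cites, reports each bundle's code-signing status so unsigned or ad-hoc apps stand out, and lists login items. Assumes bash; `codesign` and `osascript` exist only on macOS, so on other systems the status reads "unknown" and the login-item listing is skipped.

```bash
#!/bin/bash
# Spoofed app names cited in the advisory (MPlayerX, NicePlayer).
SUSPECT_NAMES="MPlayerX NicePlayer"

# Print every bundle in $1 (default /Applications) whose name is on the list.
find_suspect_apps() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    name=$(basename "$app" .app)
    for s in $SUSPECT_NAMES; do
      if [ "$name" = "$s" ]; then echo "$app"; fi
    done
  done
  return 0
}

# Code-signing status of one bundle: signed, unsigned, or unknown (no codesign).
signing_status() {
  if ! command -v codesign >/dev/null 2>&1; then echo unknown; return 0; fi
  if codesign --verify --deep --strict "$1" >/dev/null 2>&1; then
    echo signed
  else
    echo unsigned
  fi
}

# Audit one directory: bundle path, signing status, and a SUSPECT-NAME tag
# when the name matches the advisory's list. Unsigned bundles deserve a look
# even when their names are not on the list.
audit_apps() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    name=$(basename "$app" .app)
    flag=""
    case " $SUSPECT_NAMES " in *" $name "*) flag=" SUSPECT-NAME" ;; esac
    printf '%s\t%s%s\n' "$app" "$(signing_status "$app")" "$flag"
  done
  return 0
}

# Login items for the current user (macOS only), the list the advisory says
# to review; anything unrecognised here is a persistence candidate.
list_login_items() {
  if command -v osascript >/dev/null 2>&1; then
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
  fi
  return 0
}
```

Run `audit_apps` and `list_login_items` before trashing anything, so the output can be kept as a record of what was found on the machine.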
Conclusion
The CryptoBot trojan poses serious financial and privacy risks by stealing crypto wallets and credentials. Early detection—prompted by unexpected app installs or slow performance—and prompt removal are vital. Follow structured cleanup steps and deploy robust security tools to avoid devastating losses.