MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
A new macOS malware is stealing credentials to hijack Telegram sessions and compromise cryptocurrency wallets, according to blockchain security firm SlowMist.
Intelligence analysis by Gemini 2.5 Flash

The sophisticated malware targets macOS Keychain, browser data, Apple Notes, and over a dozen crypto wallets, including both software and hardware wallet applications. It can reuse authenticated Telegram Desktop sessions to bypass two-factor authentication and trick users into revealing recovery phrases through fake applications.
Imagine a sneaky computer program that secretly peeks into your digital diary (your saved passwords) and then uses what it finds to pretend to be you on your chat app (Telegram) without needing your secret code. It also tries to find your digital piggy banks (crypto wallets) to take your money. It's like a thief who finds your house key and then uses it to get in and steal your valuables.
Analysis
Multi-faceted Attack Vector
This newly identified macOS malware represents a sophisticated threat, combining several techniques to compromise cryptocurrency assets and user accounts. According to blockchain security firm SlowMist, the malware is designed to harvest a wide array of sensitive data from infected devices. This includes credentials stored in the macOS Keychain, browsing data from Safari cookies, notes from Apple Notes, and critical information from Telegram Desktop. Crucially, it also targets databases associated with more than a dozen popular cryptocurrency wallets, encompassing both software solutions like Exodus, Atomic, Electrum, Wasabi, and Monero, as well as applications for hardware wallets such as Ledger Live and Trezor Suite. Furthermore, it seeks out wallet data from full-node clients like Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core, indicating a broad and indiscriminate approach to data exfiltration.
Telegram Session Hijacking Explained
One of the most concerning aspects of this malware is its ability to hijack authenticated Telegram Desktop sessions. Unlike typical phishing attacks that require users to enter login credentials, this malware bypasses such requirements by copying and reusing existing session data. SlowMist's research demonstrated that attackers can restore a stolen Telegram Desktop session on another Mac without needing a phone number, verification code, or even a two-step verification password. This capability allows attackers to gain full control over a user's Telegram account, enabling them to send messages, access contacts, and potentially spread malicious links or solicit funds from the victim's network, all while remaining undetected by standard security measures like 2FA.
Mitigation and Proactive Defense
Given the severity of this threat, SlowMist has issued urgent recommendations for users who suspect their devices may have been compromised. The immediate steps include terminating all existing Telegram sessions, establishing a new trusted login, and changing both the Telegram two-step verification password and Telegram Desktop Passcode. Beyond Telegram, the security firm advises generating a completely new recovery phrase on a clean, uninfected device and transferring all cryptocurrency assets to new, secure addresses. This comprehensive approach is vital for mitigating potential losses and re-establishing control over digital assets and communication channels, highlighting the ongoing need for vigilance and robust security practices in the cryptocurrency space.
Key points
- A new macOS malware targets cryptocurrency investors by stealing credentials and hijacking Telegram Desktop sessions.
- The malware collects data from macOS Keychain, Safari cookies, Apple Notes, and over a dozen crypto wallets, including Ledger Live and Trezor Suite applications.
- It can reuse authenticated Telegram sessions, bypassing two-factor authentication, and trick users into revealing recovery phrases.
- SlowMist recommends immediately terminating Telegram sessions, changing passwords, and transferring assets to new wallet addresses if compromise is suspected.
This malware could lead to significant financial losses for affected macOS users, eroding trust in the security of digital assets on this platform. The ability to bypass 2FA on Telegram also opens doors for further social engineering attacks and the spread of scams, potentially impacting a wider network of users.



