Phishing simulation Awareness training Data breach detection Pricing About Blog Resources Contact
Get started Log in

MetaStealer: An insidious cyber threat

We take a closer look at the insidious MetaStealer that can move into your systems without your anti-virus programs detecting it.

01-12-2023 - 9 minute read. Posted in: malware.

MetaStealer: An insidious cyber threat

MetaStealer Malware: A stealthy cyber threat targeting macOS users

Cybersecurity threats are becoming more advanced and frequent, pushing both individuals and organizations to strengthen their digital defenses. One of the most dangerous and elusive threats in recent years is MetaStealer.

MetaStealer is a highly advanced form of macOS malware designed to infiltrate systems and steal sensitive information without being detected. This malware often masquerades as legitimate software, such as Adobe Photoshop, to deceive users. By using deceptive file names and official descriptions, it lures victims into executing malicious files, making it a notorious information stealer, or infostealer, known for its ability to evade traditional security measures and operate silently in the background.

Introduction to the threat

MetaStealer malware is a new and emerging threat targeting macOS users, particularly business users. This type of malware is designed to steal sensitive information, including saved passwords, keychain contents, and files from compromised systems. MetaStealer is a Go-based infostealer that uses social engineering tactics to trick victims into launching malicious payloads. The malware is often distributed through malicious application bundles contained in disk image format (.dmg) and can be found on torrent sites or suspicious third-party software distributors as cracked versions of popular software.

Learn more about how cybercriminals use social engineering to manipulate victims and gain unauthorized access.

What is MetaStealer malware?

MetaStealer is a type of malware created to perform cyber espionage and steal data from macOS systems. It focuses on extracting confidential information such as login credentials, banking details, private documents, and other valuable data from infected devices. What makes MetaStealer notable among recent malware is its explicit targeting of business users with the intent to exfiltrate high-value data from their iCloud Keychain and other sensitive information.

What makes MetaStealer particularly dangerous is its ability to remain hidden. It uses a combination of encryption, process injection, and rootkit-level tactics to bypass antivirus software and other security tools. This targeted approach to corporate users raises significant concerns about data security, as it poses risks of identity theft and financial losses while also potentially disrupting corporate operations. Once installed, it communicates with a remote server controlled by attackers to send the stolen data.

To better understand how malicious software like this operates and spreads, learn more about malware and its impact.

Origins and development

The exact origins of MetaStealer are not fully known, but it is believed to have emerged in the early 2010s. Since then, it has undergone continuous development and improvements to enhance its ability to evade detection and extract data efficiently. Some versions of MetaStealer even contain an embedded Apple Developer ID, which may deceive users into thinking the applications are legitimate.

The malware is written in the Go programming language, which is increasingly used by cybercriminals due to its performance and cross-platform compatibility. Unlike most malware that targets Windows systems, MetaStealer is specifically designed to exploit vulnerabilities in macOS. When compared to other malware targeting macOS, MetaStealer stands out due to its sophisticated use of social engineering tactics and its ability to bypass macOS security protections such as Gatekeeper. Understanding the evolving landscape of threats, including the differences and similarities with other malware, is crucial for effective detection and protection against such threats.

How MetaStealer works

MetaStealer typically spreads through phishing attacks. Victims receive emails containing malicious attachments or links disguised as legitimate files. These often appear as Adobe files or disk images with names tailored to specific industries or organizations. MetaStealer uses the macOS folder structure to disguise its malicious files, embedding harmful executables within the 'macOS folder' of application bundles to trick users into thinking they are legitimate.

When a user opens the infected file or clicks the link, the malware installs itself and begins running silently in the background. To gain execution, MetaStealer tricks users into bypassing security measures like Gatekeeper and OCSP, which are designed to protect macOS systems. From there, it uses various tactics to avoid detection and steal information from the system.

Once active, MetaStealer performs the following actions:

  • Remains hidden from antivirus and security scans

  • Maintains long-term access through persistence mechanisms

  • Communicates with a command-and-control server to exfiltrate data

  • Encrypts stolen files to prevent victims from accessing their own data

Key features of MetaStealer

MetaStealer includes several advanced functions that make it a powerful tool for cybercriminals:

  • Remote access: MetaStealer allows attackers to remotely control infected systems. They can navigate files, run commands, and even install additional malware without needing physical access to the device. MetaStealer uses an icon image to disguise itself as legitimate software, tricking users into executing the malicious application.

  • Keylogging: The malware includes a keylogger that records every keystroke made by the user. This enables attackers to capture passwords, personal messages, and any other typed content. To understand how keyloggers work and how to defend against them, read our guide on keyloggers and their cybersecurity risks.

  • Persistence: MetaStealer uses techniques that ensure it stays on the device even after restarts or security updates. This persistence makes it extremely difficult to detect and remove. The malware often hides its malicious files within the resources folder of macOS application bundles, making it appear as part of legitimate software.

macOS malware threats

The rise of MetaStealer malware highlights the growing concern of macOS malware threats. Mac users, including business users, are being proactively targeted by threat actors using fake clients and social engineering tactics to distribute malicious payloads. The use of password-protected zip files and disk image format (.dmg) has become a common method for spreading macOS malware. MetaStealer is just one example of the many malware threats targeting Mac users, and its ability to extract saved passwords and sensitive data makes it a significant concern for data security.

Targeted victims

MetaStealer primarily targets macOS users, which makes it stand out in a malware ecosystem largely focused on Windows. The malware has been used in targeted attacks on corporate networks, government agencies, healthcare institutions, and financial services. The stolen data can lead to further cybercriminal activities, potentially enabling attackers to infiltrate a larger business network and exploit sensitive information.

These sectors hold a vast amount of sensitive information, making them ideal targets for cyber espionage. In several campaigns, the malware was disguised as job descriptions, vendor contracts, or other industry-relevant documents to increase the likelihood of victims opening the files. This specific targeting strategy is aimed at luring business users by disguising the malicious software as legitimate application bundles and documents.

Impact on Mac users

The impact of MetaStealer malware on Mac users can be severe. The malware’s ability to steal sensitive information, including login credentials and sensitive data, can lead to identity theft, financial losses, and privacy breaches. Business users are particularly at risk, as the malware can compromise confidential business information and disrupt operations. The fact that MetaStealer is heavily obfuscated and can evade detection by some security software makes it a formidable threat. Mac users must be vigilant and take proactive measures to protect themselves from MetaStealer and other macOS malware threats, including using reputable antivirus software, avoiding suspicious downloads, and being cautious when handling email attachments and links.

How to protect against MetaStealer

To defend against a threat as advanced as MetaStealer, organizations must implement a comprehensive cybersecurity strategy. Key measures include:

  • Endpoint protection: Use advanced endpoint protection solutions that include antivirus, intrusion detection, and behavioral analysis. These tools help detect unusual activity that traditional antivirus may miss. MetaStealer operates without ad hoc signing, relying on user intervention to bypass security measures like Gatekeeper and OCSP.

  • Phishing and awareness training: Since MetaStealer often enters systems via phishing emails, training employees to recognize suspicious emails, links, and attachments is essential.

  • Regular software updates: Keep all systems, applications, and operating systems updated. Patching known vulnerabilities reduces the risk of exploitation by malware. Regularly updating the operating system is crucial to prevent malware like MetaStealer from exploiting vulnerabilities to steal sensitive data.

  • Network segmentation: Segmenting your network limits the ability of malware to move laterally. If one system is compromised, the damage can be contained more easily.

  • Traffic monitoring: Monitor outgoing and incoming network traffic for unusual patterns. This can help identify command-and-control communication attempts early.

The ongoing threat

MetaStealer is not just another malware strain. It represents a sophisticated and evolving threat that poses a serious risk to organizations using macOS. Its stealth, persistence, and powerful data-stealing capabilities make it one of the most concerning infostealers in circulation. The emergence of recent malware like MetaStealer specifically targeting macOS users highlights a growing trend that raises the stakes for cybersecurity.

Combating MetaStealer requires collaboration across industries. Sharing threat intelligence, response plans, and best practices helps create a stronger collective defense. MetaStealer's capabilities include extracting saved passwords from compromised systems, tapping into the keychain and other data storage mechanisms, thereby posing significant risks to user security and privacy.

Final thoughts

MetaStealer highlights the need for proactive cybersecurity strategies. By understanding how the malware operates and taking the right precautions, organizations can improve their resilience against similar threats. Threat actors are proactively targeting macOS businesses using social engineering tactics, such as posing as fake clients, to deliver malware payloads.

Cybersecurity begins with awareness. Training employees, keeping systems updated, and deploying advanced security tools are essential steps in defending against modern threats like MetaStealer. Attackers socially engineer victims into executing malicious payloads by impersonating fake clients, illustrating a strategic approach to deception. This tactic facilitates the distribution of malware, particularly the MetaStealer variant.

This post has been updated on 02-05-2025 by Sarah Krarup.

Author Sarah Krarup

Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.

View all posts by Sarah Krarup

Similar posts

Centre for Cybersecurity's List of Glossaries
awareness

Centre for Cybersecurity's List of Glossaries

The Centre for Cybersecurity updates its list of glossaries each year in October. This year, there were 18 new additions to the list.

21-11-2022 · 5 min.
How deepfakes can affect your business
cybercrime

How deepfakes can affect your business

Worldwide concern is growing about the negative effects that deepfakes can have on society, and for good reason.

15-08-2022 · 8 min.
What is spyware?
malware

What is spyware?

While espionage is probably something most people associate with secret agents, millions of people are digitally spied on every day.

05-05-2022 · 8 min.