Banshee stealer evades detection using Apple XProtect encryption algo
A new version of the Banshee info-stealing malware for macOS has been evading detection over the past two months by adopting string encryption from Apple's XProtect.
Banshee is an information stealer focused on macOS systems. It emerged in mid-2024 as a stealer-as-a-service available to cybercriminals for $3,000.
Its source code was leaked on the XSS forums in November 2024, leading to the project shutting down for the public and creating an opportunity for other malware developers to improve on it.
According to Check Point Research, which discovered one of the new variants, the encryption method present in Banshee allows it to blend in with normal operations and to appear legitimate while collecting sensitive information from infected hosts.
Another change is that it no longer avoids systems belonging to Russian users.

XProtect encryption
Apple's XProtect is the malware detection technology built into macOS. It uses a set of rules, similar to antivirus signatures, to identify and block known malware.
The latest version of Banshee Stealer adopted a string encryption algorithm that XProtect itself uses to protect its data.
By scrambling its strings and only decrypting them during execution, Banshee can evade standard static detection methods.
It is also possible that macOS and third-party anti-malware tools treat the particular encryption technique with less suspicion, allowing Banshee to operate undetected for longer periods.
Stealing sensitive data
The latest Banshee stealer variant is primarily distributed via deceptive GitHub repositories targeting macOS users through software impersonation. The same operators also target Windows users, but with Lumma Stealer.

Check Point reports that while the Banshee malware-as-a-service operation has remained down since November, multiple phishing campaigns have continued to distribute the malware since the source code leaked.
The infostealer targets data stored in popular browsers (e.g. Chrome, Brave, Edge, and Vivaldi), including passwords, two-factor authentication extensions, and cryptocurrency wallet extensions.
It also collects basic system and networking information about the host and serves victims deceptive login prompts to steal their macOS passwords.