Check Point Research has published a detailed analysis of Banshee 3.0, the latest iteration of the Banshee macOS information stealer. Most notably, the samples analyzed were signed with valid Apple Developer ID certificates—apparently stolen from legitimate developers—allowing the malware to bypass macOS Gatekeeper protections at initial execution.


What is Banshee?


Banshee is a macOS-specific information stealer that first emerged in 2024 as a subscription-based Malware-as-a-Service (MaaS) offering on Russian cybercrime forums, priced at approximately $3,000 per month. Version 3.0 represents a major technical update.


Distribution Method


Banshee 3.0 was distributed through a coordinated campaign using trojanized versions of legitimate macOS applications hosted in GitHub repositories. Applications used as lures include: a cracked version of CleanMyMac X, a counterfeit AI Writing Assistant app, a fake VPN application mimicking NordVPN, and a pirated copy of Notion. The repositories were advertised through targeted posts on Reddit, X (Twitter), and niche developer Discord servers.


Technical Capabilities


Banshee 3.0's capabilities include:


Browser Data Theft: Extracts saved passwords, cookies, history, and autofill data from all major macOS browsers including Safari, Chrome, Firefox, Brave, and Tor Browser. For Safari, it exploits macOS Keychain access granted to the Safari application.


Cryptocurrency Wallet Extraction: Targets over 50 browser extension-based cryptocurrency wallets including MetaMask, Phantom, Coinbase Wallet, and Ledger Live, as well as desktop Exodus and Electrum wallet applications.


macOS Keychain Exfiltration: The malware presents a fake system prompt requesting the user's macOS password. If entered, it uses the credentials to export the entire macOS Keychain to a compressed archive for exfiltration.


System Profiling: Collects hardware UUID, installed application list, running processes, and network configuration.


Anti-Analysis: Implements environment checks to detect VMware, Parallels, and VirtualBox; terminates on detection.


Code Signing Abuse


Banshee 3.0 was signed with at least three different stolen Apple Developer certificates. Apple has revoked all identified certificates, and macOS systems with up-to-date XProtect signatures now detect and block the known samples.


Indicators of Compromise


Check Point has published a full list of IOCs, including file hashes, C2 domains, and known signing certificate serial numbers, in its threat intelligence portal.
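The two defender-side checks this report calls for are hash matching against the published IOC list and verifying whether an application's Developer ID signature chains to one of the revoked certificates. The following script is an added example written for this summary; it is not Check Point's tooling and not part of the original report. The SHA-256 value in IOC_SHA256 and the team identifier in REVOKED_TEAM_IDS are constructed placeholders that must be replaced with values from the published IOC list; the `codesign` and `spctl` calls only run on macOS and are skipped elsewhere.

```python
"""Triage helper: hash matching plus Developer ID signature review for macOS apps.

Added example (not Check Point's code). IOC_SHA256 and REVOKED_TEAM_IDS are
CONSTRUCTED PLACEHOLDERS; populate them from the published IOC list.
"""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# PLACEHOLDER indicators (not real IOCs): replace with published values.
IOC_SHA256: Set[str] = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}
REVOKED_TEAM_IDS: Set[str] = {"PLACEHOLDERTEAM"}

CHUNK = 1 << 20  # read files in 1 MiB chunks so large binaries are not loaded whole


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths: Iterable[Path], ioc_hashes: Set[str]) -> List[Path]:
    """Return the regular files whose SHA-256 appears in the IOC set."""
    return [p for p in paths if p.is_file() and sha256_of(p) in ioc_hashes]


AUTHORITY_RE = re.compile(r"^Authority=(.+)$", re.M)
TEAM_RE = re.compile(r"^TeamIdentifier=(.+)$", re.M)


def parse_codesign_output(text: str) -> Dict[str, object]:
    """Extract the certificate chain and team ID from `codesign -dvvv` output.

    codesign writes one 'Authority=' line per certificate in the chain and a
    'TeamIdentifier=' line ('not set' for ad hoc signatures).
    """
    authorities = AUTHORITY_RE.findall(text)
    team_match = TEAM_RE.search(text)
    team_id = team_match.group(1).strip() if team_match else None
    if team_id == "not set":
        team_id = None
    return {
        "authorities": authorities,
        "team_id": team_id,
        "developer_id": any(a.startswith("Developer ID Application:") for a in authorities),
    }


def assess_signature(info: Dict[str, object], revoked_team_ids: Set[str]) -> str:
    """Classify a parsed signature; revoked team IDs take precedence."""
    if not info["authorities"]:
        return "unsigned-or-adhoc"
    if info["team_id"] in revoked_team_ids:
        return "revoked-team-id"
    if info["developer_id"]:
        return "developer-id"
    return "other-signature"


def codesign_info(path: Path) -> Optional[Dict[str, object]]:
    """Run codesign on macOS; returns None where the tool is unavailable."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-dvvv", str(path)], capture_output=True, text=True)
    return parse_codesign_output(proc.stderr)  # codesign prints details on stderr


def gatekeeper_accepts(path: Path) -> Optional[bool]:
    """spctl assessment (Gatekeeper's view, including revocation); None if unavailable."""
    if shutil.which("spctl") is None:
        return None
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", str(path)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def triage_app(app_bundle: Path) -> Dict[str, object]:
    """Hash and signature review for every main executable in an .app bundle."""
    executables = list((app_bundle / "Contents" / "MacOS").glob("*"))
    report: Dict[str, object] = {"hash_hits": match_hashes(executables, IOC_SHA256)}
    info = codesign_info(app_bundle)
    report["signature"] = assess_signature(info, REVOKED_TEAM_IDS) if info else "codesign-unavailable"
    report["gatekeeper"] = gatekeeper_accepts(app_bundle)
    return report


if __name__ == "__main__":
    for bundle in Path("/Applications").glob("*.app"):
        print(bundle.name, triage_app(bundle))
```

Hash hits are conclusive only for the exact samples Check Point listed; the signature classification is a triage aid, since a "developer-id" result on an unknown app still warrants a look at the Authority lines and a `spctl` assessment, which reflects Apple's revocation of the stolen certificates once the system has current data.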