Bybit Security Team Exposes New macOS Malware Campaign Targeting Developers
In a pioneering move, Bybit, the world’s second-largest cryptocurrency exchange by trading volume, has unearthed details about a clever malware campaign that specifically targets macOS users searching for Claude Code, a modern AI-driven development tool from Anthropic. The intricate operation, revealed by Bybit’s Security Operations Center (SOC), highlights an urgent and sophisticated threat to the cryptocurrency community and to developers in particular.
The malware campaign was first detected in March 2026 and used search engine optimization (SEO) manipulation to boost a malicious domain to the top of Google search results. Unsuspecting users searching for Claude Code were directed to a counterfeit installation page designed to closely mimic the legitimate documentation. This initial deception led to a two-stage attack aimed at stealing user credentials, targeting crypto assets, and maintaining ongoing access to compromised systems.
Initially, the malware was delivered via a Mach-O dropper that introduced an osascript-based information stealer similar to well-known malware variants identified previously. The stealer worked in multiple phases, extracting sensitive information including browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and data from cryptocurrency wallets. The data was siphoned from more than 250 browser-based wallet extensions and several desktop wallet applications, demonstrating the severity of the threat.
The follow-up attack included a second-stage payload featuring a C++-based backdoor equipped with advanced evasion mechanisms. This backdoor could detect when it was operating in a virtualized environment and encrypted its runtime configurations to escape detection. Furthermore, it maintained a persistent presence on infected systems through system-level agents, allowing attackers remote command execution through HTTP polling, thus giving them continued control over the compromised devices.
Bybit’s SOC effectively utilized AI-assisted workflows throughout the malware analysis process. This innovation notably sped up the response time without sacrificing thoroughness. Preliminary analysis and classification of the malware were completed in mere minutes, while advanced AI models quickly flagged its similarities to previously identified malware families. The utilization of AI for reverse engineering also played a pivotal role; it minimized the time for in-depth inspection of the second-stage backdoor from an estimated six to eight hours down to under 40 minutes. The integration of automated extraction techniques enabled researchers to uncover crucial indicators of compromise (IOCs), which included command-and-control infrastructure, file signatures, and behavioral patterns correlating with established threat frameworks. This efficient methodology allowed Bybit to implement detection measures within the same day.
According to David Zong, Head of Group Risk Control and Security at Bybit, the rapid analysis and sharing of the findings are critical in fortifying defenses within the cryptocurrency sector. “Being among the first crypto exchanges to disclose details about such malware campaigns signifies a vital step in collective security enhancement throughout our industry,” he remarked. Zong emphasized the importance of an adaptive approach to security, stating, “We are entering a new era in cybersecurity—the imminent threat of an AI war. We must utilize AI itself as a defense mechanism against adversaries also employing AI.”
As the investigation unfolded, it unveiled a variety of social engineering tactics. These included fake macOS prompts designed to solicit user passwords and harvest cached credentials. In some instances, attackers attempted to replace genuine crypto wallet applications like Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure. The malware infiltrated diverse environments, targeting Chromium-based browsers, Firefox variants, Safari data, Apple Notes, and local directories where sensitive financial or authentication data might be stored.
Bybit proactively identified multiple web domains and command-and-control endpoints linked with this campaign, all of which were promptly taken down to protect the public. Analysis of the attack revealed that the perpetrators relied on intermittent HTTP polling rather than persistent connections, which complicates detection because no long-lived session ever appears in network telemetry.
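The detection difficulty described above comes from the backdoor checking in at intervals instead of holding a connection open; one defensive response is to look for hosts contacted on a near-constant schedule. The following is an added example, not Bybit’s tooling or code from the campaign: it parses constructed proxy-style log lines (the hostnames, timestamps and paths are invented, using the reserved .invalid TLD) and flags hosts whose inter-request gaps show very low jitter.

```python
"""Flag low-jitter periodic HTTP requests (beaconing) in proxy-style logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real campaign data): "ISO-timestamp host path".
# The first host polls roughly every 30 seconds; the second is ordinary browsing.
SAMPLE_LOG = """\
2026-03-12T10:00:00 updates.example-c2.invalid /poll
2026-03-12T10:00:31 updates.example-c2.invalid /poll
2026-03-12T10:01:00 updates.example-c2.invalid /poll
2026-03-12T10:01:29 updates.example-c2.invalid /poll
2026-03-12T10:02:01 updates.example-c2.invalid /poll
2026-03-12T10:00:05 docs.example.invalid /index.html
2026-03-12T10:07:42 docs.example.invalid /api/install
2026-03-12T10:31:10 docs.example.invalid /assets/logo.png
"""


def parse_log(text):
    """Group request timestamps by destination host."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _path = line.split(maxsplit=2)
        by_host[host].append(datetime.fromisoformat(ts))
    return by_host


def beacon_candidates(by_host, min_requests=4, max_jitter=0.25):
    """Return {host: mean_period_seconds} for hosts contacted on a steady cadence.

    Jitter is the coefficient of variation of the gaps between consecutive
    requests; real users produce bursty traffic, while a polling implant
    produces gaps that cluster tightly around its sleep interval.
    """
    hits = {}
    for host, times in by_host.items():
        times = sorted(times)
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = avg
    return hits


if __name__ == "__main__":
    for host, period in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {host} every ~{period:.1f}s")
```

Thresholds like `max_jitter` need tuning per environment, since legitimate software updaters and telemetry agents also poll on fixed schedules and should be allow-listed rather than treated as findings.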
This incident underscores an emerging trend of malicious actors homing in on developers by manipulating search results as interest in AI tools escalates. Given their access to codebases and financial systems, developers are high-value targets for these types of attacks. Bybit revealed that the malicious infrastructure was identified on March 12, with complete analysis, mitigation, and detection strategies implemented the very same day. The public announcement was made on March 20, accompanied by thorough detection guidelines for the broader community.
Bybit aims to continue strengthening its commitment to cybersecurity by advancing AI investments, promising minute-level threat detection and automated, intelligent emergency responses for the future. This commitment stands as a beacon for the industry as developers and users alike navigate an increasingly complex digital environment.