Session Cookies, Keychains, SSH Keys and More | 7 Kinds of Data Malware Steals from macOS Users

The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.

However, the idea of stealing valuable data and then monetizing it in nefarious ways is a tactic that is now common across platforms. On macOS, threat actors will quietly exfiltrate session cookies, keychains, SSH keys and more as malicious processes from adware to spyware look to harvest data that can be recycled and sold on various underground forums and marketplaces, or used directly in espionage campaigns and supply chain attacks.

In recent posts, we have looked at how threat actors deliver payloads to macOS targets and how they attempt to evade detection. In this post, we look at the data assets targeted by macOS malware in some of the most recent in-the -wild incidents in order to help defenders better protect the enterprise and hunt for signs of compromise.

1. Session Cookies

One of the top targets for observed macOS malware are session cookies stored on user’s devices. For convenience and productivity, browsers and many enterprise apps that are designed to work across devices, such as Slack, TeamViewer, Zoom and similar, allow the user to remain logged in until they explicitly log out.

The Slack App allows infinite sessions until the user explicitly logs out
The Slack App allows infinite sessions until the user explicitly logs out

This is achieved by storing a session cookie on the device. In the event that a process or user copies and steals those cookies, they can use them on a different device to log in without authentication.

The theft of session cookies from a Mac computer was implicated in the recent CircleCI breach. According to CirlceCI’s public statement:

“To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.

Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.

Session cookies can be stored anywhere, but typically they are in locations which can be accessed by the user or a process running as the user. Some locations, such as the User’s Library Cookies folder, may be restricted by TCC unless the parent process has Full Disk Access or uses one of the many known TCC bypasses. Real world attacks (e.g., XCSSET) and researchers have consistently shown that TCC, while often a nuisance to users, does not present a significant obstacle to attackers.

Here are some common examples of locations that store session cookies on macOS:


Chrome:  ~/Library/Application Support/Google/Chrome/Default/Cookies
Firefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/
Slack :  ~/Library/Application Support/Slack/Cookies (file) 
	 ~/Library/Application Support/Slack/storage/*
         ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage

An excellent post on abusing Slack and session cookies for offensive security was written by Cody Thomas here.

In addition, encrypted and unencrypted databases associated with enterprise software can also be targeted by criminals and crimeware. Weakly encrypted databases may be decryptable with a little work and knowledge of the user’s password, often scraped by malware installers upon initial compromise. Zoom’s encrypted database, for example, is targeted by the Pureland infostealer.

Pureland Infostealer searches for Zoom encrypted database, among other items
Pureland Infostealer searches for Zoom encrypted database, among other items
~/Library/Application Support/
Pureland Info Stealer hosted on Dropbox (Source: VirusTotal)
Pureland Info Stealer hosted on Dropbox (Source: VirusTotal)

2. Login Keychain

Perhaps prized above all data on a user’s Mac is the user’s keychain, an encrypted database used to store passwords, authentication tokens and encryption keys. The keychain uses strong encryption that can’t be broken simply by stealing the database or even accessing the computer. However, the weakness of the keychain is that its secrets can all be unlocked if the attacker knows the user’s login password. If that password is weak, easily guessable, or – as is most common – voluntarily given up to a malicious process by request, the strength of the keychain’s encryption is entirely irrelevant.

Unsurprisingly, malware authors are known to target exfiltrating the keychain database. Recent examples include DazzleSpy and a threat that was initially reported on by researchers at Trend Micro last November and dubbed, appropriately enough, KeySteal. Apple belatedly added detections for KeySteal in XProtect v2166 and XProtectRemediator released in March 2023.

KeySteal targets files with the .keychain and keychain-db file extensions in the following locations:

The deviceIdentityServerVerify function serves to enumerate keychains on the victim device
The deviceIdentityServerVerify function serves to enumerate keychains on the victim device

The keychain is then base64-encoded and encrypted by means of an open-source Chinese crypto library called JKEncrypt, a “home-rolled” cryptographic function that uses the legacy (and largely discouraged) 3DES (triple DES) algorithm.

3. User Login Password

As noted, a user’s login keychain is of little use to an unauthorized party unless they also possess the login user’s passwords, and as login passwords serve as either necessary or sufficient authentication for almost every other operation on a Mac device, they are highly sought after by threat actors.

Password theft can be accomplished in a number of ways: through spoofing, through keylogging or simply by asking for authorization for some trivial task and using that authorization for something more nefarious.

Malware will typically ask a victim to elevate privileges so that it can install a privileged executable that will subsequently run as root and accomplish whatever tasks the attacker has in mind; often, LaunchDaemons are used for this. A good example of this TTP is seen in the CloudMensis/BadRAT spyware discovered independently by both ESET and Volexity.

CloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)
CloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)

In the case of Pureland InfoStealer, it presents the user with a dialog alert to capture the user’s password and uses that to unlock the Keychain via the SecKeychainUnlock API.

Pureland Infostealer grabs the user’s password to unlock the keychain
Pureland Infostealer grabs the user’s password to unlock the keychain

4. Browser Passwords & Data

Many macOS users continue to take advantage of browsers to store website login credentials and passwords. These and other useful data such as sites where the user has filled in login credentials, browser history, search history and download history are all of interest to threat actors.

Pureland infostealer provides another recent example, though XLoader, ChromeLoader and a variety of other macOS malware and adware also targets browser data. Pureland executes the following command as part of its getChromeSSPass function.

security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' > /Users/
Strings related to Chrome data theft in Pureland Infostealer
Strings related to Chrome data theft in Pureland Infostealer

The malicious process needs to have elevated privileges and bypass the usual TCC controls in order to succeed; otherwise, the user will be alerted to the attempt by at least one authentication prompt.

The security command line tool requires authentication
The security command line tool requires authentication

5. SSH Keys

In late 2021, users of Chinese search engine Baidu were targeted with a number of trojanized versions of popular networking and admin tools, including iTerm2, SecureCRT, MS Remote Desktop for Mac and Navicat15. The malware came to be known as OSX.Zuru and included among its components a Python script that it dropped at /tmp/

Python component of OSX.Zuru (/tmp/
Python component of OSX.Zuru (/tmp/
shutil.copytree(ssh, foldername + '/ssh')

The script copied and exfiltrated a number of items, among which were any SSH keys located on the victims’ device.

In May 2022, macOS Rust developers were targeted in the CrateDepression typosquatting attack. CrateDepression involved infecting users who had the GITLAB_CI environment variable set on their devices, indicating the attacker’s interest in Continuous Integration (CI) pipelines for software development.

Successful compromise of a host device led to a Poseidon payload, which among other things, could search for and exfiltrate SSH keys.

Poseidon agent hunts for SSH and AWS keys on the compromised device
Poseidon agent hunts for SSH and AWS keys on the compromised device

It is also worth noting that aside from malware that hardcodes SSH data theft, any backdoor RAT that has the ability to execute commands and upload files to a remote server can hunt for SSH keys.

Possession of a victim’s SSH keys could allow attackers to authenticate themselves on the victim’s system. The SSH folder may also contain configuration files that allow access to other accounts on the same system or other systems on the same network.

In addition to stealing SSH keys, if an attacker can gain write access to the SSH folder, they can also drop their own authorized keys to allow backdoor remote access.

6. Serial Number, Hardware, & Other Environmental Info

A common behavior of many macOS malware threats is to query for and exfiltrate a variety of environmental data from the hosts. This can be used to fingerprint devices for a variety of reasons, including selective delivery of malware and execution of malware. For example, a C2 can be automated to deliver malware specific to a particular platform (macOS, Linux, Windows) and even to a specific version of that platform.

Custom malware can be delivered that exploits vulnerabilities in one OS version but not another. Similarly, a threat actor may distribute malware to a wide variety of victims, such as through malvertising or poisoned downloads, but only deliver the payload to very specific victims whose environment matches that the attacker is interested in (see the discussion of CrateDepression above).

If an attacker has advanced knowledge of the target’s environment, such as the device UUID or user account name, they can create a hash of that information and only execute if the infected device’s information matches. This kind of selective delivery and execution allows threat actors to spread their disposable malware droppers widely while keeping their specialized payloads out of sight.

DazzleSpy provides a good example of this technique. The malware polls its environment for a great deal of environmental data.

DazzleSpy surveils its host environment in great detail
DazzleSpy surveils its host environment in great detail
DazzleSpy Method System/API Call
method.MethodClass.getDiskSystemSize Uses NSFileManger’s defaultManager to grab NSFileSystemSize from attributesOfFileSystemForPath
method.MethodClass.getAllhardwareports Shell’s out via networksetup listallhardwareports
method.MethodClass.getIPAddress getifaddrs()
method.MethodClass.clearTrace Uses NSFileManager’s removeItemAtPath to clear various logs
method.MethodClass.serialNumber Uses IOServiceGetMatchingService and IOPlatformExpertDevice to grab kIOPlatformSerialNumberKey
method.MethodClass.getSystemVersion Uses NSDictionary(contentsOfFile: “/System/Library/CoreServices/SystemVersion.plist”) and grabs the objectForKey:”ProductVersion”
method.MethodClass.getSystemDate Retrieves the time relative to Asia_Shanghai timezone
method.MethodClass.getUserName Calls NSFullUserName()
method.MethodClass.getWifiName Uses the CWWiFiClient shared instance to get the SSID property from interface()
DazzleSpy disassembly for discovering the victim’s Wifi client SSID
DazzleSpy disassembly for discovering the victim’s Wifi client SSID

7. Pasteboard Contents

The pasteboard or clipboard as it’s more generally known, stores text, images and other data in memory when the user executes the copy function available in applications and system-wide via the keyboard hotkey “Cmd-C”.

The pasteboard is attractive to malware authors as a target for data such as passwords, cryptocurrency addresses and other data either to steal or to replace. For example, some cryptocurrency stealers will monitor for the user copying a wallet address to the pasteboard and then replace it with one belonging to the attacker.

Grabbing and writing to the pasteboard is relatively easy as Apple provides the Foundation framework NSPasteboard APIs as well as the Unix command-line utilities pbcopy and pbpaste for this very purpose.

A good example of Pasteboard leverage is provided by the EggShell RAT. This customized version was used in XcodeSpy malware.

The getPasteBoard function in the EggShell RAT used in XcodeSpy
The getPasteBoard function in the EggShell RAT used in XcodeSpy

XLoader similarly uses NSPasteboard, but attempts to hide the strings on the stack.

Stack strings seen in Xloader Info Stealer on macOS
Stack strings seen in Xloader Info Stealer on macOS

Mitigations and Opportunities for Detection

As Macs have become increasingly popular in the enterprise among leadership and development teams, the more important the data stored on them is to attackers.

Mitigations for all these kinds of attacks begin with an endpoint security solution that can both block known and unknown malware and also offer security teams visibility into what is happening on the device.

Threat hunters should regularly monitor for processes attempting to access keychain, SSH and other file paths discussed above.

SentinelOne customers can take advantage of PowerQuery and STAR rules to rapidly hunt for and alert on suspicious events relating to sensitive user data.

Although macOS’s TCC mechanism leaves much to be desired, it is nevertheless important to keep macOS endpoints up to date as Apple regularly patches TCC and other vulnerabilities reported by researchers as well as those actively seen in the wild.


Stealing data is not the only objective malware and malware authors may have in mind, but it is usually involved somewhere along the chain of compromise, either as a means to an end or an end in itself. On macOS, data protection has become increasingly important as the platform has gained popularity in enterprise environments.

Awareness of the kind of data recent malware targets and the ways in which that data is accessed by malicious processes is a crucial part of better equipping security teams to defend the organization’s assets.

If you would like to learn more about how SentinelOne Singularity and its native architecture agent can protect your macOS fleet, contact us or request a free demo.

Indicators of Compromise



EggShell RAT



Pureland InfoStealer