A gloved hand reaches for two black devices on a
Crypto

SlowMist details macOS infostealer that reuses Telegram Desktop sessions to reach wallets

The chain pairs Telegram session takeover with Keychain and wallet-data harvesting, enabling offline decryption or fake Ledger/Trezor apps.

By AI News Crypto Editorial Team4 min read

SlowMist disclosed a macOS information-stealing malware that can hijack Telegram Desktop by copying and reusing already-authenticated local session data. The same campaign is designed to pivot from stolen credentials into multi-wallet theft via offline decryption attempts or fake Ledger and Trezor applications.

Key Takeaways

  • A macOS infostealer can take over Telegram Desktop by copying authenticated local session data and restoring it on another Mac.
  • Telegram’s two-step verification does not stop this specific takeover path when an attacker reuses an existing session artifact.
  • The malware harvests macOS Keychain secrets, Safari cookies, Apple Notes, Telegram Desktop data, and wallet databases tied to more than a dozen wallets.
  • Stolen wallet access can be monetized either by offline decryption using harvested passwords or by swapping in fake Ledger Live and Trezor Suite apps to capture recovery phrases.

SlowMist Reproduces Telegram Desktop Session Reuse on macOS

SlowMist said it reproduced an attack chain in an isolated environment where a macOS infostealer hijacks Telegram Desktop without performing a fresh login. The mechanism is session reuse: the malware copies local Telegram Desktop session data that already represents an authenticated state, then that session state can be restored on another Mac.

In tests, researchers restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code or two-step verification password. That detail matters for operational security because it frames Telegram two-step verification as a login hardening layer, not a defense against a compromised endpoint where session artifacts can be exfiltrated.

SlowMist summarized the limitation directly: “Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login.”

How the Infostealer Harvests Keychain, Cookies, Notes, and Wallet Databases

The campaign is not narrowly built around Telegram. SlowMist described a broad macOS data sweep that pulls from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop, and databases associated with more than a dozen cryptocurrency wallets.

After collecting passwords and authenticated sessions, the malware copies users’ authenticated Telegram Desktop session data, wallet databases and browser wallet extension data. The target set spans multiple custody styles, suggesting the operator is optimizing for whatever is present on a victim’s Mac rather than betting on one wallet type.

SlowMist said the malware targets software wallets including Exodus, Atomic, Electrum, Wasabi and Monero. It also goes after hardware wallet companion apps, naming Ledger Live and Trezor Suite, and searches for wallet data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core.

Two Theft Paths: Offline Wallet Decryption vs Fake Ledger/Trezor Apps

SlowMist outlined two distinct monetization paths once the data is harvested.

The first is direct wallet-file compromise. Attackers can attempt to decrypt stolen wallet databases offline using passwords harvested from the infected device. That turns a one-time endpoint compromise into a longer-lived cracking attempt that no longer requires access to the victim’s machine.

The second is recovery-phrase capture through app replacement. SlowMist said attackers can replace legitimate Ledger and Trezor applications with fake versions that trick users into entering their recovery phrases. A seed phrase is total control, so this path is designed to bypass the protections users expect from hardware wallets by targeting the companion software and the user’s behavior.

What Would Confirm Wider Risk: IOCs, Infection Vector, and Follow-on Telegram Abuse

The excerpt did not include a malware family name, operator attribution, indicators of compromise such as hashes, domains, or file paths, or any victim counts. Those gaps are the difference between a contained technique write-up and a campaign traders can actively hunt for across fleets.

The next confirming signals are straightforward. First, whether SlowMist or other researchers publish IOCs or a family label that allows defenders to cluster cases. Second, disclosure of the distribution vector, including whether the initial infection is coming from trojanized apps, phishing, or malvertising, and whether it is being aimed at crypto-heavy Telegram circles.

Third, any follow-on incident reports that explicitly cite restored Telegram Desktop sessions as the access method, rather than new logins. Fourth, updates from Telegram Desktop, Ledger Live, or Trezor Suite that address session-artifact reuse or the app-replacement pattern.

Why Telegram Session Control Is a Trading-Workflow Risk Multiplier

I treat this as a workflow risk, not just an account-security footnote. Telegram Desktop is where deal flow, OTC intros, and “quick confirm” operational messages happen, and session control gives an attacker a credible voice inside that channel.

The threshold that matters is whether this evolves from a single reproduced chain into a named family with IOCs and a known distribution path. If that holds, the setup starts to look structural rather than narrative-driven because Telegram session reuse plus multi-wallet harvesting creates multiple independent ways to reach funds, even after a user rotates passwords.

Sources