The **Nova Stealer** malware campaign targets macOS users by replacing the legitimate **Ledger Live** and **Trezor Suite** cryptocurrency wallet applications with malicious counterparts. The attack begins with a dropper downloading a shell script (`mdriversinstall.sh`) from a C2 server, which establishes persistence through a hidden directory (`~/.mdrivers`) and a **LaunchAgent** (`application.com.artificialintelligence`). The scripts run inside detached `screen` sessions to stay out of sight, and the LaunchAgent relaunches them after every login, so the foothold survives reboots.

Key modules include:

- **`mdriversfiles.sh`**: Exfiltrates wallet data (e.g., Trezor Suite's `IndexedDB` store, Exodus' `passphrase.json`, Ledger Live's `app.json`).
- **`mdriversswaps.sh`**: Replaces the genuine wallet apps with **unsigned FAT Mach-O executables** (Swift-based) that render **phishing pages** (`wheelchairmoments[.]com`, `sunrisefootball[.]com`). The pages validate input against the **BIP-39/SLIP-39** word lists to harvest **recovery phrases** (12–33 words), log partial keystrokes (200–400 ms debounce) and report user activity in real time to `/track` endpoints.
- **`mdriversmetrics.sh`**: Conducts system reconnaissance (installed apps, running processes).

Victims unknowingly interact with the **counterfeit apps** (registered in the Dock via `PlistBuddy`), which leads to **full compromise of their cryptocurrency assets**. The modular design allows remote updates, extending the campaign's lifespan while evading static detection. The campaign focuses on **high-value targets** (crypto users); because recovery phrases are exposed, the result is **irreversible asset theft** and potentially **mass financial loss**.
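The swapped-in wallet apps are described above as unsigned FAT (universal) Mach-O binaries. One host-side check that does not depend on `codesign` is to walk the Mach-O load commands of the app's main executable and look for `LC_CODE_SIGNATURE` in every architecture slice. The script below is an added example written for this write-up, not code from the original page or from the malware; the sample binaries it builds are constructed stand-ins, and the `Contents/MacOS/<AppName>` layout assumed for the three wallet apps is an assumption.

```python
"""Flag an app whose main executable is a universal Mach-O with no embedded
code signature in any slice (the shape of Nova Stealer's counterfeit apps).

Added example, not from the original write-up. Sample binaries are constructed."""
import struct
from pathlib import Path

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O header magic (little-endian on disk)
FAT_MAGIC = 0xCAFEBABE     # universal binary container (big-endian header)
LC_CODE_SIGNATURE = 0x1D   # load command that points at the embedded signature
LC_SEGMENT_64 = 0x19
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C


def thin_has_code_signature(image: bytes) -> bool:
    """True if a single 64-bit Mach-O image carries an LC_CODE_SIGNATURE command."""
    magic, = struct.unpack_from("<I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a 64-bit Mach-O (magic {magic:#x})")
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)   # fields 5 and 6 of mach_header_64
    offset, end = 32, 32 + sizeofcmds                           # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        offset += cmdsize
    return False


def fat_slices(data: bytes) -> list:
    """Split a universal binary into (cputype, image) pairs; a thin image is one slice."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        cputype, = struct.unpack_from("<I", data, 4)
        return [(cputype, data)]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat_arch):   # fat_arch entries are 20 bytes each, big-endian
        cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append((cputype, data[off:off + size]))
    return slices


def signature_report(data: bytes) -> dict:
    """Map each architecture slice to whether it is signed."""
    return {cputype: thin_has_code_signature(img) for cputype, img in fat_slices(data)}


def is_unsigned_fat(data: bytes) -> bool:
    """Universal binary with no signed slice: matches the counterfeit-app description."""
    magic, = struct.unpack_from(">I", data, 0)
    return magic == FAT_MAGIC and not any(signature_report(data).values())


def check_app(app_path: Path) -> bool:
    """Assumes the usual bundle layout Contents/MacOS/<bundle name without .app>."""
    exe = app_path / "Contents" / "MacOS" / app_path.stem
    return is_unsigned_fat(exe.read_bytes())


# --- constructed sample binaries (not real wallet apps) ----------------------
def _thin_image(cputype: int, signed: bool) -> bytes:
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    cmds += struct.pack("<II", LC_SEGMENT_64, 72) + bytes(64)    # zeroed segment stub
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2,
                         2 if signed else 1, len(cmds), 0, 0)
    return header + cmds


def _fat_binary(images: list) -> bytes:
    table, blobs, off = b"", b"", 8 + 20 * len(images)
    for cputype, img in images:
        table += struct.pack(">IIIII", cputype, 0, off, len(img), 0)
        blobs += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + table + blobs


SIGNED_SAMPLE = _fat_binary([(CPU_TYPE_X86_64, _thin_image(CPU_TYPE_X86_64, True)),
                             (CPU_TYPE_ARM64, _thin_image(CPU_TYPE_ARM64, True))])
UNSIGNED_SAMPLE = _fat_binary([(CPU_TYPE_X86_64, _thin_image(CPU_TYPE_X86_64, False)),
                               (CPU_TYPE_ARM64, _thin_image(CPU_TYPE_ARM64, False))])

if __name__ == "__main__":
    print("signed sample  :", signature_report(SIGNED_SAMPLE))
    print("unsigned sample:", signature_report(UNSIGNED_SAMPLE), "-> suspicious:", is_unsigned_fat(UNSIGNED_SAMPLE))
    for name in ("Ledger Live", "Trezor Suite", "Exodus"):   # assumed bundle names
        app = Path("/Applications") / f"{name}.app"
        if app.exists():
            print(f"{name}: unsigned FAT = {check_app(app)}")
```

Presence of `LC_CODE_SIGNATURE` only proves a signature blob exists (an ad-hoc signature counts); confirming the Developer ID and notarization still requires `codesign --verify --deep --strict` and `spctl --assess`. The absence of the command in a wallet app that shipped signed is the actionable signal here. 32-bit slices are not handled and raise.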
Source: https://gbhackers.com/nova-stealer/
Ledger cybersecurity rating report: https://www.rankiteo.com/company/ledgerhq
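The persistence chain in the summary above (hidden `~/.mdrivers` directory, the `application.com.artificialintelligence` LaunchAgent, detached `screen` sessions) can be hunted with a short triage script. The one below is an added example for this page, not code from the original report; the LaunchAgent plist and the `screen -ls` output it parses are constructed samples, and the exact command shape of the agent (`screen -dmS … bash ~/.mdrivers/…`) is an assumption, since the page names the directory and label but not the full command line.

```python
"""Triage a macOS user account for the Nova Stealer persistence chain.

Added example, not from the original write-up. Sample plist and screen
output are constructed; the agent command line is assumed."""
import plistlib
import re
import subprocess
from pathlib import Path

KNOWN_LABELS = {"application.com.artificialintelligence"}       # from the report
HIDDEN_HOME_DIR = re.compile(r"(?:~|/Users/[^/\s]+)/\.[^/\s]+")  # ~/.mdrivers/… and similar
SCREEN_DETACHED = re.compile(r"\bscreen\b(?:\s+\S+)*?\s+-[A-Za-z]*d")  # screen -dmS / screen -S x -d
DETACHED_LINE = re.compile(r"^\s+(\S+)\s+(?:\([^)]*\)\s+)?\(Detached\)", re.M)


def audit_launch_agent(plist_bytes: bytes) -> list:
    """Reasons this LaunchAgent looks like Nova Stealer persistence ([] = clean)."""
    agent = plistlib.loads(plist_bytes)
    reasons = []
    label = agent.get("Label", "")
    if label in KNOWN_LABELS:
        reasons.append(f"known malicious label {label!r}")
    argv = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    cmdline = " ".join(argv)
    if HIDDEN_HOME_DIR.search(cmdline):
        reasons.append(f"runs code from a hidden home directory: {cmdline}")
    if SCREEN_DETACHED.search(cmdline):
        reasons.append("spawns a detached screen session")
    if agent.get("RunAtLoad") and reasons:     # only worth noting once something else hit
        reasons.append("RunAtLoad=true: re-executes at every login")
    return reasons


def detached_screen_sessions(screen_ls_output: str) -> list:
    """Names of detached sessions in `screen -ls` output."""
    return DETACHED_LINE.findall(screen_ls_output)


def scan_host(agents_dir: Path = Path.home() / "Library" / "LaunchAgents") -> dict:
    """Live scan: LaunchAgents, the hidden staging directory, and running screens."""
    findings = {}
    for plist in agents_dir.glob("*.plist"):
        try:
            reasons = audit_launch_agent(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError, KeyError) as exc:
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[str(plist)] = reasons
    hidden = Path.home() / ".mdrivers"
    if hidden.is_dir():
        findings[str(hidden)] = ["staging dir present: " + ", ".join(sorted(p.name for p in hidden.iterdir()))]
    try:   # `screen -ls` exits non-zero when no sessions exist, so ignore the return code
        out = subprocess.run(["screen", "-ls"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    for name in detached_screen_sessions(out):
        findings[f"screen:{name}"] = ["detached screen session"]
    return findings


# --- constructed samples -----------------------------------------------------
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>application.com.artificialintelligence</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>screen -dmS mdrivers bash ~/.mdrivers/mdriversinstall.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SAMPLE_SCREEN_LS = """There are screens on:
\t12345.mdrivers\t(Detached)
\t12346.work\t(01/12/25 09:10:11)\t(Attached)
2 Sockets in /var/folders/xx/T/.screen.
"""

if __name__ == "__main__":
    print("sample agent :", audit_launch_agent(SAMPLE_PLIST))
    print("benign agent :", audit_launch_agent(BENIGN_PLIST))
    print("detached     :", detached_screen_sessions(SAMPLE_SCREEN_LS))
    for path, reasons in scan_host().items():
        print(path, "->", "; ".join(reasons))
```

The hidden-directory rule fires on any dotted directory under the home folder, so legitimate agents launched from `~/.config` or similar will show up; treat that hit as a prompt to read the script it points at rather than as a verdict. `screen -ls` only lists the invoking user's sockets, so run the triage as the victim account.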
"id": "LED5093550111925",
"linkid": "ledgerhq",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'cryptocurrency',
'location': 'global (macOS users)',
'name': 'Cryptocurrency Users (Ledger, Trezor, Exodus)',
'type': 'individuals'},
{'industry': 'cryptocurrency hardware wallets',
'name': 'Ledger',
'type': 'company'},
{'industry': 'cryptocurrency hardware wallets',
'name': 'Trezor',
'type': 'company'},
{'industry': 'cryptocurrency software wallets',
'name': 'Exodus',
'type': 'company'}],
'attack_vector': ['malicious shell script (mdriversinstall.sh) downloaded via '
'C2 (hxxps://ovalresponsibility[.]com)',
'persistent LaunchAgent '
'(application.com.artificialintelligence)',
'application swapping (replacing legitimate Ledger '
'Live/Trezor Suite with counterfeit versions)',
'phishing pages hosted on hxxps://wheelchairmoments[.]com '
'and hxxps://sunrisefootball[.]com'],
'customer_advisories': ['Users of Ledger Live, Trezor Suite, or Exodus on '
'macOS should verify application authenticity and '
'check for signs of tampering (e.g., unexpected Dock '
'icons, missing original applications).'],
'data_breach': {'data_encryption': ['none (data exfiltrated in plaintext via '
'HTTP POST)'],
'data_exfiltration': ['recovery phrases sent to /seed and '
'/seed2 endpoints',
'partial keystrokes logged with '
'200-400ms debounce',
'user activity beacons sent to /track '
'every 10 seconds'],
'file_types_exposed': ['JSON (passphrase.json, app.json, '
'seed.seco), IndexedDB, SQLite '
'(Launchpad databases)'],
'personally_identifiable_information': ['potentially linked '
'to wallet ownership '
'if recovery phrases '
'are tied to '
'identities'],
'sensitivity_of_data': 'extremely high (direct access to '
'cryptocurrency assets)',
'type_of_data_compromised': ['cryptocurrency wallet recovery '
'phrases',
'wallet configuration files '
'(passphrase.json, seed.seco, '
'app.json)',
'system reconnaissance data '
'(installed apps, processes)']},
'description': "A sophisticated new macOS malware campaign dubbed 'Nova "
"Stealer' has emerged, targeting cryptocurrency users through "
'an elaborate scheme that replaces legitimate wallet '
'applications (e.g., Ledger Live, Trezor Suite) with malicious '
'counterparts designed to harvest sensitive recovery phrases '
'and wallet data. The malware employs modular architecture, '
'detached screen sessions for stealth, and a persistent update '
'mechanism via a command-and-control (C2) server. It uses a '
"novel 'application swapping' technique to replace legitimate "
'apps with phishing versions that log keystrokes, exfiltrate '
'recovery phrases, and track user activity in real-time.',
'impact': {'brand_reputation_impact': ['potential loss of trust in '
'cryptocurrency wallet providers '
'(Ledger, Trezor, Exodus) due to '
'impersonation'],
'data_compromised': ['cryptocurrency wallet recovery phrases '
'(BIP-39/SLIP-39)',
'Trezor Suite IndexedDB files',
'Exodus wallet configuration '
'(passphrase.json, seed.seco)',
'Ledger Live app.json',
'installed applications list',
'running processes',
'wallet presence indicators'],
'identity_theft_risk': ['high (if recovery phrases are used to '
'drain wallets)'],
'operational_impact': ['unauthorized replacement of legitimate '
'applications with malicious counterparts',
'persistent background monitoring via '
'detached screen sessions',
'real-time exfiltration of keystrokes and '
'recovery phrases'],
'payment_information_risk': ['high (direct theft of cryptocurrency '
'assets)'],
'systems_affected': ['macOS systems with Ledger Live, Trezor '
'Suite, or Exodus wallets installed']},
'initial_access_broker': {'backdoors_established': ['persistent LaunchAgent '
'(application.com.artificialintelligence)',
'hidden directory '
'(~/.mdrivers) with '
'updateable scripts',
'detached screen sessions '
'for stealthy execution'],
'entry_point': 'malicious shell script '
'(mdriversinstall.sh) downloaded '
'from '
'hxxps://ovalresponsibility[.]com',
'high_value_targets': ['cryptocurrency wallet users '
'(Ledger, Trezor, Exodus)'],
'reconnaissance_period': ['extensive '
'(mdriversmetrics.sh '
'collects system/app '
'data)']},
'investigation_status': 'ongoing (analysis of artifacts and C2 '
'infrastructure)',
'lessons_learned': ['macOS malware is evolving with modular, updateable '
'designs that bypass traditional detection',
'application swapping techniques can bypass user scrutiny '
'by replacing trusted software',
'detached screen sessions and LaunchAgents provide '
'persistent, stealthy execution',
'phishing pages with BIP-39/SLIP-39 validation increase '
'credibility and harvest success rates',
'real-time keystroke logging and activity tracking enable '
'immediate exploitation of victims'],
'motivation': 'financial gain (theft of cryptocurrency via harvested recovery '
'phrases)',
'post_incident_analysis': {'corrective_actions': ['enhance macOS application '
'sandboxing to prevent '
'unauthorized replacements',
'improve detection of '
'detached screen sessions '
'and hidden directories '
'(e.g., ~/.mdrivers)',
'develop behavioral '
'signatures for modular '
'malware update mechanisms',
'collaborate with wallet '
'providers to implement '
'tamper-evident application '
'distributions'],
'root_causes': ['lack of application integrity '
'verification on macOS',
'abuse of legitimate macOS '
'features (LaunchAgents, screen '
'sessions) for persistence',
'user trust in Dock/Launchpad '
'icons as indicators of legitimacy',
'dynamic phishing pages that adapt '
'to recovery phrase formats '
'(BIP-39/SLIP-39)']},
'recommendations': ['verify cryptocurrency wallet application integrity '
'(e.g., code signing, checksums) before use',
'monitor for unusual LaunchAgents (e.g., '
'application.com.artificialintelligence) and detached '
'screen sessions',
'audit /Applications and ~/Library/LaunchAgents for '
'unauthorized modifications',
'use hardware wallets with physical confirmation for '
'recovery phrase entry',
'deploy endpoint detection solutions capable of '
'identifying process injection and screen session abuse',
'educate users on phishing risks, including fake wallet '
'applications and recovery phrase harvesting',
'block known malicious domains (ovalresponsibility[.]com, '
'wheelchairmoments[.]com, sunrisefootball[.]com)'],
'references': [{'source': 'GBHackers (GBH)'}],
'response': {'enhanced_monitoring': ['recommended: monitor for detached '
'screen sessions, unusual LaunchAgents, '
'and unsolicited application '
'replacements']},
'title': 'Nova Stealer macOS Malware Campaign Targeting Cryptocurrency Users',
'type': ['malware', 'phishing', 'data theft', 'cryptocurrency fraud'],
'vulnerability_exploited': ['user trust in legitimate cryptocurrency wallet '
'applications',
'lack of code signing verification for replaced '
'applications',
'persistent background execution via detached '
'screen sessions',
'abuse of LaunchAgents for persistence']}
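The data_breach section above describes the network side of the theft: recovery phrases POSTed in plaintext to `/seed` and `/seed2`, and `/track` beacons every 10 seconds. That cadence is detectable from an egress proxy log even before the phrase is sent. The script below is an added example, not code from the original page; the log format (epoch, client IP, method, host, path) and the sample lines are constructed, while the domains, paths and 10 s interval come from the report.

```python
"""Detect Nova Stealer exfiltration and beaconing in proxy logs.

Added example, not from the original write-up. Log format and sample
lines are constructed; IOC domains, paths and cadence come from the page."""
from collections import defaultdict
from statistics import median
from typing import NamedTuple, Optional

IOC_DOMAINS = {"wheelchairmoments.com", "sunrisefootball.com", "ovalresponsibility.com"}
SEED_PATHS = {"/seed", "/seed2"}     # recovery-phrase endpoints
BEACON_PATH = "/track"               # activity beacon, every ~10 s per the report
BEACON_PERIOD_S = 10.0
BEACON_TOLERANCE_S = 2.0
MIN_BEACONS = 4                      # need a few intervals before calling it periodic


class Request(NamedTuple):
    ts: float
    client: str
    method: str
    host: str
    path: str


class Alert(NamedTuple):
    severity: str
    client: str
    detail: str


def parse_line(line: str) -> Optional[Request]:
    """Constructed format: '<epoch> <client> <method> <host> <path>'. Bad lines -> None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    path = parts[4].split("?", 1)[0]                  # drop query string
    return Request(ts, parts[1], parts[2].upper(), parts[3].lower(), path)


def detect(lines) -> list:
    """Return alerts for seed exfiltration, periodic /track beacons and IOC contact."""
    requests = [r for r in map(parse_line, lines) if r is not None]
    alerts, contacted = [], set()
    beacons = defaultdict(list)                       # (client, host) -> timestamps
    for r in requests:
        if r.method == "POST" and r.path in SEED_PATHS and r.host in IOC_DOMAINS:
            alerts.append(Alert("critical", r.client, f"recovery phrase POST to {r.host}{r.path}"))
        elif r.path == BEACON_PATH:
            beacons[(r.client, r.host)].append(r.ts)
        elif r.host in IOC_DOMAINS and (r.client, r.host) not in contacted:
            contacted.add((r.client, r.host))
            alerts.append(Alert("high", r.client, f"contacted IOC domain {r.host}"))
    for (client, host), stamps in beacons.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)                         # median resists a single missed beacon
        if abs(period - BEACON_PERIOD_S) <= BEACON_TOLERANCE_S:
            severity = "high" if host in IOC_DOMAINS else "medium"
            alerts.append(Alert(severity, client, f"/track beacon to {host} every ~{period:.0f}s ({len(stamps)} hits)"))
    return alerts


# --- constructed sample log ---------------------------------------------------
SAMPLE_LOG = """\
1730000000 10.0.0.5 GET  wheelchairmoments.com /
1730000010 10.0.0.5 POST wheelchairmoments.com /track
1730000020 10.0.0.5 POST wheelchairmoments.com /track
1730000030 10.0.0.5 POST wheelchairmoments.com /track
1730000040 10.0.0.5 POST wheelchairmoments.com /track
1730000041 10.0.0.5 POST wheelchairmoments.com /seed?step=final
1730000000 10.0.0.7 GET  example.org /track
1730000300 10.0.0.7 GET  example.org /track
1730000900 10.0.0.7 GET  example.org /track
1730001500 10.0.0.7 GET  example.org /track
this line is malformed and must be skipped
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.client}: {a.detail}")
```

The beacon rule is deliberately domain-agnostic at medium severity: the report says the phishing pages are remotely updatable, so the hosting domains will rotate while the 10 s `/track` rhythm is baked into the page logic. Block the listed domains, but alert on the cadence.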