Phishing Campaign Uses Fake BlueWallet Website to Distribute Credential-Stealing Malware to macOS Users

Fake BlueWallet Site Targets Mac Users with Crypto-Stealing Malware

MEDIUM
June 1, 2026
Categories: Phishing, Malware, Mobile Security

Related Entities

Products & Tech: BlueWallet, AppleScript, macOS


Executive Summary

Security researchers have identified a phishing campaign specifically targeting macOS users of the BlueWallet cryptocurrency wallet. The campaign uses a fraudulent website, update-bluewallet.com, which is a convincing clone of the legitimate bluewallet.io site. Victims are tricked into downloading and executing a malicious AppleScript file. The malware does not exploit a software vulnerability but relies on user interaction. Once run, it acts as a comprehensive infostealer, exfiltrating passwords, browser data, and crypto wallets. It also includes a clipboard hijacking function to steal cryptocurrency during transactions.


Threat Overview

This is a classic social engineering attack that preys on users' intentions to keep their software updated. The threat actor has set up a typosquatted domain that looks legitimate and automatically serves a malicious file.

The attack flow is as follows:

  1. A user visits the malicious site update-bluewallet.com.
  2. The site automatically downloads an AppleScript file.
  3. The user is prompted to open the file, which launches the macOS Script Editor.
  4. If the user clicks the "Run" button, the malicious script executes.

This multi-step process requires significant user interaction, but the convincing nature of the website can easily fool unsuspecting victims.

Technical Analysis

The core of the attack is a malicious script written in AppleScript, Apple's scripting language for macOS. Because the script runs only when the victim opens it and clicks "Run", the technique maps to MITRE ATT&CK User Execution (T1204).

Once executed, the malware performs several malicious actions:

  • Credential Stealing (T1555): It accesses and exfiltrates saved passwords from browsers and the macOS Keychain.
  • Data Theft: It searches for and steals documents and cryptocurrency wallet files from the user's home directory.
  • Clipboard Hijacking (T1115): This is the most dangerous component. The malware continuously monitors the system clipboard. When it detects a string that matches the pattern of a cryptocurrency wallet address, it silently replaces it with a hardcoded address controlled by the attacker. When the user pastes the address to send funds, they are unknowingly sending them to the thief.

Impact Assessment

Any user who falls victim to this attack must consider their system and all associated accounts fully compromised. The immediate impact is the theft of any cryptocurrency stored in local wallets and the potential loss of funds through the clipboard hijacking. The long-term impact is more severe, as the theft of all saved browser and system passwords gives the attacker access to the victim's email, social media, banking, and other online accounts. This can lead to widespread identity theft and financial fraud.

IOCs — Directly from Articles

Type: domain
Value: update-bluewallet.com
Description: Malicious phishing domain impersonating the official BlueWallet site.

Cyber Observables — Hunting Hints

For individual users and security teams, hunting for this activity involves looking for signs of the initial script execution.

Type: file_name
Value: *.scpt, *.applescript
Description: Look for recently downloaded AppleScript files in the user's Downloads folder.

Type: process_name
Value: Script Editor
Description: Check for recent execution of the Script Editor application, especially if the user does not normally use it.

Type: network_traffic_pattern
Value: Outbound connections from script processes
Description: Monitor for outbound network connections from processes like osascript or Script Editor to unknown destinations.
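The three hunting hints above can be turned into a small hunt script. The following is an added example written for this report, not code from the article or from BlueWallet: it lists recently modified AppleScript files under a directory and scans a batch of endpoint events for script interpreters (osascript, Script Editor) that were launched on a file from Downloads or that opened an outbound connection to a host outside an allowlist. The JSON-lines event schema (event, time, process, parent, args, dest_host, dest_ip, dest_port) and the sample events are constructed; map the field names to whatever your EDR or unified-log export produces.

```python
"""Hunt for recently downloaded AppleScript files and script interpreters
making outbound connections (added example; constructed event schema)."""
import json
import os
import time

APPLESCRIPT_SUFFIXES = (".scpt", ".applescript")
SCRIPT_PROCESSES = {"osascript", "script editor"}


def find_recent_applescripts(directory, max_age_days=7, now=None):
    """Return AppleScript files under `directory` modified within max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(APPLESCRIPT_SUFFIXES):
                continue
            path = os.path.join(root, name)
            try:
                if os.stat(path).st_mtime >= cutoff:
                    hits.append(path)
            except OSError:
                continue  # file vanished or unreadable; skip it
    return sorted(hits)


def hunt_events(event_lines, allowed_hosts=frozenset()):
    """Scan JSON-lines events and return findings for two hunting hints:
    a script interpreter launched on a file from Downloads, and a script
    interpreter connecting to a host that is not on the allowlist."""
    findings = []
    for raw in event_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        proc = str(ev.get("process", "")).lower()
        if proc not in SCRIPT_PROCESSES:
            continue
        kind = ev.get("event")
        if kind == "process_exec":
            script_args = [a for a in ev.get("args", [])
                           if a.lower().endswith(APPLESCRIPT_SUFFIXES)]
            if any("/downloads/" in a.lower() for a in script_args):
                findings.append({"time": ev.get("time"),
                                 "reason": "script_exec_from_downloads",
                                 "process": ev.get("process"),
                                 "detail": script_args[0]})
        elif kind == "network_connect":
            host = str(ev.get("dest_host") or "").lower()
            if host and host in allowed_hosts:
                continue
            dest = host or str(ev.get("dest_ip", "?"))
            findings.append({"time": ev.get("time"),
                             "reason": "script_outbound_connection",
                             "process": ev.get("process"),
                             "detail": f"{dest}:{ev.get('dest_port', '?')}"})
    return findings


# Constructed sample telemetry (not real data); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_EVENTS = [
    '{"event":"process_exec","time":"2026-06-01T10:02:11Z","process":"Script Editor",'
    '"parent":"launchd","args":["/System/Applications/Utilities/Script Editor.app/'
    'Contents/MacOS/Script Editor","/Users/alice/Downloads/BlueWallet-Update.scpt"]}',
    '{"event":"process_exec","time":"2026-06-01T10:02:40Z","process":"osascript",'
    '"parent":"Script Editor","args":["osascript","/Users/alice/Downloads/BlueWallet-Update.scpt"]}',
    '{"event":"network_connect","time":"2026-06-01T10:02:41Z","process":"osascript",'
    '"parent":"Script Editor","dest_host":"update-bluewallet.com","dest_ip":"203.0.113.10","dest_port":443}',
    '{"event":"network_connect","time":"2026-06-01T10:05:00Z","process":"curl",'
    '"parent":"Terminal","dest_host":"bluewallet.io","dest_ip":"203.0.113.20","dest_port":443}',
    '{"event":"network_connect","time":"2026-06-01T10:06:00Z","process":"osascript",'
    '"parent":"Automator","dest_host":"api.internal.example","dest_port":443}',
    "not json",
]

if __name__ == "__main__":
    for path in find_recent_applescripts(os.path.expanduser("~/Downloads")):
        print("recent AppleScript file:", path)
    for f in hunt_events(SAMPLE_EVENTS, allowed_hosts={"api.internal.example"}):
        print(f["time"], f["reason"], f["process"], f["detail"])
```

Run as a script it lists AppleScript files in your own Downloads folder and prints three findings from the constructed events (two executions of a script from Downloads, one outbound connection from osascript). The curl connection is ignored because only script interpreters are in scope, and the osascript connection to the allowlisted host is suppressed; tune `allowed_hosts` to your environment's legitimate automation endpoints.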

Detection & Response

  1. Endpoint Security: Modern macOS endpoint security solutions may detect the malicious script based on its behavior or signatures. D3FEND's File Analysis and Dynamic Analysis are key here.
  2. Browser Protection: Use web filtering tools that block access to known phishing and malicious domains like update-bluewallet.com.
  3. Incident Response: If a user is believed to have executed the script, the machine should be immediately isolated from the network. The user must change the passwords for all their online accounts (email, banking, etc.) from a separate, clean device. All cryptocurrency should be moved to a new, secure wallet.

Mitigation

  1. User Training (M1017): Educate users to only download software and updates from official websites and app stores. Teach them to be suspicious of unsolicited downloads and to manually verify domain names (bluewallet.io vs. update-bluewallet.com).
  2. Verify Addresses: Before sending cryptocurrency, always double-check the destination wallet address. After pasting, compare the first few and last few characters with the intended address to ensure it has not been modified by clipboard-hijacking malware.
  3. Use Hardware Wallets: For storing significant amounts of cryptocurrency, use a hardware wallet. These devices keep private keys offline and transactions must be confirmed on the physical device, making them immune to this type of malware.
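The clipboard hijacking described in the Technical Analysis and the paste-time check recommended in the mitigations above can be demonstrated together. The following is an added example, not code from the article or from BlueWallet: a small guard records what the user copied and compares it with the clipboard content at paste time, reporting a substitution when both strings look like addresses but differ. The address patterns cover Bitcoin legacy (1.../3...) and bech32 (bc1...) formats, an assumption since BlueWallet is a Bitcoin wallet, and are heuristics only; the sample addresses are a BIP173 test vector and a constructed variant with a different last character.

```python
"""Detect clipboard substitution of a cryptocurrency address
(added example; address heuristics and sample values are assumptions)."""
import re

ADDRESS_PATTERNS = [
    re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # P2PKH / P2SH, base58
    re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),        # bech32 / bech32m
]


def looks_like_crypto_address(text):
    """True if the text matches one of the address heuristics above."""
    text = text.strip()
    return any(p.match(text) for p in ADDRESS_PATTERNS)


def fingerprint(address, n=4):
    """The first and last characters the article tells users to check by eye."""
    if len(address) <= 2 * n:
        return address
    return f"{address[:n]}...{address[-n:]}"


class ClipboardGuard:
    """Compare copied text with the clipboard content observed at paste time."""

    def __init__(self):
        self._copied = None

    def on_copy(self, text):
        """Called when the user copies text (e.g. from a wallet's receive screen)."""
        self._copied = text

    def on_paste(self, clipboard_now):
        """Return (verdict, message); verdicts are 'ok', 'substituted', 'changed'."""
        copied = self._copied
        if copied is None or not looks_like_crypto_address(copied):
            return "ok", "no address was copied"
        if clipboard_now == copied:
            return "ok", f"address unchanged ({fingerprint(copied)})"
        if looks_like_crypto_address(clipboard_now):
            return "substituted", (f"copied {fingerprint(copied)} but clipboard now holds "
                                   f"{fingerprint(clipboard_now)}; possible hijack")
        return "changed", "clipboard content changed to something that is not an address"


# Constructed sample values (not indicators from the article).
LEGIT_ADDRESS = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"    # BIP173 test vector
SWAPPED_ADDRESS = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5"  # same prefix, different tail


def simulate():
    """Walk through a clean paste and a hijacked paste; return both verdicts."""
    guard = ClipboardGuard()
    guard.on_copy(LEGIT_ADDRESS)
    clean = guard.on_paste(LEGIT_ADDRESS)
    guard.on_copy(LEGIT_ADDRESS)
    hijacked = guard.on_paste(SWAPPED_ADDRESS)
    return clean[0], hijacked[0]


if __name__ == "__main__":
    print(simulate())  # prints ('ok', 'substituted')
```

Note that the swapped sample differs only in its last character, which is exactly why the article's advice to compare both the leading and the trailing characters matters: a prefix-only glance would pass it. A real guard would hook the copy and paste events of the wallet application rather than being driven by `simulate()`.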

Timeline of Events

  1. June 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Train users to be skeptical of unsolicited downloads and to verify website domain names before trusting them.

Use macOS security settings or an MDM solution to restrict the execution of unsigned or un-notarized applications and scripts.

Use a reputable endpoint security product for macOS that can detect and block malicious scripts and infostealers.

D3FEND Defensive Countermeasures

Deploy a web filtering solution or secure DNS service that performs real-time URL analysis and blocking. This is the first line of defense against the BlueWallet phishing attack. The service should maintain a blocklist of known malicious domains, which would include update-bluewallet.com. When the user attempts to visit the fraudulent site, the connection would be blocked, and a warning page displayed. This prevents the user from ever reaching the malicious content and downloading the malicious AppleScript, effectively stopping the attack at the earliest possible stage. This is far more effective than relying solely on user awareness to spot the fake domain.
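The blocklist and lookalike logic a web filter or secure DNS service applies can be sketched in a few functions. The following is an added example, not the article's code or any vendor's product: it normalizes a queried hostname, blocks it if it or any parent domain is on the blocklist, and flags hosts that carry the protected brand name without being under the legitimate domain. The blocklist contains only update-bluewallet.com (the indicator from the report) and bluewallet.io is the legitimate domain named there; the other hostnames in the sample batch are constructed.

```python
"""Blocklist and brand-lookalike check for a DNS or web filter
(added example; sample hostnames other than the report's are constructed)."""

LEGITIMATE_DOMAINS = {"bluewallet.io"}
BRAND_TOKENS = ("bluewallet",)
BLOCKLIST = {"update-bluewallet.com"}  # from the report; extend from threat feeds


def normalize(hostname):
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return hostname.strip().lower().rstrip(".")


def is_blocked(hostname, blocklist=BLOCKLIST):
    """Exact or parent-domain match: a.b.c is blocked if a.b.c, b.c or c is listed."""
    labels = normalize(hostname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def is_legitimate(hostname, legit=LEGITIMATE_DOMAINS):
    """True for the real domain and its subdomains."""
    host = normalize(hostname)
    return any(host == d or host.endswith("." + d) for d in legit)


def is_lookalike(hostname, tokens=BRAND_TOKENS):
    """A host that carries a protected brand name but is not under the real domain.
    Hyphens are removed so 'blue-wallet' is caught too; homoglyph tricks are not."""
    host = normalize(hostname)
    if is_legitimate(host):
        return False
    return any(t in host.replace("-", "") for t in tokens)


def classify(hostname):
    """Return 'block', 'suspicious' or 'allow' for a queried hostname."""
    if is_blocked(hostname):
        return "block"
    if is_lookalike(hostname):
        return "suspicious"  # log it and, depending on policy, show a warning page
    return "allow"


def filter_queries(hostnames):
    """Apply classify() to a batch of queried hostnames (e.g. a DNS query log)."""
    return {h: classify(h) for h in hostnames}


# Constructed sample batch of DNS queries.
SAMPLE_QUERIES = [
    "bluewallet.io",
    "www.bluewallet.io",
    "update-bluewallet.com",
    "cdn.update-bluewallet.com",
    "blue-wallet-login.example",
    "example.org",
]

if __name__ == "__main__":
    for host, verdict in filter_queries(SAMPLE_QUERIES).items():
        print(f"{verdict:10s} {host}")
```

The parent-domain walk in `is_blocked` is what stops a subdomain such as cdn.update-bluewallet.com from slipping past an exact-match list. The lookalike check is deliberately coarse: it is a trigger for logging or a warning page, not a block, because legitimate third parties (reviews, documentation sites) may also mention the brand in a hostname.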

For corporate macOS environments, implement a policy of executable allowlisting using a Mobile Device Management (MDM) or unified endpoint management (UEM) solution. Configure macOS to only allow the execution of applications and scripts that are signed by the Apple App Store or by identified, trusted developers. Since the malicious AppleScript in this attack would be unsigned and un-notarized, this policy would prevent it from running even if a user downloads it and tries to execute it. This shifts the security posture from trying to detect 'bad' to only allowing 'known good,' which is a highly effective strategy against malware delivered via social engineering.

Sources & References

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

Phishing, Malware, macOS, AppleScript, Cryptocurrency, BlueWallet, Clipboard Hijacking
