
Realst Mac malware targets macOS Sonoma; here’s how to stay safe

Coming on the heels of ShadowVault, a new infostealer dubbed “Realst” is being embedded in fake blockchain games by cybercriminals in a massive campaign targeting Windows and macOS users, including those on macOS 14 Sonoma.

First discovered by security researcher iamdeadlyz earlier this month, the infostealer is being spread to Windows and macOS users via fake blockchain games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

An analysis by SentinelOne found that not only was the new malware written in Rust, a highly praised up-and-coming programming language, but some variants are already targeting macOS 14 Sonoma ahead of its public release in the fall.

One of the fake blockchain games with Realst malware. Source: iamdeadlyz.gitbook.io

“About a third of the samples we identified contain strings targeting macOS 14 Sonoma,” according to SentinelOne. “It is not clear at this point how differences between Sonoma and Ventura would affect execution of the malware – a question it seems the malware authors are themselves seeking to determine.”

The repeated mention of Sonoma in the malware’s code shows the authors’ intent to keep the campaign running through the public release of Apple’s latest version of macOS.

Furthermore, iamdeadlyz pointed out that the games are advertised on malicious websites and on social media such as Twitter. Each game has its own Discord and Twitter accounts to build a sense of legitimacy, and, unfortunately, some people have fallen for it.

What can Realst compromise?

Realst silently works in the background of compromised macOS devices, capable of scraping all sorts of web browser data, including stored passwords, to send back to the threat actors.

The targeted web browsers include Firefox, Chrome, Opera, Brave and Vivaldi. “Safari was not targeted in any of the samples we analyzed,” stated SentinelOne. Is this a reflection of Apple’s security posture around its web browser? I’ll leave that up to you.

Most notably, the malware can also completely empty cryptocurrency wallets within minutes. This is the most immediate effect after becoming infected.

Tweets from a Realst victim. Source: iamdeadlyz.gitbook.io

How to protect yourself against Realst and other malware

Apple pre-installs many valuable background services on every Mac to protect you from what lurks on the internet, but often these aren’t enough.

While you may already know many of these tips, I think it’s important to repeat them for the masses.

  • Do your due diligence before installing anything outside the official Mac App Store
  • Hover over and confirm links before opening them
  • Use strong, complex passwords and 2-step authentication (non-SMS if possible, OTP is best)
  • Exercise caution when granting permissions on your Mac
  • Keep your devices and applications up-to-date
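One concrete form of the “due diligence” tip above is to ask Gatekeeper whether a downloaded app is notarized before you open it. This is an added example, not code from 9to5Mac, SentinelOne or iamdeadlyz; it assumes the verbose text format of macOS’s `spctl --assess`, and the `Game.app` path is a constructed placeholder.

```python
"""Check whether a downloaded macOS app bundle passes Gatekeeper before
installing it. Assumes the output format of
`spctl --assess --type execute --verbose` on current macOS (assumption)."""
import re
import subprocess
import sys

# Sources that mean Apple actually checked the developer identity.
ACCEPTED_SOURCES = {"Notarized Developer ID", "App Store"}


def parse_spctl(output: str) -> dict:
    """Turn spctl's verbose assessment text into a verdict.

    spctl prints lines such as "/path/Game.app: accepted" followed by
    "source=Notarized Developer ID", or "rejected" followed by
    "source=no usable signature" (assumed format).
    """
    verdict = {"accepted": False, "source": "", "override": False, "install": False}
    m = re.search(r":\s*(accepted|rejected)", output)
    if m:
        verdict["accepted"] = m.group(1) == "accepted"
    s = re.search(r"^source=(.+)$", output, re.MULTILINE)
    if s:
        verdict["source"] = s.group(1).strip()
    # An "override=" line means the user or an admin has disabled or bypassed
    # Gatekeeper, so "accepted" carries no information about the developer.
    verdict["override"] = bool(re.search(r"^override=", output, re.MULTILINE))
    verdict["install"] = (
        verdict["accepted"]
        and not verdict["override"]
        and verdict["source"] in ACCEPTED_SOURCES
    )
    return verdict


def assess_app(path: str) -> dict:
    """Run Gatekeeper's assessment on an app bundle (macOS only)."""
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose", path],
        capture_output=True, text=True,
    )
    # spctl reports on stderr on some releases, so merge both streams.
    return parse_spctl(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Placeholder path; pass the real bundle as the first argument.
    result = assess_app(sys.argv[1] if len(sys.argv) > 1 else "/Applications/Game.app")
    print(result)
    sys.exit(0 if result["install"] else 1)
```

A rejected or unsigned verdict does not prove an app is malicious, but a game that asks you to bypass that verdict is exactly the pattern described in this article.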

How to check your Mac for malware

If you’re interested in performing a thorough checkup on your Mac, check out our guide here:
