macOS Malware Hijacks Telegram Sessions and Crypto Wallets

Article Highlights
Off On

The long-standing myth that the macOS ecosystem remains an impenetrable fortress against sophisticated cyber threats has been decisively shattered by a new wave of information-stealing malware. Security researchers at SlowMist have identified a highly targeted operation that bypasses traditional security barriers like Two-Factor Authentication (2FA) by hijacking active Telegram sessions and draining cryptocurrency wallets. Instead of focusing on brute-force attacks or simple phishing, this malware weaponizes authenticated state data to grant attackers seamless access to private communications. This shift in strategy highlights a critical vulnerability in how desktop applications manage persistent login states on local storage. By prioritizing the theft of session tokens over passwords, threat actors have found a way to remain invisible while operating with the full authority of the victim. This development marks a significant escalation in the ongoing battle for endpoint security, forcing a reevaluation of how users protect their most sensitive digital assets in 2026.

Hijacking the Foundation: The Mechanics of Session Theft

The technical core of this attack revolves around the exploitation of specific directory structures within the macOS Library, specifically targeting the “tdata” folder used by the Telegram Desktop client. This folder is essentially the brain of the application, containing the encrypted keys and map data required to maintain a logged-in state without requiring a user to re-authenticate every time the program opens. When the malware gains access to this directory, it exfiltrates the entire contents to a remote server controlled by the attacker. By simply copying these files into a clean installation of Telegram on their own machine, the hacker can effectively clone the victim’s identity. This process allows the intruder to bypass the initial login gate where SMS codes or authenticator app prompts are typically required. Because the application believes it is simply resuming an existing session, the attacker gains immediate access to every chat history, private group, and contact list associated with the compromised account.

Authentication Bypass: The Illusion of Two-Factor Security

What makes this session hijacking particularly insidious is that it renders even the most robust Two-Factor Authentication protocols completely moot once the local system is breached. Since the authentication handshake has already occurred on the victim’s machine, the stolen session data acts as a pre-approved pass that the Telegram servers treat as valid. Moreover, the malware developers have refined their techniques to ensure that these cloned sessions often do not trigger the standard security alerts that users expect when a new device logs in. In many documented cases, the hijacked sessions do not appear in the “Active Sessions” list within the application’s settings, leaving the user with no visual indication that their account is being monitored in real-time. This level of stealth allows attackers to silently observe conversations and gather intelligence for extended periods before taking overt action. It represents a fundamental shift in malware design, prioritizing long-term persistence and data exfiltration.

Systematic Harvesting: Targeted Data Extraction From the System

The reach of this malware extends far beyond just messaging applications, as it is designed to systematically harvest every piece of sensitive information stored on a macOS device. It aggressively targets the Apple Keychain, which serves as the central repository for system-wide credentials, aiming to extract passwords that could grant access to cloud services and corporate networks. Chromium-based browsers such as Chrome and Brave are also primary targets, with the malware scraping saved login data, credit card information, and browser cookies that could facilitate further session hijacking on web platforms. Even the native Apple Notes application is not safe from scrutiny, as the malware scans for keywords related to recovery phrases, bank details, or plain-text passwords that users often mistakenly store for convenience. To overcome permission barriers, the malware frequently deploys deceptive system-level prompts that mimic legitimate macOS requests, tricking the user into providing their administrative password to escalate the infection’s capabilities.

Financial Exploitation: Malicious Clones and Wallet Drainage

Financial exploitation serves as the ultimate objective for this malware campaign, with a specific focus on the lucrative and often irreversible world of cryptocurrency. The malware is programmed to search for databases belonging to over a dozen different desktop wallet applications, seeking out private keys and transaction logs that can be used to drain assets. One of the most sophisticated tactics observed is the “application replacement” strategy, where the malware identifies a legitimate crypto wallet installed on the system and replaces it with a malicious clone. This rogue application looks and feels identical to the original, but its primary function is to capture the user’s recovery seed or mnemonic phrase when they attempt to perform a transaction. Once this critical information is captured, the attacker has permanent control over the funds, regardless of whether the user later changes their local application password. By operating at the application level rather than just the network level, the malware ensures that assets are at risk.

Detection Challenges: The Difficulty of Identifying Stealthy Incursions

Detecting this specific strain of malware is exceptionally challenging because its footprint on the system is minimal and its behavior often mimics legitimate administrative processes. Since the exfiltration of session data looks like standard application traffic, many traditional antivirus solutions that rely on signature-based detection may fail to identify the threat in its early stages. The lack of visibility into hijacked sessions within the Telegram interface itself further complicates the situation, as users are deprived of the most common tool they have for monitoring account security. This highlights a growing need for behavioral analysis tools that can monitor unauthorized access to sensitive directories like the Library folder. In the current landscape of 2026, security experts emphasize that endpoint protection must involve more than just passive scanning; it requires active monitoring of file system integrity and the use of sandboxing to isolate critical applications. Without these advanced measures, the silent theft of session tokens will continue to be a preferred method for targeted attacks.

Proactive Remediation: Securing the Digital Environment

To mitigate the risks posed by these evolving threats, users were advised to implement a “Local Passcode” within their Telegram settings, which added an essential layer of encryption to the local session files. This simple step ensured that even if the “tdata” folder was stolen, the contents remained unreadable to the attacker without the specific local password. Furthermore, any suspected compromise necessitated a total reset of the digital environment, starting with the rotation of all passwords stored in the Keychain and web browsers. Moving cryptocurrency to entirely new addresses generated on a clean, air-gapped device became a standard procedure for protecting remaining assets after an infection was identified. Security professionals also stressed the importance of verifying the integrity of all software sources and maintaining a high level of skepticism toward unexpected system prompts requesting administrative rights. By adopting a proactive and layered defense strategy, individuals and organizations successfully reduced their attack surface and protected their private communications from being exploited.

Explore more

VodafoneThree Drives 5G Innovation With Network Automation

The rapid expansion of 5G Standalone infrastructure across the United Kingdom has necessitated a fundamental shift in how telecommunications giants manage the increasing complexity of modern cellular traffic. As VodafoneThree consolidates its dominant market position throughout 2026, the implementation of sophisticated network automation tools has transitioned from a competitive advantage to an absolute operational necessity. By moving away from legacy

Vulnerable Microsoft-Signed Shims Allow Secure Boot Bypass

The fundamental promise of UEFI Secure Boot relies on a chain of trust that ensures only verified, cryptographically signed code executes during the critical early stages of a computer’s power-on sequence. When this chain is compromised, the entire security foundation of a modern computing environment is placed at significant risk. Recent discoveries have highlighted vulnerabilities within several versions of the

Can GhostPairing Hijack Your WhatsApp Without a Password?

Digital communication platforms have long relied on the assumption that a physical device remains in the possession of its rightful owner, yet recent developments in GhostPairing techniques suggest that this confidence might be misplaced in the current cybersecurity landscape. As users increasingly demand seamless synchronization across multiple devices, the underlying architecture of messaging applications like WhatsApp has evolved to accommodate

JetBrains Patches Critical Flaws in IntelliJ IDEA and TeamCity

Modern software development is heavily dependent on the integrity of integrated development environments and automated build pipelines that bridge the gap between initial code and production. The recent disclosure of critical vulnerabilities in JetBrains IntelliJ IDEA and TeamCity has emphasized the high stakes involved in maintaining these foundational tools against sophisticated exploitation attempts. These flaws, which included potential remote code

Is the Telecom Industry Ready for the AI-RAN Era?

Dominic Jainy is a seasoned IT professional whose career has been defined by the intersection of telecommunications and emerging intelligence. With a deep background in machine learning and blockchain, he has spent years analyzing how decentralized technologies can transform traditional infrastructure. As the industry stands on the precipice of the AI-RAN revolution, Jainy provides a critical perspective on how global