Cyber Security News

Poseidon Stealer Malware Attacking Mac Users via Fake DeepSeek Site

Cybersecurity researchers uncovered a sophisticated macOS malware campaign distributing the Poseidon Stealer through a counterfeit DeepSeek AI platform website. 

This malware-as-a-service (MaaS) operation employs advanced social engineering tactics combined with anti-analysis techniques to compromise sensitive user data, marking a significant escalation in macOS-targeted threats.

The attack chain begins with malvertising campaigns redirecting users to deepseek.exploreio[.]net, a domain hosting a near-perfect replica of the legitimate DeepSeek AI interface. 

Upon clicking “Download for Mac OS,” victims receive a DMG file named DeepSeek_v.[0-9].[0-9]{02}.dmg from the compromised domain manyanshe[.]com.

Fake DeepSeek site

The mounted DMG contains a malicious shell script masquerading as an application bundle:

This multi-stage payload leverages osascript to execute AppleScript commands that bypass macOS Gatekeeper protections by forcing execution through Terminal. 

The script copies a binary named .DeepSeek to /tmp, clears extended attributes with xattr -c, and marks it executable via chmod +x.

Anti-Analysis and Evasion Techniques

Poseidon Stealer implements layered anti-debugging measures; beyond the ptrace()-based check, a secondary check uses sysctl to inspect the P_TRACED flag in the process status.

Anti-debug via ptrace()

The malware terminates if usernames match common researcher aliases like “maria” or “jackiemac” through AppleScript validation. 

Post-execution, it runs disown; pkill Terminal to detach from the parent process and remove forensic artifacts.

Data Exfiltration Mechanisms

Poseidon harvests:

  • Chromium/Firefox credentials (cookies, passwords, credit cards)
  • Cryptocurrency wallet data from 127 targeted extensions including MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn) and Coinbase Wallet (hnfanknocfeofbddgcijnmhnfnkdnaad)
  • System keychain databases (/Library/Keychains/login.keychain-db)
  • Documents matching *.txt, *.pdf, *.wallet extensions

Harvested files ready for exfil

According to the report, a forged password dialog validates credentials before zipping the stolen data. Exfiltration occurs via curl POST requests to the C2 at 82.115.223[.]9/contact.

Mitigation Strategies

eSentire’s TRU team recommends:

  • Restricting osascript execution through MDM policies
  • Implementing NGAV solutions to detect and contain threats
  • User education on Terminal-based execution risks
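As an added example (not code from the article or from eSentire), the following Python sketch turns the execution chain described above, osascript driving Terminal, xattr -c and chmod +x on a hidden /tmp binary, pkill Terminal, and the POST to the C2, into detection logic run over constructed EDR-style events; the event field names and the sample command lines are assumptions, not a particular product's schema.

```python
import re

# Indicators from the article (defanging removed) and the hidden-binary pattern.
C2_HOST = "82.115.223.9"
HIDDEN_TMP = re.compile(r"/tmp/\.[\w.-]+")          # e.g. /tmp/.DeepSeek

# Constructed sample telemetry (not real captures); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 501, "ppid": 1, "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'tell application "Terminal" to do script "sh /Volumes/DeepSeek/install.sh"\''},
    {"type": "process", "pid": 502, "ppid": 501, "image": "/usr/bin/xattr",
     "cmdline": "xattr -c /tmp/.DeepSeek"},
    {"type": "process", "pid": 503, "ppid": 501, "image": "/bin/chmod",
     "cmdline": "chmod +x /tmp/.DeepSeek"},
    {"type": "process", "pid": 504, "ppid": 501, "image": "/tmp/.DeepSeek",
     "cmdline": "/tmp/.DeepSeek"},
    {"type": "process", "pid": 505, "ppid": 504, "image": "/usr/bin/pkill",
     "cmdline": "pkill Terminal"},
    {"type": "network", "pid": 504, "dst": "82.115.223.9", "method": "POST", "path": "/contact"},
    # Benign noise: listing attributes on an app bundle must not fire anything.
    {"type": "process", "pid": 600, "ppid": 1, "image": "/usr/bin/xattr",
     "cmdline": "xattr -l /Applications/Safari.app"},
]


def detect(events):
    """Return (rule, pid) findings for the Poseidon execution chain, in event order."""
    findings = []
    stripped = set()      # /tmp paths whose extended attributes were cleared
    hidden_pids = set()   # pids running a binary from `stripped`
    for e in events:
        if e["type"] == "process":
            cmd, argv = e["cmdline"], e["cmdline"].split()
            if e["image"].endswith("/osascript") and "Terminal" in cmd:
                findings.append(("osascript_drives_terminal", e["pid"]))
            if argv[:2] == ["xattr", "-c"] and (m := HIDDEN_TMP.search(cmd)):
                stripped.add(m.group(0))
                findings.append(("xattr_cleared_on_hidden_tmp", e["pid"]))
            if argv[:2] == ["chmod", "+x"] and any(p in argv for p in stripped):
                findings.append(("chmod_x_after_xattr_clear", e["pid"]))
            if e["image"] in stripped:
                hidden_pids.add(e["pid"])
                findings.append(("hidden_tmp_binary_ran", e["pid"]))
            if argv[:2] == ["pkill", "Terminal"] and e["ppid"] in hidden_pids:
                findings.append(("parent_terminal_killed", e["pid"]))
        elif e["type"] == "network":
            # Flag the known C2, or any POST made by a binary that was dropped to /tmp.
            if e["dst"] == C2_HOST or (e["pid"] in hidden_pids and e.get("method") == "POST"):
                findings.append(("exfil_post_to_c2", e["pid"]))
    return findings
```

The chmod and pkill rules only fire in context (after an xattr -c on the same path, or under a process born from that path), which keeps ordinary admin use of those commands quiet.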

This campaign demonstrates attackers’ growing sophistication in bypassing macOS security controls. 

The combination of social engineering, multi-stage payloads, and extensive data harvesting capabilities positions Poseidon Stealer as a critical threat to organizational and individual macOS users alike.

eSentire confirms active containment of infections across multiple enterprise networks, with ongoing monitoring for related IoCs.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
