Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application for managing crypto assets via Ledger cold wallets.
Since August 2024, Moonlock Lab has been tracking a malware campaign that initially focused on stealing passwords and wallet details but has now evolved to extract seed phrases, enabling attackers to drain victims’ funds.
This surge in sophisticated attacks, arriving in the same period as high-profile incidents such as the recent Bybit heist, highlights how attackers now exploit the trust users place in cold-wallet tooling: because the hardware keeps private keys offline, the user rather than the device becomes the target.
With four active campaigns currently underway, the crypto community faces heightened risk as threat actors refine their phishing lures and malware delivery mechanisms to work around, rather than break, Ledger Live’s defenses.
Sophisticated Phishing Campaigns
The evolution of these attacks is exemplified by the Atomic macOS Stealer (AMOS), which deploys a fake Ledger Live app through a malicious DMG file, such as JandiInstaller.dmg.
Once installed, it replaces the legitimate app and displays deceptive alerts about “suspicious activity” or “critical errors,” tricking users into entering their 24-word seed phrases.
These phrases are then POSTed to attacker-controlled servers via dedicated endpoints such as hxxps://aimplyhired.com/receive.php.
Another notable threat, the Odyssey stealer attributed to the actor Rodrigo, has used more advanced phishing pages since March 2025: it reads the victim’s username from local file-system paths and presents convincing error messages to lure the victim into typing the phrase.

Meanwhile, dark web forums buzz with chatter about “anti-Ledger” features, as seen in posts by @mentalpositive, although the latest samples from that actor lack the advertised phishing capabilities, suggesting that updates are still to come.
From Data Theft to Seed Phrase Heists
A campaign uncovered by Jamf Threat Labs involves a DMG file hosted at hxxp://138.68.93.230/Ledger-Live.dmg that uses PyInstaller-packed binaries to hinder static detection and loads its phishing pages inside iframes.
These multi-stage attacks often combine AppleScript and Python to harvest sensitive data, from browser credentials to crypto wallet configurations, before exfiltrating it to command-and-control (C2) servers.
Techniques such as VM detection to avoid sandboxes, and fake system dialogs that trick the user into typing the account password (and with it handing over sudo privileges), underscore the technical sophistication of these threats.
The AMOS campaign, in particular, orchestrates an elaborate con by terminating the legitimate Ledger Live app, installing a trojanized version, and guiding users through a series of phishing pages that culminate in seed phrase theft.
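The behaviours described above (a fake password dialog, the legitimate wallet app being killed, PyInstaller-packed Python running from a temp directory, and a hardware fingerprint check) leave process-execution traces that a detection rule can correlate. The following is an added example, not code from Moonlock, Jamf or the article: it runs a handful of regex rules over constructed process events in a simple "timestamp pid ppid command" form that stands in for EDR or unified-log output. The `_MEI` directory name is PyInstaller's real extraction prefix; treating `system_profiler SPHardwareDataType` as a VM fingerprint is an assumption about a commonly used check, not a documented detail of these campaigns.

```python
import re
from collections import defaultdict

# Constructed process-execution events (not real telemetry). Format: "timestamp pid ppid command".
SAMPLE_EVENTS = [
    "2025-05-20T10:12:01Z 4410 812 /usr/bin/osascript -e 'display dialog \"macOS needs your password to repair Ledger Live\" default answer \"\" with hidden answer'",
    "2025-05-20T10:12:02Z 4412 812 /usr/bin/killall Ledger Live",
    "2025-05-20T10:12:05Z 4415 812 /private/var/folders/zz/T/_MEI4415/python3 -c 'import base64, urllib.request'",
    "2025-05-20T10:12:09Z 4420 812 /usr/sbin/system_profiler SPHardwareDataType",
    "2025-05-20T10:13:00Z 4501 1 /usr/bin/osascript -e 'display notification \"Build finished\"'",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<pid>\d+) (?P<ppid>\d+) (?P<cmd>.+)$")

# Each rule is a regex applied to the command line of one event.
RULES = {
    # osascript "display dialog ... with hidden answer" is a password-style prompt drawn by a script.
    "credential_prompt": re.compile(r"osascript.*display dialog.*hidden answer"),
    # "with administrator privileges" makes osascript itself raise an auth prompt.
    "admin_prompt": re.compile(r"osascript.*with administrator privileges"),
    # Killing the real wallet app before launching a trojanized copy.
    "kill_wallet_app": re.compile(r"\b(killall|pkill)\b.*Ledger Live"),
    # PyInstaller one-file binaries unpack into a _MEI<pid> temp directory.
    "pyinstaller_tmp": re.compile(r"/_MEI\d+/"),
    # Assumed VM/sandbox fingerprinting commands (hardware model lookups).
    "vm_fingerprint": re.compile(r"system_profiler SPHardwareDataType|sysctl .*hw\.model"),
}


def parse_event(line):
    """Parse one constructed event line; return None for lines that do not fit the format."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["ppid"] = int(ev["ppid"])
    return ev


def detect(events):
    """Return one hit per (rule, event) pair that matched."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.append({"rule": name, "pid": ev["pid"], "ppid": ev["ppid"], "ts": ev["ts"]})
    return hits


def correlated_parents(hits):
    """Parent PIDs whose children both killed the wallet app and drew a password prompt.
    A single rule firing is noisy on its own; the combination is the trojanized-app pattern."""
    rules_by_parent = defaultdict(set)
    for h in hits:
        rules_by_parent[h["ppid"]].add(h["rule"])
    wanted = {"credential_prompt", "kill_wallet_app"}
    return {ppid for ppid, rules in rules_by_parent.items() if wanted <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} pid={h['pid']} ppid={h['ppid']} {h['rule']}")
    print("suspicious parent processes:", correlated_parents(found))
```

In practice the event lines would come from an EDR process-creation feed or `log show --predicate 'process == "osascript"'`; the correlation step is what keeps a developer's harmless `display dialog` from paging anyone.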

These pages dynamically generate input fields for the recovery phrase, base64-encode the submitted data before transmitting it, and display misleading messages such as “App corrupted” to delay suspicion.
According to the report, this direct assault on Ledger Live’s security, which otherwise keeps the seed phrase beyond the reach of typical malware (it lives on the hardware device and is never exposed to the host), demonstrates how attackers rely on social engineering to bypass technical safeguards.
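The exfiltration step described for both the AMOS and Jamf-reported campaigns, a base64-encoded recovery phrase submitted by HTTP POST, is something a web proxy or DLP rule can look for. Below is an added example, not code from the article or from the researchers it cites: it parses a form-encoded POST body, tries each field both as plain text and after base64 decoding, and flags anything shaped like a BIP39 phrase (12, 18 or 24 lowercase words of 3 to 8 letters). The field name `seed` and the form encoding are assumptions; the article only states that the data is base64-encoded and POSTed. The sample phrase is the first 24 words of the public BIP39 English list, a constructed test vector rather than a real wallet, and a production check should validate words against the full 2048-word list, which is not embedded here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Recovery phrases are 12, 18 or 24 words; BIP39 English words are lowercase, 3 to 8 letters.
PHRASE_LENGTHS = {12, 18, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed test vector: the first 24 words of the BIP39 English list, not a real wallet.
SAMPLE_PHRASE = (
    "abandon ability able about above absent absorb abstract absurd abuse access accident "
    "account accuse achieve acid acoustic acquire across act action actor actress actual"
)
# Constructed POST body in the shape the article describes: base64 of the phrase in a form field.
# The field name "seed" is an assumption; the article does not document parameter names.
SAMPLE_BODY = "user=jane&seed=" + quote(base64.b64encode(SAMPLE_PHRASE.encode()).decode())


def try_base64(value):
    """Return the decoded text if value is base64 of UTF-8 text, otherwise None.
    Missing padding is tolerated; a '+' that form decoding turned into a space is restored."""
    candidate = value.replace(" ", "+")
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_seed_phrase(text):
    """Cheap structural test: right word count, every word lowercase and 3-8 letters."""
    words = text.split()
    return len(words) in PHRASE_LENGTHS and all(WORD_RE.match(w) for w in words)


def inspect_post_body(body):
    """Map each form field that carries a phrase-shaped value to how it was encoded."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for encoding, candidate in (("plain", value), ("base64", try_base64(value))):
                if candidate and looks_like_seed_phrase(candidate):
                    findings[field] = {"encoding": encoding, "words": len(candidate.split())}
    return findings


if __name__ == "__main__":
    print(inspect_post_body(SAMPLE_BODY))
    print(inspect_post_body("user=jane&msg=hello+world"))
```

The word-shape heuristic will also match ordinary lowercase sentences of exactly 12, 18 or 24 short words, so on a busy proxy it belongs behind a first filter on destination (unknown hosts, bare IP addresses, `receive.php`-style endpoints) or combined with the wordlist check.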
As these campaigns proliferate, crypto owners must remain vigilant: download Ledger Live only from official sources, never type the 24-word recovery phrase into any app or website (Ledger Live never asks for it; the phrase is only ever entered on the hardware device itself), and stay informed via trusted research such as Moonlock Lab’s updates.
The growing interest in anti-Ledger schemes on dark web platforms signals that the next wave of attacks is already in motion, posing a persistent threat to millions of users worldwide.
Indicators of Compromise (IoCs)
| IoC Type | Value | Description |
|---|---|---|
| Hash (SHA-256) | a5255d7a4f7fb67a0682d1827cfba80c3e296b23b4ef450beea832c1292e12d8 | AMOS JandiInstaller.dmg; initiates the phishing flow |
| Hash (SHA-256) | 3992d69d17a2cd460c99f98f9dd1e61bc56ce362be1bab3d3a574c414a7b6ad2 | Malicious Ledger-Live.dmg from Jamf Threat Labs’ analysis |
| URL | hxxp://138.68.93.230/Ledger-Live.dmg | Download location of the malicious DMG |
| URL | hxxps://aimplyhired.com/receive.php | AMOS C2 endpoint for seed phrase exfiltration (HTTP POST) |
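The indicators above are only useful if they get checked against something. The following is an added example, not from the article or the cited researchers: it hashes candidate DMG files (for instance everything in ~/Downloads) against the two SHA-256 values, and compares a list of URLs, such as those recorded by macOS quarantine metadata, against the two URLs after undoing the hxxp defanging. The only data it creates itself is a throwaway file used to prove the hashing path works; nothing here fetches or executes the samples.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the table above.
IOC_HASHES = {
    "a5255d7a4f7fb67a0682d1827cfba80c3e296b23b4ef450beea832c1292e12d8": "AMOS JandiInstaller.dmg",
    "3992d69d17a2cd460c99f98f9dd1e61bc56ce362be1bab3d3a574c414a7b6ad2": "Ledger-Live.dmg (Jamf Threat Labs)",
}
IOC_URLS = {
    "hxxp://138.68.93.230/Ledger-Live.dmg",
    "hxxps://aimplyhired.com/receive.php",
}


def refang(url):
    """Turn a defanged hxxp(s):// indicator back into a comparable http(s):// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def sha256_file(path):
    """Stream a file through SHA-256 so multi-hundred-MB DMGs do not get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(paths, hashes=IOC_HASHES):
    """Return a match record for every existing file whose SHA-256 is in the indicator set."""
    matches = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        if digest in hashes:
            matches.append({"path": path, "sha256": digest, "ioc": hashes[digest]})
    return matches


def sweep_urls(seen_urls, iocs=IOC_URLS):
    """Return the subset of seen_urls that equals a (refanged) indicator URL."""
    bad = {refang(u) for u in iocs}
    return sorted(u for u in seen_urls if u in bad)


def dmg_candidates(directory):
    """All .dmg files directly inside a directory, e.g. the user's Downloads folder."""
    return [os.path.join(directory, n) for n in os.listdir(directory) if n.lower().endswith(".dmg")]


def demo_sweep():
    """Write a constructed throwaway file and sweep it against its own hash and the real IoCs.
    Returns (matches against its own hash, matches against IOC_HASHES); the latter must be empty."""
    data = b"constructed sample bytes, not a real DMG"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        digest = hashlib.sha256(data).hexdigest()
        return sweep_files([path], {digest: "constructed sample"}), sweep_files([path])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    downloads = os.path.expanduser("~/Downloads")
    if os.path.isdir(downloads):
        for m in sweep_files(dmg_candidates(downloads)):
            print(f"MATCH {m['path']} sha256={m['sha256']} ({m['ioc']})")
    print("self-check:", demo_sweep())
```

For the URL side, the download origins macOS records for quarantined files can be pulled with `sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineDataURLString from LSQuarantineEvent'` and fed to `sweep_urls`; a hash sweep alone misses a DMG that was downloaded, run and deleted.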