Security firm Guardz has identified a new macOS-targeting malware family named ShadowVault, crafted to exfiltrate sensitive data from Apple devices. The company reported the discovery on its website, stressing that ShadowVault operates covertly in the background to harvest information from a user’s computer without visible activity.
According to Guardz, ShadowVault is offered on dark web marketplaces for a monthly fee of $500, a price point that undercuts some competing tools designed to sweep up data from Apple systems, such as Atomic Stealer. This pricing strategy makes ShadowVault appealing to threat actors seeking an affordable option with robust capabilities.
Once active, ShadowVault can silently collect and transmit a broad range of data. It is described as able to grab passwords, cookies, payment card details, cryptocurrency wallets, and data held by browser extensions. It also targets messaging platforms, attempting to access Telegram accounts and other confidential information stored on the device. For an added fee, the malware is reported to be capable of signing itself with a certificate issued by an Apple developer, which would help it evade casual detection and appear legitimate to the system at runtime.
Researchers note that ShadowVault does not appear to compromise data from Safari in the current variant. Nevertheless, the broader risk is significant because any breach of third-party browsers and applications can expose credentials and session data used across many services. Beyond browser data, weaknesses in macOS Keychain could be exploited, potentially undermining login credentials, saved tokens, and other secure information across the operating system and iOS devices linked to the same user account.
Industry observers caution that users should assume malware of this kind is designed to remain hidden while expanding its reach across apps and services. The threat emphasizes the importance of robust endpoint protection, regular system updates, and disciplined security practices for macOS environments. It also underlines the value of credential hygiene, such as using unique passwords, enabling two-factor authentication where possible, and monitoring for unusual account activity across connected devices. Organizations and individuals are advised to review browser security settings, limit extension permissions, and periodically audit installed software for authenticity. In addition, developers and IT teams should consider implementing application whitelisting, trusted certificate management, and enhanced telemetry to detect anomalous behavior before data can be exfiltrated. (Guardz security brief, 2024)
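Detection logic of the kind the closing paragraph calls for, written as an added example for this article (not Guardz's or any vendor's code): it replays constructed file-open telemetry and flags any process that opens stores from two or more of the data categories named above (browser credential databases, the login Keychain, Telegram data, wallet files) without being their expected owner. The store paths, the owner process names and the log format are assumptions to tune per fleet.

```python
import re
from collections import defaultdict

# Constructed file-open telemetry in a simplified key=value form an endpoint sensor
# might emit (sample data written for this example, not real Guardz data).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z pid=412 proc=Google Chrome path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
2024-05-01T10:00:02Z pid=412 proc=Google Chrome path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
2024-05-01T10:00:05Z pid=77 proc=securityd path=/Users/alice/Library/Keychains/login.keychain-db
2024-05-01T10:00:30Z pid=2200 proc=backupd path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
2024-05-01T10:01:10Z pid=9031 proc=helper path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
2024-05-01T10:01:10Z pid=9031 proc=helper path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
2024-05-01T10:01:11Z pid=9031 proc=helper path=/Users/alice/Library/Keychains/login.keychain-db
2024-05-01T10:01:12Z pid=9031 proc=helper path=/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas
2024-05-01T10:01:13Z pid=9031 proc=helper path=/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>.+?) path=(?P<path>.+)$")

# Data stores the article lists as stealer targets, each with the process names
# assumed to open them legitimately (assumed paths and owners; tune to your fleet).
STORES = {
    "browser_store": (re.compile(r"Library/Application Support/(Google/Chrome|Chromium|BraveSoftware/Brave-Browser)/[^/]+/(Cookies|Login Data|Web Data)$"),
                      {"Google Chrome", "Chromium", "Brave Browser"}),
    "keychain": (re.compile(r"Library/Keychains/login\.keychain-db$"), {"securityd"}),
    "telegram": (re.compile(r"Library/Application Support/Telegram Desktop/tdata/"), {"Telegram"}),
    "wallet": (re.compile(r"Library/Application Support/(Exodus|Electrum)/"), {"Exodus", "Electrum"}),
}

def classify(path, proc):
    # Category name if `path` is a sensitive store opened by a non-owner process, else None.
    for name, (pattern, owners) in STORES.items():
        if pattern.search(path):
            return None if proc in owners else name
    return None

def detect_stealer_activity(log_text, min_categories=2):
    # Flag processes touching >= min_categories distinct store categories they do not own.
    # A single foreign read (e.g. a backup agent copying cookies) stays below the threshold.
    foreign = defaultdict(set)  # (pid, proc) -> set of foreign categories
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        cat = classify(m["path"], m["proc"])
        if cat:
            foreign[(m["pid"], m["proc"])].add(cat)
    return [{"pid": pid, "proc": proc, "categories": sorted(cats)}
            for (pid, proc), cats in foreign.items() if len(cats) >= min_categories]
```

On the sample, only pid 9031 crosses the threshold, touching all four categories; lowering `min_categories` to 1 also surfaces the backup agent, which is the noise the threshold is meant to suppress.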