How to remove MacStealer from the operating system
Written by Tomas Meskauskas on (updated)
What kind of malware is MacStealer?
MacStealer is a type of information-stealing software that can obtain login credentials, cookies, and documents from a victim's web browser. It targets macOS versions from Catalina onwards, and can infect computers that use Intel M1 and M2 CPUs. MacStealer is for sale for $100 on a hacker forum.
MacStealer adware in detail
MacStealer can retrieve various files from compromised systems, including .bmp, .csv, .db, .doc, .docx, .jpg, .mp3, .pdf, .png, .ppt, .pptx, .py, .rar, .txt, .xls, .xlsx, and .zip. Additionally, it can extract login information, cookies, and credit card details from Firefox, Google Chrome, and Brave web browsers, as well as access the KeyChain database.
After gathering the stolen data, MacStealer compresses it into a ZIP file and uses a Python User-Agent request to send it to the command and control server (C2) via a POST request. To cover its tracks, MacStealer deletes the ZIP file and data from the victim's system during a cleanup operation.
At the same time, the software sends some of the extracted information to designated Telegram channels. Once the C2 server receives the ZIP file, it shares it with the threat actor's personal Telegram bot.
By using MacStealer, cybercriminals can access sensitive information and use it for identity theft and fraud, extort money from victims, hijack personal accounts, and more. Also, threat actors may use MacStealer to gather sensitive or embarrassing information about a victim and then threaten to release it unless a ransom is paid.
Additionally, the attackers can sell the stolen data obtained through MacStealer on underground markets or dark web forums, where other cybercriminals can purchase it for further malicious activities.
| Name | MacStealer stealer |
| Threat Type | Mac malware, Mac virus |
| Detection Names (Installer) | ESET-NOD32 (OSX/PSW.Agent.F), Google (Detected), Ikarus (Trojan-Spy.MacOS.Agent), Kaspersky (UDS:DangerousObject.Multi.Generic), Full List (VirusTotal) |
| Detection Names (Stealer) | Avast (MacOS:Agent-XQ [Trj]), Combo Cleaner (Trojan.MAC.Generic.111785), ESET-NOD32 (OSX/PSW.Agent.D), Kaspersky (HEUR:Trojan-PSW.OSX.HashBreaker.b), Full List (VirusTotal) |
| Symptoms | Your Mac becomes slower than normal. |
| Distribution methods | Deceptive pop-up ads, free software installers (bundling), torrent file downloads. |
| Damage | Internet browser tracking (potential privacy issues), loss of private information. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
More about adware
In conclusion, MacStealer is a dangerous malware that poses a significant threat to Mac users. Cybercriminals can misuse MacStealer in various ways to achieve their goals, such as identity theft, blackmailing, selling stolen data, and more. Thus, this malware should be eliminated from infected systems as soon as possible.
More examples of malware targeting Mac users are GIMMICK, DazzleSpy, and SysJoker.
How did MacStealer install on my computer?
A malicious actor employs a .DMG file to distribute the MacStealr malware. When a user runs the file, a false password prompt appears to collect passwords using the given command line. Upon entering the login information, the malware captures the data and saves it to a predetermined system directory.
The .DMG file containing the MacStealer malware can be distributed through various methods. The file can be uploaded to a malicious website, and users can be tricked into downloading it by clicking on a link or button that appears to be legitimate.
The .DMG file can be attached to a phishing email that is disguised as a legitimate email from a trusted source, such as a bank, a social media platform, or a shipping company. Also, The file can be uploaded to a P2P network, such as BitTorrent, and distributed to unsuspecting users who download it.
Cybercriminals can also use social engineering tactics, such as social media scams or fake software updates, to convince users to download and run the malicious .DMG file.
How to avoid installation of unwanted applications?
Download files from trusted sources, such as official websites or app stores. Avoid downloading files from unknown or untrusted sources. Keep software up to date. Install a reputable antivirus solution and keep it up to date. Avoid visiting suspicious or untrustworthy websites, and be cautious of pop-up ads or banners that appear on websites.
Be wary of unsolicited emails and messages that request you to click on a link or download a file. Always verify the legitimacy of the sender and the content of the message before clicking on any links or downloading any files. If your computer is already infected with MacStealer, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate this adware.
Fake password prompt that steals passwords:
Hacker forum used to promote MacStealer (source: uptycs[.]com):
Screenshot of a scam giveaway (promoted by a fake World of Creatures Twitter account) used to spread MacStealer (source: Trend Micro):
Screenshot of a website disguising MacStealer as a play-to-earn (P2E) game (source: Trend Micro):
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is MacStealer?
- STEP 1. Remove MacStealer related files and folders from OSX.
- STEP 2. Remove MacStealer ads from Safari.
- STEP 3. Remove MacStealer adware from Google Chrome.
- STEP 4. Remove MacStealer ads from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
MacStealer adware removal:
Remove MacStealer-related potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with MacStealer malware, should I format my storage device to get rid of it?
There is no necessity for such extreme actions, as it is possible to remove malware such as MacStealer without formatting. It can be achieved using a reputable antivirus solution.
What are the biggest issues that malware can cause?
Malware can be designed to steal sensitive information, such as login credentials, financial information, and personal data. Malware can damage or corrupt system files, encrypt files, create a network of infected computers, invade privacy, and more. The impact of malware can vary depending on the type and severity of the attack.
What is the purpose of MacStealer malware?
MacStealer steals file types from infected systems, such as .bmp, .csv, .db, .doc, .docx, .jpg, .mp3, .pdf, .png, .ppt, .pptx, .py, .rar, .txt, .xls, .xlsx, and .zip. Furthermore, it can retrieve login credentials, cookies, and credit card data from web browsers such as Firefox, Google Chrome, and Brave, and it can also access the KeyChain database.
How did MacStealer malware infiltrate my computer?
The MacStealer malware is distributed through a malicious .DMG file. It may be distributed via email, P2P networks, torrent sites or other shady websites, and other channels of this kind. Once the user executes the file, a fake password prompt is displayed to collect login credentials using a specified command line. After the user enters their password, the malware captures and stores the data in a pre-defined system directory.
Will Combo Cleaner protect me from malware?
Combo Cleaner has the ability to identify and remove nearly all known malware infections. However, it is important to note that sophisticated malware may be deeply embedded within the system, requiring a full system scan to detect and remove it effectively.
Outstanding!
▼ Show Discussion