TLDR
- SlowMist warned that macOS malware can hijack Telegram sessions.
- The malware copies authenticated Telegram Desktop session files.
- Telegram two-step verification does not stop stolen local sessions.
- Exodus, Atomic, Electrum, Ledger and Trezor apps are targeted.
- SlowMist urged users to end sessions and move funds to clean wallets.
MacOS users face a new security warning after SlowMist reported malware that can steal Telegram sessions and target crypto wallets.
SlowMist Warns of MacOS Crypto Malware
Blockchain security firm SlowMist said a macOS information-stealing malware can hijack Telegram Desktop sessions and collect crypto wallet data. The malware targets stored passwords, browser cookies, Apple Notes, macOS Keychain data, and local Telegram files.
The attack does not rely on breaking Telegram login codes. Instead, the malware copies an already authenticated local session, allowing attackers to restore access on another device without a phone number, verification code, or two-step verification password.
SlowMist said Telegram two-step verification “does not prevent the attack” because the malware reuses existing session files. That means attackers can bypass fresh login checks if they already have stolen session data from the infected Mac.
The firm reproduced the attack chain in an isolated test environment. Researchers found that attackers could use stolen Telegram Desktop files to access an account without triggering normal login steps.
Wallets and Hardware Apps Face Risk
The malware also searches for crypto wallet data across several popular applications. SlowMist named Exodus, Atomic, Electrum, Wasabi, and Monero among the software wallets targeted by the attack.
The malware also checks hardware wallet applications, including Ledger Live and Trezor Suite. SlowMist said attackers may replace real hardware wallet apps with fake versions that trick users into entering recovery phrases.
Full-node wallet data is also at risk. The malware searches for databases linked to Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core, giving attackers several paths to reach stored wallet files.
After collecting wallet databases, attackers can try to decrypt them offline using passwords taken from the infected device. That makes weak passwords and reused credentials more dangerous for crypto users.
Some macOS stealers, including MacSync, Poseidon, and Atomic Stealer, use similar methods. These tools often collect Keychain items, browser wallet extension data, cookies, and private notes that may contain recovery details.
Users Urged to End Sessions and Move Funds
SlowMist urged affected users to terminate all active Telegram sessions immediately. Users can review linked devices through Telegram settings under Privacy and Security, then log out from unknown or suspicious sessions.
Users should also create a fresh trusted Telegram login after removing suspicious sessions. SlowMist recommended changing both the Telegram two-step verification password and the Telegram Desktop passcode.
Crypto users who suspect wallet exposure should move funds from a clean, separate device. SlowMist advised generating a new recovery phrase on an uncompromised device and transferring assets to new addresses.
Security experts also recommend avoiding pirated apps, fake software updates, and unknown installers. Users should download apps from official developer websites and avoid pasting unknown commands into Terminal.
A local Telegram passcode may add another layer of protection because it helps protect local app files. Regular system scans, stronger passwords, and separate cold storage can also reduce losses from malware infections.







