
NovaStealer

NovaStealer is an infostealer targeting the macOS ecosystem. Reported capabilities include exfiltrating wallet-related files, collecting telemetry data, and replacing legitimate Ledger and Trezor applications with tampered copies. Analysis cited in the source indicates it uses a dropper to execute mdriversinstall.sh, installs an orchestrator under ~/.mdrivers, registers a LaunchAgent labeled application.com.artificialintelligence for persistence, and retrieves base64-encoded scripts from command-and-control infrastructure to execute in detached screen sessions. The malware has been linked in reporting to payload delivery via base64-encoded shell commands that download NovaStealer- or Atomic Stealer-linked payloads. A published analysis by security researcher Bruce Ketta is specifically referenced. High-confidence indicators and artifacts mentioned in the content include mdriversinstall.sh, the ~/.mdrivers path, and the LaunchAgent label application.com.artificialintelligence.
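The persistence artifacts named above (the ~/.mdrivers directory, the mdriversinstall.sh dropper, and the LaunchAgent label application.com.artificialintelligence) are concrete enough to hunt for on a host. The following is an added example, not code from the Mallory page or from the cited research: a POSIX shell hunt that checks a home directory for all three. It assumes the artifacts appear exactly as the write-up names them; the function names and the fixture it builds for a stand-alone run are constructed here and are not real sample data.

```shell
#!/bin/sh
# Added example, not code from the Mallory page or from the cited research.
# Hunts a home directory for the NovaStealer persistence artifacts the page names:
#   - the ~/.mdrivers orchestrator directory
#   - the mdriversinstall.sh dropper script
#   - a LaunchAgent plist whose Label is application.com.artificialintelligence
# Assumption: those three artifacts are present exactly as written on the page;
# everything else (function names, fixture contents) is constructed here.

NOVA_LABEL='application.com.artificialintelligence'

# hunt_novastealer <home_dir>
# Prints one FINDING line per artifact and, as the last line, the total count,
# so a caller can both read the report and branch on the number.
hunt_novastealer() {
    home="$1"
    findings=0

    # 1. Orchestrator directory created by the installer.
    if [ -d "$home/.mdrivers" ]; then
        echo "FINDING orchestrator directory: $home/.mdrivers"
        findings=$((findings + 1))
    fi

    # 2. Dropper script left anywhere under the home directory.
    dropper_count=$(find "$home" -type f -name 'mdriversinstall.sh' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$dropper_count" -gt 0 ]; then
        find "$home" -type f -name 'mdriversinstall.sh' 2>/dev/null \
            | sed 's/^/FINDING dropper script: /'
        findings=$((findings + dropper_count))
    fi

    # 3. LaunchAgent plist carrying the known Label. Matched on content rather
    #    than filename, since the page gives the label, not the plist name.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q "<string>$NOVA_LABEL</string>" "$plist"; then
            echo "FINDING LaunchAgent labelled $NOVA_LABEL: $plist"
            findings=$((findings + 1))
        fi
    done

    echo "$findings"
}

# count_findings <home_dir>: just the number, for scripting.
count_findings() {
    hunt_novastealer "$1" | tail -n 1
}

# make_fixture <dir>: builds a constructed fake home directory with two of the
# three artifacts (label-bearing plist plus ~/.mdrivers), purely for demonstration.
make_fixture() {
    mkdir -p "$1/Library/LaunchAgents" "$1/.mdrivers"
    cat > "$1/Library/LaunchAgents/com.example.agent.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$NOVA_LABEL</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Stand-alone demonstration against the constructed fixture; to scan a real
# account, call: hunt_novastealer "$HOME"
fixture=$(mktemp -d)
make_fixture "$fixture"
hunt_novastealer "$fixture"
rm -rf "$fixture"
```

The LaunchAgent check matches on the Label string inside the plist rather than on a filename, because the page reports the label, not the plist name; a hit on any one of the three artifacts is worth triage on its own, and the count on the last line lets the script feed a larger sweep.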

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-25253: OpenClaw gatewayUrl token exfiltration and one-click RCE

The campaign coincides with the disclosure of a high-severity OpenClaw vulnerability (CVE-2026-25253) that enables one-click remote code execution through token exfiltration and WebSocket hijacking. Although patched in late January 2026, the flaw points to the platform’s growing attack surface.

via SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

"Over 200 malicious plug-ins... published... for OpenClaw... these skills masquerade as legitimate utilities while secretly delivering information-stealing malware."

Execution

2 techniques
T1059.004 Unix Shell (evidence: 1)

"On macOS, this involves base64-encoded shell commands that download payloads linked to NovaStealer or Atomic Stealer variants"

T1204 User Execution (evidence: 1)

"documentation that instructs users to install a supposed prerequisite called 'AuthTool'. Following these steps then triggers the malware delivery."

Credential Access

1 technique
T1555 Credentials from Password Stores (evidence: 2)

"deploy malware designed to harvest API keys, cryptocurrency wallet data, SSH credentials, browser passwords, cloud secrets, and configuration files."

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type      Value                   Latest sighting
hash.md5  (masked; full value in Mallory)  17 days ago
ip.v4     (masked; full value in Mallory)  17 days ago
domain    (masked; full value in Mallory)  18 days ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (3)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.