Full Report
Cybercriminal campaigns are using fake Ledger apps to target macOS users and their digital assets by deploying malware that attempts to steal seed phrases that protect access to digital cryptocurrency wallets. [...]
Analysis Summary
# Incident Report: Ledger Seed Phrase Phishing Campaigns Targeting Mac Users
## Executive Summary
Multiple, concurrent phishing campaigns utilized trojanized versions of the Ledger Live application on macOS to trick users into entering their 24-word recovery seed phrases. Attackers successfully stole sensitive cryptocurrency wallet recovery information by displaying deceptive phishing screens within fake applications, allowing them to ultimately compromise users' digital assets. The primary response from security researchers has been focused on identifying and publicizing these malware strains (AMOS and PyInstaller variants) and issuing broad warnings to the user base regarding proper seed phrase usage procedures.
## Incident Details
- Discovery Date: Ongoing; multiple instances were identified over the last month and the current month.
- Incident Date: Ongoing, spanning recent months leading up to discovery/publication.
- Affected Organization: Individual cryptocurrency users employing Ledger hardware wallets on macOS.
- Sector: Cryptocurrency/Financial Technology.
- Geography: Targeting macOS users globally.
## Timeline of Events
### Initial Access
- Date/Time: Unspecified; campaigns were tracked over the last month and the current month.
- Vector: **Malicious/Trojanized Application Distribution.** Attackers distributed fake Ledger Live applications, often bundled within DMG files (e.g., 'JandiInstaller.dmg').
- Details: The malicious DMG files bypassed macOS Gatekeeper protections to install a clone of the Ledger Live application containing phishing screens styled after the legitimate software.
### Lateral Movement
- This type of incident is primarily focused on direct data theft from the user endpoint rather than traditional network lateral movement. The malware focuses on capturing user input (seed phrases) and local system data.
### Data Exfiltration/Impact
- **Data Stolen:** 24-word cryptocurrency seed phrases.
- **Secondary Data:** Browser data, "hot" wallet configurations, and general macOS system information were also targeted by the PyInstaller variant.
- **Impact Mechanism:** Stolen seed phrases were exfiltrated to attacker C2 servers (e.g., Rodrigo's C2 server for the AMOS stealer). Victims received a deceptive "App corrupted" message after entering their seed phrase to delay suspicion.
### Detection & Response
- **Detection:** Security researchers (Moonlock Lab, Jamf Threat Labs) uncovered the active campaigns through analysis of malware behavior and forum chatter.
- **Response Actions:** Researchers published reports detailing the fake apps, malware functionality (AMOS stealer, PyInstaller variants), and C2 infrastructure information. Public advisories were issued emphasizing secure seed phrase handling.
## Attack Methodology
- Initial Access: Social Engineering via distribution of trojanized DMG installers ("JandiInstaller.dmg") impersonating Ledger Live.
- Persistence: Not explicitly detailed as a continuing mechanism, but designed for immediate data theft upon user interaction.
- Privilege Escalation: Bypassing macOS Gatekeeper when installing the trojanized application.
- Defense Evasion: Utilizing familiar application cloning and deceptive error messages ("App corrupted") to lower immediate user suspicion.
- Credential Access: Direct capture of the 24-word **seed phrase** via simulated input fields.
- Discovery: Targeting browser data and "hot" wallet configurations alongside the primary objective.
- Lateral Movement: N/A (Endpoint-focused theft).
- Collection: Capturing seed phrases and system/wallet metadata.
- Exfiltration: Sending data to attacker Command-and-Control (C2) servers.
- Impact: Direct theft of cryptocurrency assets associated with the compromised seed phrases.
## Impact Assessment
- Financial: High (Theft of cryptocurrency assets, though specific monetary figures were not provided).
- Data Breach: Highly sensitive recovery information (24-word seed phrases), system data, and wallet configurations.
- Operational: User trust in hardware wallet software integrity damaged; requires users to sweep funds from compromised wallets.
- Reputational: Potential damage to Ledger's reputation due to the effectiveness of sophisticated phishing clones.
## Indicators of Compromise
- **Network indicators:** C2 server associated with the AMOS stealer, linked to 'Rodrigo'.
- **File indicators:** DMG files tricking users (e.g., 'JandiInstaller.dmg'); PyInstaller-packed binaries used to deliver the phishing interface.
- **Behavioral indicators:** Displaying phishing screens demanding a 24-word seed phrase within an application claiming to be Ledger Live; reporting "App corrupted" after entry.
## Response Actions
- **Containment measures:** No technical containment was reported; the primary containment effort consists of user education and reporting the campaigns to the relevant platforms.
- **Eradication steps:** Users must immediately transfer any funds secured by the compromised seed phrase to a new, secure wallet.
- **Recovery actions:** Users who entered their seed phrase must treat the associated crypto assets as lost or compromised and initiate fund migration.
## Lessons Learned
- **Key Takeaways:** Sophisticated malware strains (like AMOS and PyInstaller variants) are actively mimicking legitimate hardware wallet software to lower user guardrails. Attackers are using social engineering by bundling malicious code inside common installer formats (DMG).
- **What could have been done better:** End-users need reinforced education regarding the **single, physical-device-only** use case for seed phrases.
## Recommendations
- Only download the Ledger Live application directly from the official Ledger website.
- Never enter the 24-word seed phrase into any application, website, or non-physical prompt.
- Seed phrases should **only** be entered on the physical Ledger hardware device itself, and strictly during wallet restoration or initial setup.
- Users should routinely monitor their cryptocurrency accounts, especially after performing updates or installing software related to their wallets.