The Mac Security Blog

Malware

Mac stealer malware Realst disguises itself as video games, is macOS Sonoma-ready

Posted on by

In early July, malware researcher iamdeadlyz wrote up a detailed report about some new Mac malware dubbed Realst Stealer. Since at least last year, iamdeadlyz has been researching RedLine Stealer, PureLand, and related malware that steals cryptocurrency.

Several people had reported to iamdeadlyz about a variety of fake video games. Each one looks legitimate on the surface; they have their own Twitter and YouTube accounts, Discord servers, blogs, and more. It turns out that these supposed games are in fact Trojan horse malware. It appears that the same malware gang developed the latest fake games as well.

Some, but not all, of the games are allegedly built on various blockchains or self-describe as NFT games. Blockchains and non-fungible tokens (NFTs) are technologies that are typically of interest to people who own cryptocurrency. Thus, the developers of these fake games target individuals who are likely to have crypto wallets.

What does Realst Stealer malware do?

The primary goal of Realst Stealer seem to be robbing cryptocurrency wallets on infected Macs. Realst targets at least ten different crypto wallet browser extensions.

But even if a victim isn’t interested in blockchains or NFTs, the Trojan malware will attempt to exfiltrate their macOS Keychain. It also targets Telegram data, if the user has the messaging app installed on their Mac.

Realst Stealer targets every popular Mac browser, with two surprising exceptions: Apple’s Safari and Microsoft Edge. Safari’s omission seems understandable; perhaps the developers are more accustomed to writing Windows malware. But Edge’s omission is a bit of a mystery; after all, it’s bundled with Windows, and it’s Chromium-based, like most of the other browsers Realst targets.

The malware specifically targets Google Chrome, Mozilla Firefox, Brave, Opera, Opera GX (a “gaming browser”), and Vivaldi.

Which games does Realst Stealer masquerade as?

Some of the known Trojan horse games’ names are as follows:

  • Brawl Earth (its Twitter username is brawlearth)
  • Dawn Land MetaWorld (aka DawnLand Meta World, Dawn Land Metaverse, DawnMetaWorld, Meta_Dawn, or VersePearl)
  • Destruction (aka MetaDestruction, DestructionNFTs, or DestructionWeb3)
  • Evolion (aka EvolionGame or EvolionLand)
  • Guardians of the Throne (its Twitter username is GuardiansMeta)
  • Olymp of Reptiles [sic] (its Twitter username is olympreptiles)
  • Pearl Land Metaverse (was VersePearl on Twitter)
  • RyzeX (its Twitter username is RyzeX_web3)
  • Saint Legend (was PlaySaintLegend on Twitter)
  • WILDWORLD (its Twitter username is WildmenWorld)

Surprisingly, some of these Trojan horse games still have accounts on Twitter/X that haven’t been deleted or suspended yet. The “brawlearth” account has removed its profile images, name, bio, and location. However, four other accounts (GuardiansMeta, olympreptiles, RyzeX_web3, and WildmenWorld) remain open, albeit inactive since March, April, or June.

Some samples seem to be ready for macOS Sonoma

In a later analysis of Realst Stealer, Mac malware analyst Phil Stokes notes that several samples contain references in their code to macOS Sonoma, Apple’s upcoming Mac operating system.

This seems to suggest that Realst Stealer’s developers may already be testing beta versions of Sonoma to verify day-one compatibility with Apple’s shiny new OS.

How can one remove or prevent Mac malware like Realst Stealer?

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate Mac malware, including Realst Stealer and similar threats.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from data stealers and other PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

For lots of additional technical details about the ShadowVault malware, you can read the original write-up by iamdeadlyz, and an additional deep-dive analysis by Phil Stokes.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →