Malware

Executive Summary

In March 2026, Intego Antivirus Labs investigated a macOS malware campaign delivering the OSX/Amos stealer. During analysis, the infection chain led from stripped Mach-O binaries and heavily obfuscated shell scripts to an unusual final payload that appeared to be “data” rather than a standard executable.

That payload turned out to be an Electron ASAR (Atom Shell Archive) — a growing trend in macOS threats. Instead of shipping compiled binaries, attackers increasingly trojanize legitimate cross-platform Electron applications by replacing the core ASAR archive with a weaponized version that contains malicious logic.

In this case, the trojanized app masqueraded as Ledger Live. It combined a TLS validation bypass with a convincing phishing overlay designed to capture cryptocurrency wallet Secret Recovery Phrases and exfiltrate them to attacker infrastructure.

This write-up walks through a practical triage workflow to identify an ASAR payload, unpack it, locate the execution entry point, and extract actionable C2 infrastructure.

Identifying the ASAR archive

When a suspicious file doesn’t present obvious magic headers, the fastest path forward is reading raw bytes. A quick hexdump revealed an Electron ASAR signature:

hexdump -C -n 100 payload_file

The key signal is a 16-byte header followed immediately by a JSON structure beginning with {“files”:{…}. That combination is an unmistakable ASAR fingerprint.

Electron apps package internal source code (JavaScript/HTML/CSS) and assets into ASAR archives. The JSON block acts as a file allocation table mapping the virtual directory structure, followed by the raw bytes of each bundled file.

Why this matters: If the payload is an ASAR, you’re likely looking at the core logic of a trojanized Electron application — including the code responsible for credential theft, UI overlays, and outbound network communication.

Extracting the payload

To analyze the JavaScript logic, the ASAR must be unpacked. In many analysis environments, npx asar extract isn’t available, so it helps to have a second option.

Option A: Standard Node.js tooling (when available)

npx asar extract app.asar unpacked_asar

Option B: Python-based extraction (fast fallback on macOS)

If you have Python available, you can use the asar module to extract the archive.

Once extracted, you should end up with a directory that resembles a Node/Electron project (including package.json and bundled Webpack output).

Finding the entry point

In an unpacked Electron app, the first stop is package.json. This file acts as the roadmap and dictates which code executes first.

cat unpacked_asar/package.json

The critical field is:

• main: the application’s entry point (for example: ./.webpack/main.bundle.js)

This tells you exactly where to start hunting for injected logic.

Hunting the injection

In trojanized Electron bundles, threat actors often:

• inject logic at the top before the legitimate app bootstraps, or
• append an obfuscated block at the bottom (commonly via eval() patterns)

In this sample, inspecting the start of the main bundle exposed the core compromise:

head -c 1000 unpacked_asar/.webpack/main.bundle.js

The “smoking gun” was the presence of an explicit TLS validation bypass:

• Electron command-line switch to ignore certificate errors
• NODE_TLS_REJECT_UNAUTHORIZED = ‘0’

There is no legitimate reason for a production cryptocurrency wallet application to globally disable TLS certificate validation.

Why attackers do this

Stealer operators often rely on cheap, fast-changing infrastructure (expired, mismatched, or self-signed certificates). Without a TLS bypass, background exfiltration requests can throw certificate validation errors, crash the app, or create visible breakage that alerts the victim.

This makes the bypass a practical “reliability layer” for malicious traffic — and a useful detection clue for defenders.

Uncovering the phishing overlay and C2

Once the TLS bypass is identified, the next step is determining:

1. what data is being collected, and
2. where it’s being sent

In this case, the .webpack/ directory contained suspicious overlay HTML files such as:

• recovery-step-1.html
• recovery-step-2.html
• recovery-step-3.html

These files hijack the UI and prompt the user to “verify” their 12- or 24-word Secret Recovery Phrase.

Finding the exfiltration destination

To locate the drop zone, focus on data-sending primitives in the overlay files (fetch, XMLHttpRequest, submit, action=).

grep -E -i -o ‘.{0,40}(action=|fetch\(|XMLHttpRequest|submit).{0,40}’ \

unpacked_asar/.webpack/recovery-step-*.html

Then extract URLs from the specific file(s) of interest and filter out known legitimate namespaces.

This workflow revealed the C2 endpoint used as the exfiltration drop zone:

• https://main.mon2gate.net/modules/wallets

When the victim submits the final recovery step, the overlay sends the seed phrase to attacker infrastructure — and it succeeds silently because the TLS bypass prevents certificate failures from blocking the request.

The evolving stealer ecosystem

This isn’t an isolated technique — it reflects a maturing macOS Malware-as-a-Service ecosystem. Trojanizing wallet applications by:

• disabling TLS validation, and
• injecting phishing overlays into Electron ASAR bundles

has become a repeatable playbook across multiple stealer families.

Attackers are also diversifying distribution. Beyond fake updates and cracked installers, recent campaigns have included novel delivery mechanisms designed to trick users — and in some cases, automated tools — into running the initial downloader.

Detection takeaways

Even without full reverse engineering, defenders can quickly identify high-signal indicators in trojanized Electron apps:

• ASAR payloads where a suspicious “data” file reveals {“files”:{…} structure
• package.json entry points that route into unusually modified Webpack bundles
• Global TLS bypass indicators (certificate ignore flags, NODE_TLS_REJECT_UNAUTHORIZED)
• Presence of overlay-style HTML pages prompting for secrets (seed phrases, credentials)
• Outbound requests to non-vendor domains from overlay UI code (especially fetch() destinations)

Indicators of Compromise

File indicators

Network and infrastructure

What to know and what to do

Trojanized Electron apps are a reminder that macOS malware analysis increasingly requires web-application triage techniques — not only executable reversing. Being able to unpack ASAR archives, trace package.json entry points, and spot environment manipulations like TLS bypasses is key to extracting actionable IOCs quickly.

For responders, the highest-value workflow is often: identify ASAR → unpack → find entry point → hunt injected logic → extract C2 from overlay/exfil code.

About Frederic Blaison