This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency markets are highly volatile. Always do your own research before making any investment decisions.

MacOS malware is now actively hijacking Telegram sessions and targeting crypto wallet credentials, according to a July 2026 security analysis by SlowMist. As Apple devices keep catching on worldwide, attackers are switching up their tactics—zeroing in on popular communication apps and digital asset platforms to net bigger profits. This pivot comes as Mac adoption rises, making once-overlooked users key targets for cybercriminals keen on info-stealer campaigns


How the malware exploits Telegram and MacOS systems

SlowMist explains the newly identified MacOS malware snatches Telegram session files straight from users’ Library directories after tricking victims into installing trojanized apps. The malware specifically targets the Tdata folder where Telegram stores session info, so once that pocket of files is compromised, attackers get direct access to ongoing chats and Telegram bot undertakings—all without needing passwords or SMS codes. Analysts emphasize that such direct access allows criminals to pose as victims, intercept messages, and even execute unauthorized crypto transactions by sidestepping typical two-factor authentication protocols.

The volume of infected files flagged by SlowMist demonstrates the malware’s reach into the crypto sector too. Researchers found the MacOS malware scans users’ drives for wallet directories tied to major crypto platforms, including browser extension wallets like MetaMask as well as wallets working with Ethereum and Solana. When these critical assets are discovered, the malware grabs sensitive files—think private keys and wallet seed phrases—making it easy for attackers to drain user balances across a range of supported cryptocurrencies.


Rising sophistication and global reach

SlowMist’s July 2026 incident report also ties this campaign to a wider, increasingly aggressive wave of cyberattacks focused on MacOS users.

SlowMist traced malware samples to infrastructure located in Russia, Southeast Asia, and South America—evidence of a globally coordinated campaign targeting MacOS holders every where.

The losses reported to SlowMist since the malware’s late May debut were steep, with data reviewed in July 2026 confirming that victims lost significant amounts of cryptocurrency.


Defensive actions and recommendations

Amid ongoing threats detailed in SlowMist’s findings, the security team urges MacOS users to keep Telegram updated, only install apps from official sources, and enable password-based logins on all messaging and wallet platforms.