Authors: Kseniia Yamburh, Malware Research Engineer at Moonlock by MacPaw & Mykhailo Pazyniuk, Malware Research Engineer at Moonlock by MacPaw
Open-source software is foundational to innovation but also opens the door to exploitation. Recently, Checkmarx researchers
At Moonlock, where we focus on protecting macOS users, we knew we had to dig deeper into this one. As we unraveled the layers, our findings led us to 10 additional repositories — each sharing nearly identical code, with subtle variations. Was this the work of an automated deployment? A coordinated campaign? Here’s how the investigation unfolded.
The First Look at More Than Just a Crypto Bot
The story begins with “Meme-Token-Hunter-Bot,” seemingly just another utility tool for crypto enthusiasts. Its README instructs users to execute main.py, a file that typically initiates the main functionality in most Python-based applications. Following instructions, we delved into main.py, only to find it calling a helper script called base_helper.py. This helper file would be the cornerstone of our investigation.
Mapping the Attack Flow
To gain a clearer understanding of how Meme-Token-Hunter-Bot executes its attack, we sketched out a flowchart showing each step of the malware’s process, from initial setup to data exfiltration. This visual representation reveals the layers of encoding and stealth tactics embedded within the package, offering a full view of how it operates.
Our flowchart begins with main.py, the starting point that calls base_helper.py if the package detects it’s running on macOS.
This file includes base64-encoded URLs and filenames, stored in variables like encoded_base_key and encoded_licences.
These encoded values hide the true purpose of the script, masking the URL that connects to https://coinsw[.]app/basec/ and downloads further files to the ~/tmpcode/ directory.
Once the files are downloaded, the next step in our flowchart shows the malware launching a file called MHTBot.py, redirecting all visible output to /dev/null—keeping its activities concealed from users and monitoring tools alike.
MHTBot
In the flowchart, MHTBot.py stands out as the turning point in the attack. Using PyQT5, this file creates a graphical user interface that mimics legitimate software, displaying a password prompt and progress bar. This disguise is designed to reassure users, while, in reality, MHTBot.py stealthily activates a series of data-grabbing modules in the background.
MHTBot.py employs a clever evasion technique: it rejects the first password attempt as “insecure,” only accepting the second. This built-in delay likely aims to evade sandbox detection, as many sandbox environments have limited runtime that might end before the malware fully activates.
As part of its evasion tactics, Meme-Token-Hunter-Bot employs a delay before launching its main data-stealing operations. This delay is also designed to evade detection by sandbox environments, which often have limited runtime durations for automated analysis. By delaying execution, the malware increases its chances of slipping past these initial scans and fully activating on a real user’s system.
The screenshot below highlights the specific code responsible for this delay. The start_one_py_main_after_delayfunction initiates a delay of 7000 milliseconds (7 seconds) using QTimer.singleShot, after which it calls the run_one_py_main function. This function then triggers the main data-theft module, one.py, in a separate thread.
Data Theft
As MHTBot.py transitions control to one.py, the malware’s primary data-stealing operations begin. The following code snippets reveal how one.py uses various functions and modules to collect sensitive information from the user’s system. Let’s break down each part of the code and its purpose.
In the first snippet, we see the main() function preparing a hidden directory for the temporary storage of stolen data. The malware creates ~/.temp/premium/ as a hidden directory to store files without alerting the user. After setting up this directory, the function calls various routines to gather data from specific applications:
-
mediax(): Likely targets Apple Notes to extract stored notes.
-
copy_stickies() and copy_stickies_database(): These functions gather data from the Stickies application.
-
backup_ssh(): Collects SSH keys from the system.
-
copy_terminal_history(): Copies terminal history files.
-
copy_ssh_and_keychain(): Extracts data from SSH and macOS Keychain.
These functions are dedicated to gathering a wide range of data from applications, user credentials, and SSH configurations, making one.py an all-encompassing data harvester.
The search_files() function, seen in the next code snippet, expands the reach of data collection by targeting specific file types. This function searches through common directories (Downloads, Documents, Desktop, and home directory) for sensitive files with extensions like .txt, .csv, .json, .config, and .env. These file types often contain configuration settings, API keys, and other valuable information.
The files found are then copied to a temporary directory, compressed, and prepared for exfiltration. This step ensures that any data typically stored in user directories or project configuration files is collected.
In the following snippet, the copy_terminal_history() and copy_ssh_and_keychain() functions capture critical user data. The malware extracts terminal history from .zprofile and .zsh_history files, potentially revealing commands the user executed, including any sensitive information or credentials typed in the terminal.
Additionally, the macOS Keychain and SSH directory are accessed to capture encrypted credentials, passwords, and SSH keys stored in the system, providing attackers with high-value credentials.
One of the most notable parts of this malware is its targeting of crypto wallets. The zip_additional_wallets() function specifically looks for directories associated with popular cryptocurrency wallets. The malware systematically searches for wallet files belonging to Bitcoin, Electrum, Coinomi, Exodus, and other major crypto wallets. Once identified, these wallet directories are zipped and stored in the temporary directory, ready for exfiltration.
The malware also includes specific functions for Telegram data theft. The backup_telegram() and backup_tdata() functions look for Telegram data directories, attempting to access messages, contacts, and media stored in the app. By copying these files, the malware may allow attackers to reconstruct the user’s Telegram communications and media history.
Exfiltration
After gathering sensitive information, Meme-Token-Hunter-Bot proceeds to exfiltrate the data to a remote server. This exfiltration is executed with a series of functions that handle file renaming, uploading, and notifying the attacker’s Telegram bot. The following code snippets illustrate how this process unfolds.
The function send_telegram_message sends a message to a pre-configured Telegram bot, alerting the attackers that a new batch of stolen files has been uploaded. This function ensures that the attackers receive timely updates on each exfiltration, allowing them to monitor the data theft process in real-time.
To further obfuscate its presence, the malware renames the stolen files with a .minecraft extension—an unusual trick likely meant to bypass basic network intrusion detection systems that monitor specific file types. Once renamed, upload_file initiates the data transfer to the attacker’s remote server. The file is opened in binary read mode and uploaded using requests.post() to https://store1.gofile[.]io/, a public file-sharing platform.
If the upload is successful (indicated by a 200 status code), the function retrieves the download link, which is then sent to the attacker via Telegram.
11 Additional Repositories: The Bigger Picture
During our investigation, we suspected that Meme-Token-Hunter-Bot might not be an isolated package. Using a targeted GitHub
Interestingly, while Meme-Token-Hunter-Bot has been around for 10 months, it only began incorporating malicious code in August 2024, when base_helper.py—the file responsible for downloading the Stage-2 Python stealer—was first introduced. The latest update to this file was made on September 28, 2024.
On the other hand, the 11 additional repositories received their malicious updates around two months ago, when base_helper.py was added. This coordinated timing suggests that these repositories were set up specifically to distribute the malware, building on the initial success and methods seen in Meme-Token-Hunter-Bot.
We also found Gatekeeper bypass instructions in several of these repositories, designed to guide users through bypassing macOS security warnings. The instructions were presented in a step-by-step visual format, encouraging users to right-click the application, select “Open,” and bypass Gatekeeper’s warning.
Additionally, among the 10 additional repositories identified, one variant named “Solana-Bot” stood out. While it follows the same malicious flow as Meme-Token-Hunter-Bot, we observed slight modifications, particularly in file names and function usage. A side-by-side diff analysis of Solana-Bot’s base_helper.py file and that of Meme-Token-Hunter-Bot highlights these differences.
The key distinctions between Solana-Bot and Meme-Token-Hunter-Bot include URL changes.
"aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2VjLw==" + "UENTQm90LnB5" = "https://coinsw.app/basec/PCSBot.py" <-- Solana-Bot
"aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2VjLw==" + "TUhUQm90LnB5" = "https://coinsw.app/basec/MHTBot.py"
Conclusion
This investigation into Meme-Token-Hunter-Bot and its related variants reveals a carefully orchestrated campaign targeting macOS users. Originally brought to light by Checkmarx, this stealer package initially disguised as a crypto tool has expanded into a broader threat. Our analysis uncovered 11 additional repositories, each containing slight variations of the original code. The attackers appear to have employed automation to rapidly generate these repositories, using minor modifications in names, UI labels, and functionality to evade detection and ensure persistent availability.
Nevertheless, we also observed familiar social engineering tactics aimed at macOS users, particularly the Gatekeeper bypass instructions. This indicates that threat actors still heavily rely on exploiting user trust. Despite the advanced techniques seen in this campaign, this reliance on user-assisted bypasses underscores the need for continued user education.
Awareness is the best defence. Resources such as the Moonlock blog
