New CookieMiner Malware Targeting Macs and How to Remove It

Web Browser with This site Ahead Contains Malware Message. 3D illustration
CookieMiner is a newly detected malware capable of stealing personal information using stored login credentials on your browser.

Apple’s operating systems are rarely found to be vulnerable to malware attacks when compared to Windows.

However, the amount of malware targeting Macs is increasing, with a recently discovered Trojan, dubbed CookieMiner, proving to be a dangerous example.

According to cybersecurity experts, CookieMiner’s primary aim is to steal information which can then be used to bypass authentication checks when logging in to websites, specifically cryptocurrency wallets.

More About CookieMiner

CookieMiner is capable of stealing a range of information including Chrome passwords, credit card details, backed up iPhone text messages and perhaps most importantly, cookies from cryptocurrency websites that the user has accessed.

This gives the attacker the leverage needed to overcome the multi-factor authentication checks commonly utilized to secure logins by fooling the website into thinking that the user is logging in from a previously verified device.

The attacker then gains access to the user’s cryptocurrency wallets.

However, what’s potentially more concerning is CookieMiner’s use of this information to enable EmPyre, a post-exploitation agent.

This backdoor acts as a tool to send commands to the infected computer so hackers can control it remotely.

The effects of such tools can be far reaching as crypto-mining activity, despite often running undetected in the background, redirects the target computer’s resources rendering it slower and more vulnerable to further infection and increasing the speed at which it wears out.

In some cases, the crypto-mining activity can overload the computer, causing to slow down dramatically and potentially overheat.

Recently discovered by security researchers at Palo Alto Networks’ Unit 42, CookieMiner is thought to have stemmed from OSX.DarthMiner, a form of malware known to target Macs and iOS.

The crypto-mining tool delivered by CookieMiner goes about mining a Japanese Zcash-based digital currency called Koto.

Those familiar with cryptocurrencies may have expected the malware to target popular forms such as Bitcoin or Ethereum. However, the focus on Koto has given rise to the suspicion among cybersecurity experts that the malware may have its origins in Japan.

The Mechanism

CookieMiner is categorized as a Trojan, meaning it arrives in the form of a seemingly legitimate file or attachment, most frequently in the form of phishing emails disguised as an email from someone known to the user. However, it can also arrive through unofficial software downloads.

The malware utilizes a Python script together with decryption techniques taken from the open source version of Google Chrome, Google Chromium, in order to access credit card information, passwords and usernames. Meanwhile, the targeted device is harnessed for the mining of cryptocurrency.

How to Remove CookieMiner from Your System

Since the focus is on Mac operating systems, the first set of guidelines for the removal of CookieMiner will focus on how to remove the malware manually from Apple computers. This will first stop any activity the malware is engaged in and then focus on removing the program from your system forever.

Now you should move on to the web browsers on your computer one by one and remove the CookieMiner malware. It’s best to do this with your Wi-Fi connection turned off. You should still be able to access your browsers’ settings without an internet connection.

In most browsers like Safari and Chrome, the malware could be sitting within the Extensions tab of the browser.


  1. On Safari, go to the Preferences menu from the top left area. Go to Extensions and uninstall any programs you don’t recognize using the Uninstall button.

Safari extension tab

2. You should also go to the Privacy tab of your Safari settings and hit Remove All Website Data. Note: This will remove stored login data, so you’ll have to re-enter your username and password on accounts when you revisit them.

Safari privacy tab

3. Now go to General settings in Safari. Make sure your homepage is Google (or another website you know and trust). While you’re here, click Clear History.

Safari general tab

Repeat these actions for Chrome, Firefox and all other browsers on your computer that you use.

Whenever you are asked to restart the system, comply and then give one final restart to be sure you have gotten rid of the CookieMiner malware permanently.

After you’ve done this, run the antivirus program of your choice to remove any remaining traces of the malware.

Some General Precautions

Safely removing malware such as CookieMiner can be a lengthy process which may cost money as well as time. Preventing the arrival of such malicious programs is always the preferable option.

Having a good anti malware program, being extremely cautious of downloading programs from unofficial sources and strictly avoiding the temptation to open emails and email attachments from unknown senders alone can save your computer from being infected by viruses and malware.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.