S0492: CookieMiner
CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[1]
Analyst context for executives and security teams
CookieMiner matters because it combines macOS endpoint compromise with theft of cryptocurrency-exchange-related information, browser/session material, and local compute abuse for cryptocurrency mining. For leaders, the risk is not only a single infected Mac; it is whether the organization can see credential and session-cookie theft, persistence through macOS Launch Agents, suspicious scripting, outbound data movement, and resource hijacking before they affect users or business operations.
Executive priority
Prioritize this as a macOS identity-and-endpoint readiness test. The ATT&CK relationships tie CookieMiner to credential access, collection, exfiltration, persistence, defense impairment, and compute hijacking. Executives should ask whether macOS systems have equivalent monitoring and response coverage to Windows systems, whether browser-stored credentials and session cookies are protected, and whether incident responders can quickly determine if stolen session material or local files require account/session revocation and broader containment.
Technical view
CookieMiner is a macOS malware entry with no official ATT&CK detection text, so validation should be relationship-driven. SOC and IR teams should test visibility for Unix shell and Python execution, obfuscated commands, decode/deobfuscation activity, local file and directory discovery, access to browser credential or cookie stores, Launch Agent persistence, inbound tool transfer, firewall modification, unencrypted outbound exfiltration, security software discovery, and compute-resource abuse consistent with cryptocurrency mining. Detection engineering should correlate these behaviors on macOS rather than relying on any single indicator.
Likely telemetry
- macOS endpoint process execution with command-line arguments for Unix shells and Python
- File system events for browser credential stores, cookies, local databases, configuration files, and user directories
- Creation or modification of Launch Agent .plist files in macOS LaunchAgents paths
- Network egress metadata and proxy/DNS/HTTP/FTP logs for unusual outbound transfers over unencrypted protocols
- Download or file-transfer events indicating ingress tool transfer
Detection direction
- Validate that macOS EDR/logging captures full process lineage and command lines for shell and Python activity, including obfuscated or encoded command patterns.
- Monitor for unusual access to browser cookie and credential storage locations, especially when paired with file discovery, scripting, or outbound network activity.
- Alert on Launch Agent creation or modification outside expected software installation and administration workflows.
- Correlate unencrypted outbound transfers with prior local collection or browser-store access; tune for legitimate administrative scripts and developer tooling.
- Look for firewall rule or service changes on macOS hosts, especially when followed by new outbound communication.
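One way to turn the list above into correlation logic, as an added example (not code from the page, Glexia or MITRE): a small Python correlator over constructed macOS endpoint events that labels shell/Python execution, base64 decode patterns, browser cookie/credential store access, Launch Agent plist writes and cleartext egress, then flags a host only when collection or persistence appears together with other labels. The path patterns, the installer allowlist and the sample events are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Patterns for the behaviours listed under "Detection direction" (assumed; tune locally).
SCRIPT_BIN = re.compile(r"(^|/)(sh|bash|zsh|python[0-9.]*)$")
B64_DECODE = re.compile(r"base64\s+(-D|-d|--decode)|b64decode\(")
BROWSER_STORE = re.compile(r"/Library/(Application Support/Google/Chrome/[^/]+/(Cookies|Login Data)"
                           r"|Cookies/Cookies\.binarycookies)$")
LAUNCH_AGENT = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")
TRUSTED_PLIST_WRITERS = {"/usr/sbin/installer"}  # assumed allowlist of legitimate installers
CLEARTEXT_PORTS = {21, 80}                        # FTP/HTTP egress

# Constructed sample events (not real telemetry); mac-01 shows the chained behaviours.
SAMPLE_EVENTS = [
    {"host": "mac-01", "type": "process", "cmd": "/bin/bash -c 'echo Q09OU1RSVUNURUQ= | base64 --decode'"},
    {"host": "mac-01", "type": "file", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies", "process": "/usr/bin/python3"},
    {"host": "mac-01", "type": "file", "path": "/Users/alice/Library/LaunchAgents/com.constructed.sample.plist", "process": "/bin/bash"},
    {"host": "mac-01", "type": "network", "dst_port": 21, "process": "/usr/bin/curl"},
    {"host": "mac-02", "type": "process", "cmd": "/bin/zsh -c 'ls -la'"},
    {"host": "mac-02", "type": "file", "path": "/Users/bob/Library/LaunchAgents/com.vendor.updater.plist", "process": "/usr/sbin/installer"},
    {"host": "mac-02", "type": "network", "dst_port": 443, "process": "/usr/bin/curl"},
]

def classify(ev):
    """Map one endpoint event to zero or more behaviour labels."""
    labels = set()
    if ev["type"] == "process":
        if SCRIPT_BIN.search(ev["cmd"].split()[0]):
            labels.add("scripting")
        if B64_DECODE.search(ev["cmd"]):
            labels.add("obfuscated_decode")
    elif ev["type"] == "file":
        if BROWSER_STORE.search(ev["path"]):
            labels.add("browser_store_access")
        if LAUNCH_AGENT.search(ev["path"]) and ev["process"] not in TRUSTED_PLIST_WRITERS:
            labels.add("launch_agent_persistence")
    elif ev["type"] == "network" and ev["dst_port"] in CLEARTEXT_PORTS:
        labels.add("cleartext_egress")
    return labels

def correlate(events):
    """Flag a host when browser-store access or Launch Agent persistence is seen
    together with at least two other labels, rather than on any single indicator."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(labels) for host, labels in per_host.items()
            if labels & {"browser_store_access", "launch_agent_persistence"} and len(labels) >= 3}
```

Running `correlate(SAMPLE_EVENTS)` flags only mac-01; mac-02's installer-written plist and `ls` via zsh stay below the threshold.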
Mitigation priorities
- Ensure macOS endpoints are included in managed detection, incident response playbooks, and compliance evidence collection.
- Reduce exposure from browser-stored credentials and long-lived web sessions through identity governance, session management, and credential-handling policy appropriate to the environment.
- Restrict and monitor persistence paths such as Launch Agents, and review software installation/admin workflows that legitimately modify them.
- Apply least-privilege controls so users and malware have less ability to alter firewall settings, persistence locations, or security tooling.
- Strengthen egress monitoring and control for unencrypted protocols used outside approved business patterns.
Analyst notes and limits
The object’s official description identifies CookieMiner as macOS malware targeting cryptocurrency-exchange-related information and enabling cryptocurrency mining. The practical defensive picture comes mainly from its ATT&CK relationships, which span execution, discovery, credential access, collection, exfiltration, persistence, defense impairment, command-and-control, stealth, and impact behaviors.
MITRE provides no official detection text, no aliases, no labels, and no top-level tactics for this object. This take does not assert current active exploitation, attribution, or existing detection coverage. Local validation is required to determine whether the organization collects the telemetry needed to detect these behaviors on macOS.
CookieMiner
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Web Browsers | CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials. [1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | CookieMiner has used the |
| Enterprise | T1496.001 | Compute Hijacking | CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. [1] |
| Enterprise | T1539 | Steal Web Session Cookie | CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim's machine. [1] |
| Enterprise | T1686 | Disable or Modify System Firewall | CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found. [1] |
| Enterprise | T1083 | File and Directory Discovery | CookieMiner has looked for files in the user's home directory with "wallet" in their name using |
| Enterprise | T1105 | Ingress Tool Transfer | CookieMiner can download additional scripts from a web server. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CookieMiner has used Google Chrome's decryption and extraction operations. [1] |
| Enterprise | T1005 | Data from Local System | CookieMiner has retrieved iPhone text messages from iTunes phone backup files. [1] |
| Enterprise | T1518.001 | Security Software Discovery | CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found. [1] |
| Enterprise | T1027.010 | Command Obfuscation | CookieMiner has used base64 encoding to obfuscate scripts on the system. [1] |
| Enterprise | T1059.004 | Unix Shell | CookieMiner has used a Unix shell script to run a series of commands targeting macOS. [1] |
| Enterprise | T1543.001 | Launch Agent | CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software. [1] |
| Enterprise | T1059.006 | Python | CookieMiner has used Python scripts on the user's system, as well as the Python variant of the Empire agent, EmPyre. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f8e55bc88baf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit42 CookieMiner Jan 2019. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved July 22, 2020.
[2] mitre-attack: S0492
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.