
Fake Adobe Zii On MacOS Steals Credit Card Info And Mines Monero

Just like technology, cyber threats have become ubiquitous and more aggressive over time. It is nothing new that cyber criminals use different ways to attack your machine with malware. However, a recent incident was caught in which malware posing as Adobe Zii (a tool used to crack Adobe products) was found stealing credit card information and mining the Monero cryptocurrency on macOS systems. This is surely one of the more unusual ways to attack machines.



Technical Analysis:

Upon scrutinizing its process, it was found that the malware arrives on the target machine as a file named ‘Adobe’ (an Automator workflow), which upon execution runs the Bash script stored in Adobe/Contents/document.wflow.




When the fake Adobe file is launched, it downloads from hxxp://46[.]226[.]108[.]171:80/ and saves the download to the user's home directory (~/). The contents are then extracted and launched on the system. At this point it uses the original Adobe software as a decoy to camouflage its malicious activity in the background.

The research team also reveals that the malware connects to hxxps:// which contains an encrypted Python script. This script checks the status of Little Snitch (a host-based application firewall for macOS). If Little Snitch is not active, the script connects to hxxp://46[.]226[.]108[.]171:4444/login/process.php.

How does the fake Adobe Zii steal credit card info?

The malware consists of routines capable of stealing identity data from the Google Chrome web browser. Targeted information includes the origin URL, credit card details, expiration date, username, and password.



The malware connects to hxxp://46[.]226[.]108[.]171/harmlesslittlecode[.]py and saves the Python script on the Mac at ~/Library/Application Support/Google/Chrome/Default. This script dumps the decrypted information stored by the Google Chrome browser. Once the malware finds the desired data, it is collected into a .txt file and zip-compressed along with the Google Chrome cookies. The archive is saved as ~/Library/Application Support/Google/Chrome/Default/{username}.zip and uploaded to hxxp://46[.]226[.]108[.]171:8000.


How does it mine the cryptocurrency?

The fake Adobe Zii malware downloads a plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]rig2[.]plist and stores it in ~/Library/LaunchAgents. This plist is used to run xmrig2, the cryptocurrency miner.

The malware also downloads a plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]proxy[.]initialize[.]plist that contains Python commands similar to the ones that check Little Snitch’s status and connect to the encrypted Empyre backend. To get them auto-started, the plist files are loaded into the system through the launchctl command.

To mine the cryptocurrency, the malware connects to hxxp://46[.]226[.]108[.]171/xmrig2 and saves the file to /Users/Shared/xmrig2. The saved file is a command-line application used to mine Monero specifically.
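The persistence described above (Apple-branded plist names in ~/Library/LaunchAgents pointing at a miner in /Users/Shared) can be checked for from the defender's side. The script below is an added example, not code from the article or from the researchers; the two embedded plists are constructed to model the described behaviour, and the "com.apple.* label outside /System/Library" rule is a heuristic, not a proof of infection.

```python
import plistlib
from pathlib import Path

# Persistence indicators named in the write-up above
KNOWN_BAD_LABELS = {"com.apple.rig2", "com.apple.proxy.initialize"}
# World-writable location the write-up names for the dropped miner binary
SUSPICIOUS_PROGRAM_DIRS = ("/Users/Shared/",)

def analyse_launch_agent(plist_bytes: bytes, path: str) -> list:
    """Return the reasons a launchd plist looks suspicious (empty list if none)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or unreadable binary plist
        return [f"unparseable plist: {exc}"]
    reasons = []
    label = str(data.get("Label", ""))
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label {label!r} matches the fake Adobe Zii persistence files")
    # Apple's own agents live under /System/Library; a com.apple.* label in a user's
    # ~/Library/LaunchAgents or in /Library/LaunchAgents is a masquerading heuristic
    if label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        reasons.append(f"Apple-style label {label!r} outside /System/Library")
    program = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
    if isinstance(program, str) and program.startswith(SUSPICIOUS_PROGRAM_DIRS):
        reasons.append(f"program {program!r} runs from a shared, world-writable directory")
    return reasons

def scan_launch_agents(directory: str = "~/Library/LaunchAgents") -> dict:
    """Analyse every .plist in a LaunchAgents folder; returns {path: reasons} for hits."""
    hits = {}
    for plist in Path(directory).expanduser().glob("*.plist"):
        reasons = analyse_launch_agent(plist.read_bytes(), str(plist))
        if reasons:
            hits[str(plist)] = reasons
    return hits

# Constructed sample modelled on the behaviour described above (not a captured file)
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.rig2</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/xmrig2</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
</dict></plist>"""
```

On a Mac, `scan_launch_agents()` checks the current user's agents and `scan_launch_agents("/Library/LaunchAgents")` the machine-wide ones; any hit should be reviewed by hand before removal.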


It uses the credentials below to mine cryptocurrency on an infected machine.


Overall, the fake Adobe Zii may turn out to be a nasty piece of malware if it gets onto your machine. It may collect your credit card information and even start a Monero mining process. It is important to keep your Mac protected with a dedicated anti-malware tool for Mac and to practice safe browsing.


  1. Nathalia

    Hi! Great. I just got the so called free Photoshop from these 2 videos below, and I'm just realizing that I might have done something real stupid. Could you please gimme a hand? How do I know if it's safe? I saw someone mentioning something about AUTOMATOR and I did get that little dude sitting on my Applications! I really suck at these things! Please gimme a hand? :-( kisses from Brazil!

    1. Preeti Seth

      Hello Nathalia, regarding the problem, we suggest you do not click on the links that you suspect. If you find the information misleading, never trust the site or video. Also, we suggest you run an updated anti-virus to stay safe from threats.
