ESET found malicious macOS cryptocurrency trading applications that copied or rebranded the legitimate Kattana app under names such as Licatrade and Cointrazer, continuing GMERA-style activity previously reported by Trend Micro. The trojanized bundles targeted cryptocurrency users by distributing fake trading apps from copycat websites, stealing browser cookies, cryptocurrency wallets, and screenshots while opening unencrypted reverse shells to attacker-controlled servers. The Licatrade sample reported victim details over HTTP to stepbystepby[.]com and attempted reverse-shell connections to 193.37.212[.]97 on ports including 25733 and 25734, with persistence attempted through a Launch Agent. Honeypot observations showed operators manually inspecting compromised Macs, collecting username, macOS version, location, hardware, display, and nearby Wi-Fi details before deciding whether the host was useful.