macOS.Bkdr.Activator is a multi-stage macOS malware campaign spread through cracked apps distributed via torrent sites, designed to infect users at scale. It patches the cracked copies of legitimate software, disables Gatekeeper, and uses Python-based payloads and DNS-based…
Tag: MACOS
Cyble researchers document updated Atomic Stealer (AMOS) versions spread via phishing sites posing as Mac apps, with new cookie-revival capabilities that target Google Chrome. The findings highlight a widening trend of InfoStealers adopting cookie revival and …
Cybercriminals are increasingly leveraging Traffic Distribution Systems (TDS) to facilitate their operations, allowing them to efficiently route victims to malicious content. This systematic research uncovers the complex web of affiliations among various actor…
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
Kuiper is a Go-based ransomware marketed as an easy-to-use, cross-platform kit by RobinHood, with a plan to offer operational help for a commission and a planned double-extortion leak site. Researchers uncovered that the sales hype overstated capabilities, and…
macOS threats are evolving, with a Python-based script targeting wallet apps Exodus and Bitcoin Core by replacing them with rogue equivalents. The malware exfiltrates system data, can execute commands from a C2 server, and uses Electron and AppleScript to impe…
Jamf Threat Labs uncovered pirated macOS apps backdoored with a dylib that downloads and executes payloads, secretly compromising the victim’s machine. The campaign shows ZuRu-like traits, including attacker infrastructure communications and persistence via La…
Atomic Stealer (AMOS) is a macOS-focused credential and file stealer that collects browser wallets, keychain items, system info, and user files, then archives and exfiltrates them to C2 servers. The latest AMOS version encrypts its strings with a custom XOR-ba…
Guardio Labs discovered a critical cross-platform zero-day in Opera’s My Flow feature that allowed a malicious extension to write and execute files on Windows and macOS by abusing a built-in high-permission extension. The issue relied on forgotten Opera-hosted…
macOS infostealers KeySteal, Atomic InfoStealer, and CherryPie continue to evolve, evading static signatures and expanding distribution methods. The article details how each family persists, hides its actions, and yields actionable indicators for threat hunter…
Atomic Stealer (AMOS) received a December 2023 update introducing payload encryption to evade detection and expanded distribution through malvertising and compromised sites targeting Mac users. The campaign included Google search ads impersonating Slack, redir…
This article explains how to perform .NET managed hooking with the open-source Harmony library, covering patch types (Prefix, Postfix, Transpiler, Reverse Patch), injection/bootstrapping via reflection or injectors, and examples of manual patching using Harmon…
SpectralBlur is a macOS backdoor attributed to the threat actor TA444 (Sapphire Sleet, BLUENOROFF, STARDUST CHOLLIMA) that researchers tie to SockRacket/KandyKorn and an early iteration of KANDYKORN, uncovered via domain investigations around pxaltonet.org and a dropped .macshare…
Infoblox’s DNS Early Detection Program swiftly identifies potentially harmful domains, notably recognizing the KandyKorn malware campaign from the Lazarus Group. The program highlights the critical need for rapid response against such threats, providing timely…
Xorbot is a stealthy, from-scratch botnet with strong concealment and encrypted C2 communications, designed to evade mainstream AV detection. It uses junk code to inflate its footprint, hides its persistence, and can perform DDoS attacks while maintaining a co…