Learn about ChillyHell, a modular Mac backdoor
Sept. 10, 2025, 8:12 p.m.
Description
ChillyHell is a sophisticated macOS backdoor, first seen in 2021, that has evaded detection by antivirus vendors. It is a modular C++ malware targeting Intel (x86_64) Macs, using multiple persistence mechanisms and communication protocols. The backdoor performs host profiling, establishes persistence through LaunchAgents, LaunchDaemons, or shell profile injection, and communicates with its command-and-control (C2) servers via DNS or HTTP. ChillyHell's modular structure supports various capabilities, including reverse shell access, self-updating, payload execution, and local password cracking. The malware's flexibility, stealth techniques, and notarization status make it a significant threat in the macOS landscape.
Tags
Date
- Created: Sept. 10, 2025, 4:18 p.m.
- Published: Sept. 10, 2025, 4:18 p.m.
- Modified: Sept. 10, 2025, 8:12 p.m.
Additional Information
- Government
- Ukraine