Tag: macos

79 Attack Reports | 0 Vulnerabilities

Attack reports

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

A financially-motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying FlutterShell backdoor malware targeting macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications including podcast playe…
backdoor
macos
google ads
jscorerunner
browser hijacking
calendaromatic
shell companies
2026-06-02
flutterbridge
fluttershell
javascript bridge
recipelister
Published: June 2, 2026
Downloadable IOCs: 9

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX …
social engineering
cryptocurrency
macos
supply chain attack
developer targeting
2026-05-28
audiofix
ci/cd hijacking
linkedin phishing
minirat
npm trojan
Published: May 28, 2026
Downloadable IOCs: 35

macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, con…
backdoor
social engineering
typosquatting
infostealer
macos
credential harvesting
cryptocurrency theft
amos
atomic macos stealer
shub stealer
persistence mechanism
2026-05-18
shub reaper
Published: May 18, 2026
Downloadable IOCs: 5

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When execu…
infostealer
macos
clickfix
applescript
shub stealer
2026-05-06
phantompulse
Published: May 6, 2026
Linked vulnerabilities : CVE-2026-31431
Downloadable IOCs: 28

Mach-O Man Malware: What CISOs Need to Know

Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating …
social engineering
macos
credential theft
clickfix
telegram exfiltration
2026-04-22
browser stealing
fintech targeting
mach-o binaries
mach-o man
pylangghostrat
Published: April 22, 2026
Downloadable IOCs: 15

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cook…
social engineering
infostealer
macos
credential harvesting
clickfix
applescript
session hijacking
cryptocurrency wallet theft
2026-04-21
browser data exfiltration
Published: April 21, 2026
Downloadable IOCs: 6

Dissecting macOS intrusion from lure to compromise

Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through …
social engineering
north korea
macos
credential harvesting
cryptocurrency theft
tcc bypass
applescript
2026-04-17
com.apple.cli
com.google.chromes.updaters
icloudz
sapphire sleet
services
softwareupdate.app
systemupdate.app
Published: April 17, 2026
Downloadable IOCs: 13

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to s…
infostealer
seo poisoning
macos
clickfix
maas
macsync stealer
macsync
cryptocurrency wallet
2026-04-09
ledger trojanization
Published: April 9, 2026
Downloadable IOCs: 12

ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer

Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload — bypassing Terminal entirely.
infostealer
macos
clickfix
applescript
2026-04-08
atomicstealer
Published: April 8, 2026
Downloadable IOCs: 4

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

A new macOS infostealer called Infiniti Stealer has been discovered, utilizing ClickFix delivery and Python/Nuitka compilation. The malware spreads through a fake CAPTCHA page, tricking users into running a command themselves. The final payload is a Python-based stealer compiled with Nuitka, making…
infostealer
macos
clickfix
2026-03-27
infiniti stealer
nuitka
Published: March 27, 2026
Linked vulnerabilities : CVE-2026-20963 (CVSS 8.8)
Downloadable IOCs: 2

ClickFix Campaigns Targeting Windows and macOS

Insikt Group identified five distinct clusters using the ClickFix social engineering technique for initial access. These clusters impersonate various services like Intuit QuickBooks and Booking.com, demonstrating operational variance but similar core techniques. ClickFix manipulates victims into ex…
obfuscation
social engineering
windows
macos
lumma stealer
vidar
redline stealer
clickfix
netsupport rat
initial access
lummastealer
living-off-the-land
odyssey stealer
macsync
2026-03-25
Published: March 25, 2026
Downloadable IOCs: 18

GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer

The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The…
credential-theft
macos
github
supply-chain-attack
2026-03-23
ghostclaw
ghostloader
Published: March 23, 2026
Downloadable IOCs: 16

Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets

A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The a…
infostealer
macos
atomic stealer
clickfix
browser data theft
applescript
odyssey stealer
macsync stealer
2026-03-09
shub stealer
Published: March 9, 2026
Downloadable IOCs: 3

New malicious npm package 'ambar-src' targets developers with open source malware

A malicious npm package named "ambar-src" reached 50,000 downloads in days before being removed from the registry. It uses a preinstall script to execute malicious code during installation, targeting Windows, Linux, and macOS systems. The package employs detection evasion techniques and deploys pow…
linux
windows
supply chain
macos
npm
open-source malware
detection evasion
2026-02-27
apfell
mythicagents
preinstall script
reverse_ssh
yandex cloud
Published: February 27, 2026
Downloadable IOCs: 6

Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infecti…
stealer
macos
amos
supply chain attack
atomic macos stealer (amos)
clawhub
openclaw
2026-02-23
ai manipulation
skillsmp
Published: February 23, 2026
Downloadable IOCs: 29

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl command…
typosquatting
infostealer
cryptocurrency
persistence
macos
cuckoo stealer
credential harvesting
c2
clickfix
2026-02-19
homebrew
Published: February 19, 2026
Linked vulnerabilities : CVE-2026-25253 (CVSS 8.8)
Downloadable IOCs: 5

The Curious Case of the Triton Malware Fork

A malicious fork of the MacOS app Triton was discovered on GitHub, containing Windows-targeted malware disguised as the legitimate application. The attacker modified the repository, redirecting download links to a ZIP file hosting the malware. Analysis revealed sophisticated evasion techniques, ant…
malware
windows
macos
open-source
github
triton
2026-02-19
code-hosting
fork
triton malware fork
Published: February 19, 2026
Downloadable IOCs: 3

Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering

North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The at…
malware
social engineering
north korea
cryptocurrency
macos
ai
web3
2026-02-09
chromepush
deepbreath
hiddencall
hypercall
silencelift
sugarloader
waveshaper
Published: February 9, 2026
Downloadable IOCs: 15

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The at…
malware
social engineering
north korea
cryptocurrency
macos
ai
web3
2026-02-09
chromepush
deepbreath
hiddencall
hypercall
silencelift
sugarloader
waveshaper
Published: February 9, 2026
Downloadable IOCs: 15

Infostealers without borders: macOS, Python stealers, and platform abuse

Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilit…
social engineering
python
infostealer
macos
credential theft
atomic macos stealer
fileless execution
platform abuse
pxa stealer
eternidade stealer
macsync
2026-02-02
digitstealer
Published: February 2, 2026
Downloadable IOCs: 23

Weekly Threat Bulletin – January 28th, 2026

This weekly threat bulletin highlights several critical vulnerabilities and emerging threats. A severe RCE vulnerability in React Server Components and Next.js (CVE-2025-55182) is being actively exploited. CISA added four critical flaws to its 'Must-Patch' list, including vulnerabilities in Versa C…
ransomware
xmrig
cobalt strike
macos
mirai
sliver
gafgyt
qilin
cisa
interlock
rce
lizkebab
bashlite
aisuru
clop
vshell
next.js
CVE-2025-31125
CVE-2025-34026
pulsepack
rondodox
CVE-2025-54313
beacon
morte
CVE-2025-61882
oracle e-business suite
nezha
agenda
CVE-2025-55182
react
peerblight
etherrat
CVE-2025-68645
rondo
monetastealer
gitlab
2026-01-28
agendacrypt
angryrebel
bash0day
bpfdoor
compood
kswapdoor
lzrd
masuta
miori
noodle rat
okiru
puremasuta
resgod
rondobot
satori
scavenger
splinter
torlus
wicked
Published: January 28, 2026
Linked vulnerabilities : CVE-2025-24893 (CVSS 9.8), CVE-2023-1389, CVE-2025-31125 (CVSS 5.3), CVE-2025-34026 (CVSS 9.2), CVE-2025-54313 (CVSS 7.5), CVE-2025-61882 (CVSS 9.8), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-68645 (CVSS 8.8), CVE-2025-13335 (CVSS 6.5), CVE-2025-13927 (CVSS 7.5), CVE-2025-13928 (CVSS 7.5), CVE-2026-0723 (CVSS 7.4), CVE-2026-1102 (CVSS 5.3)
Downloadable IOCs: 37

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since Septem…
windows
infostealer
seo poisoning
macos
github
applescript
macsync
2026-01-26
pagerduty
Published: January 26, 2026
Downloadable IOCs: 3

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based appro…
phishing
infostealer
cryptocurrency
macos
electron
2026-01-21
hardware wallet
macsync
trojanization
Published: January 21, 2026
Downloadable IOCs: 6

Threat Actors Expand Abuse of Microsoft Visual Studio Code

North Korean threat actors have evolved their techniques in the Contagious Interview campaign, now abusing Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, often disguised as part of a recruitment process. If trust is …
backdoor
macos
javascript
node.js
c2
github
contagious interview
visual studio code
2026-01-21
gitlab
Published: January 21, 2026
Downloadable IOCs: 8

Analyzing the MonetaStealer macOS Threat

Security researchers discovered a suspicious Mach-O binary masquerading as a Windows .exe file, named MonetaStealer. This PyInstaller-compiled malware targets macOS systems and is believed to be in early development. MonetaStealer focuses on stealing Chrome browser data, cryptocurrency wallet infor…
cryptocurrency
stealer
macos
telegram
ssh
pyinstaller
chrome
2026-01-19
keychain
monetastealer
wi-fi
Published: January 19, 2026
Linked vulnerabilities : CVE-2025-24277
Downloadable IOCs: 4

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an…
evasion
infostealer
macos
dropper
notarized
2025-12-23
code-signed
macsync stealer
odyssey infostealer
swift
Published: December 23, 2025
Downloadable IOCs: 11

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy A…
social engineering
stealer
persistence
macos
credential harvesting
chatgpt
amos
atomic macos stealer
seo manipulation
2025-12-10
ai-poisoning
grok
Published: December 10, 2025
Downloadable IOCs: 8

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync…
ios
social engineering
macos
cybersecurity
CVE-2025-27915
push notifications
2025-11-26
balada injector
calendar subscriptions
expired domains
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-27915 (CVSS 5.4)
Downloadable IOCs: 7

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, colle…
phishing
persistence
macos
bash
modular
2025-11-14
cryptostealer
novastealer
wallet-targeting
Published: November 14, 2025
Downloadable IOCs: 7

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …
rat
phishing
infostealer
macos
remote access
clickfix
deerstealer
captcha
odyssey
2025-10-10
clipboard
iuam
clickfix generator
Published: October 10, 2025
Downloadable IOCs: 59

XCSSET evolves again: Analyzing the latest updates to XCSSET's inventory

A new variant of the XCSSET malware, designed to infect Xcode projects, has been identified with key changes in browser targeting, clipboard hijacking, and persistence mechanisms. This variant employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for steal…
persistence
macos
applescript
xcsset
xcode
firefox
clipboard hijacking
2025-09-25
browser targeting
launchdaemon
Published: September 25, 2025
Downloadable IOCs: 31

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

A new phishing campaign is targeting crypto industry developers and influencers with fake interview requests impersonating the popular Empire podcast. Attackers pose as hosts, luring victims to fraudulent websites mimicking platforms like Streamyard and Huddle. These sites prompt users to download …
phishing
macos
crypto
amos stealer
2025-09-19
huddle
empire podcast
fake interviews
streamyard
Published: September 19, 2025
Downloadable IOCs: 7

Learn about ChillyHell, a modular Mac backdoor

ChillyHell is a sophisticated macOS backdoor discovered in 2021 that has evaded detection by antivirus vendors. It is a modular C++ malware targeting Intel architectures, using multiple persistence mechanisms and communication protocols. The backdoor performs host profiling, establishes persistence…
backdoor
dns
persistence
macos
modular
matanbuchus
c2
http
2025-09-10
password-cracking
notarized
chillyhell
Published: September 10, 2025
Downloadable IOCs: 0

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade d…
social engineering
stealer
persistence
macos
data exfiltration
amos
atomic macos stealer
2025-09-04
cracked apps
gatekeeper bypass
Published: September 4, 2025
Downloadable IOCs: 0

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure

A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fa…
phishing
data theft
macos
clickfix
c2 infrastructure
applescript
2025-08-22
cryptowallet
terminal commands
Published: August 22, 2025
Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks

From September to December 2024, incidents involving CrossC2, an extension tool for Cobalt Strike Beacon on Linux, were confirmed. The attacker used CrossC2 along with other tools like PsExec, Plink, and Cobalt Strike to penetrate AD. A custom malware called ReadNimeLoader was used as a loader for …
linux
cobalt strike
macos
systembc
psexec
2025-08-15
readnimeloader
crossc2
ad
odinldr
Published: August 15, 2025
Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…
phishing
macos
credential theft
clickfix
applescript
odyssey stealer
2025-08-07
crypto wallet
Published: August 7, 2025
Downloadable IOCs: 3

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…
backdoor
infostealer
cryptocurrency
persistence
macos
amos
2025-07-17
code-signing
notarization
odyssey
odyssey stealer
Published: July 17, 2025
Downloadable IOCs: 0

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…
malware
social engineering
impersonation
windows
cryptocurrency
macos
fake companies
atomic stealer
information stealer
realst
2025-07-16
Published: July 16, 2025
Downloadable IOCs: 1

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

A new variant of macOS.ZuRu malware has been discovered, targeting users through a trojanized version of the Termius app. This backdoor, initially noted in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered via a .dmg disk image containing a hacked…
backdoor
persistence
macos
trojan
2025-07-10
khepri
zuru
c2 beacon
khepri c2
termius
macos.zuru
Published: July 10, 2025
Downloadable IOCs: 4

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…
cryptocurrency
macos
process injection
web3
applescript
websocket
2025-07-04
nimdoor
Published: July 4, 2025
Downloadable IOCs: 9

Hiding in GitHub

An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and…
obfuscation
cryptocurrency
stealer
macos
github
amos
ledger
2025-06-20
hardware-wallet
Published: June 20, 2025
Downloadable IOCs: 4

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

Typosquatted Go Packages Deliver Malware Loader Targeting Li...

A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. Th…
linux
obfuscation
typosquatting
macos
supply-chain-attack
2025-04-04
elf-malware
go-packages
f0eee999
Published: April 4, 2025
Downloadable IOCs: 0

Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants

ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote comm…
malware
loader
persistence
macos
adware
rust
go
2025-03-26
nim
genieo
crystal
silver toucan
dolittle
wizardupdate
updateagent
readerupdate
Published: March 26, 2025
Downloadable IOCs: 12

New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated macOS malware that infects Xcode projects. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware steals and exfiltrates files, system …
obfuscation
data theft
persistence
macos
modular
2025-03-11
xcsset
xcode
digital wallets
Published: March 11, 2025
Downloadable IOCs: 31

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. T…
apt
macos
rust
2025-02-26
cryptocurrencies
koi stealer
studio helper
rustdoor c2
Published: February 26, 2025
Downloadable IOCs: 21

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package contain…
persistence
developers
macos
dropper
github
dprk
contagious interview
2025-02-04
friendlyferret_secd
flexibleferret
frostyferret_ui
chromeupdate
multi_frostyferret_cmdcodes
Published: February 4, 2025
Downloadable IOCs: 2

Unmasking SparkRAT: Detection & macOS Campaign Insights

SparkRAT, a versatile malware tool, continues to pose a significant threat due to its modular design and cross-platform support. Recent investigations have uncovered new infrastructure associated with a suspected DPRK campaign targeting macOS users. The analysis reveals techniques for detecting Spa…
xworm
macos
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 0

2024 macOS Malware Review | Infostealers, Backdoors, and APT Campaigns Targeting the Enterprise

The year 2024 saw a significant increase in malware campaigns targeting macOS users in enterprise environments. Threats included infostealers disguised as business apps, sophisticated modular backdoors, and APT activities. Notable malware families included Amos Atomic infostealers, Backdoor Activat…
macos
2025-01-21
Published: January 21, 2025
Downloadable IOCs: 23

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…
windows
macos
social-engineering
information theft
cross-platform
ai-generated content
web3
2024-12-07
meeten
electron application
crypto-stealer
realst
Published: December 7, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

New threat targeting macOS discovered

Jamf Threat Labs uncovered malware samples linked to North Korea, built using Flutter, which provides inherent obfuscation. The malware, discovered in late October, includes Go, Python, and Flutter variants. The Flutter-built application presents a minesweeper game while making network requests to …
obfuscation
python
macos
golang
dprk
2024-11-13
applescript
stage-one-payload
flutter
Published: November 13, 2024
Downloadable IOCs: 0

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

New macOS vulnerability, "HM Surf", could lead to unauthorized data access

A new macOS vulnerability called 'HM Surf' has been discovered that could allow attackers to bypass the Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The exploit involves removing TCC protection for the Safari browser directory and modifyin…
vulnerability
macos
adload
CVE-2024-44133
2024-10-18
privacy
safari
tcc bypass
hm surf
browser security
Published: October 18, 2024
Downloadable IOCs: 0

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

New macOS malware gives attackers backdoor access to Macs

A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
backdoor
surveillance
rat
macos
malicious
hz rat
2024-09-16
Published: September 16, 2024
Downloadable IOCs: 25

A SOC Team’s Guide to Detecting macOS Atomic Stealers

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …
malware
obfuscation
infostealer
macos
crimeware
poseidon
2024-09-13
rodrigostealer
cthulu
amos atomic
banshee
Published: September 13, 2024
Downloadable IOCs: 3

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

HZ Rat backdoor for macOS harvests data from WeChat and DingTalk

A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
backdoor
macos
trojan
2024-08-27
instant messengers
hz rat
dingtalk
wechat
openvpn
Published: August 27, 2024
Downloadable IOCs: 10

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…
cryptocurrency
stealer
macos
golang
atomic stealer
2024-08-23
maas
cthulhu stealer
Published: August 23, 2024
Downloadable IOCs: 9

TodoSwift Disguises Malware Download Behind Bitcoin PDF

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's t…
cryptocurrency
macos
dropper
2024-08-19
rustbucket
kandykorn
todoswift
Published: August 19, 2024
Downloadable IOCs: 7

Beyond the wail: deconstructing the BANSHEE infostealer

This analysis details the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets. Developed by Russian threat actors, it operates across macOS x86_64 and ARM64 architectures. The malware is designed to evade detection through anti-debugg…
infostealer
macos
2024-08-16
c++
banshee stealer
sysctl api
Published: August 16, 2024
Downloadable IOCs: 2

InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes APIs to evade detection and carries out malicious operations in distinct stages, first executing a Swift-based dropper that displays a…
infostealer
macos
dropper
2024-08-09
swiftui
cryptotrade
Published: August 9, 2024
Downloadable IOCs: 1

Fake Microsoft Teams for Mac delivers Atomic Stealer

A malvertising campaign lures Mac users into downloading a counterfeit Microsoft Teams installer containing Atomic Stealer, a data-stealing malware. The campaign uses advanced filtering techniques, compromised ad accounts, and decoy pages to deliver unique payloads that bypass security measures. Up…
malvertising
data theft
stealer
macos
adware
2024-07-12
atomic stealer
Published: July 12, 2024
Downloadable IOCs: 6

Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual meeting software called Vortax that, upon download and installation, delivers three information stealers (“infostealers”) in cross-platform attacks — Rhadamanthys, Stealc, and, most notably, Ato…
macos
c2
2024-06-20
Published: June 20, 2024
Downloadable IOCs: 60

LightSpy: Implant for macOS

A technical analysis reveals details about LightSpy, a sophisticated surveillance framework that targeted macOS devices using publicly available exploits. The report provides insights into the threat actor's tactics, including exploiting vulnerabilities to deliver implants, exfiltrating private dat…
lightspy
exploit
macos
2024-05-30
Published: May 30, 2024
Linked vulnerabilities : CVE-2018-4404, CVE-2018-4233
Downloadable IOCs: 43

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…
obfuscation
infostealer
persistence
macos
spyware
2024-05-05
2024-05-06
2024-05-07
2024-05-08
cuckoo stealer
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 4

macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a sp…
evasion
macos
dropper
adware
apple
adload
Published: May 1, 2024
Downloadable IOCs: 11

LightSpy Malware Variant Targeting macOS

This report details the discovery of a macOS variant of the LightSpy malware, previously known to target iOS and Android devices. The macOS implant consists of a dropper that downloads and runs a core implant dylib, which in turn loads various plugins to accomplish malicious tasks. The report provi…
lightspy
macos
dropper
implant
plugins
Published: April 29, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports