Tag: macos

54 Attack Reports | 0 Vulnerabilities

Attack reports

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an…
evasion
infostealer
macos
dropper
notarized
2025-12-23
code-signed
macsync stealer
odyssey infostealer
swift
Published: December 23, 2025
Downloadable IOCs: 11

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy A…
social engineering
stealer
persistence
macos
credential harvesting
chatgpt
amos
atomic macos stealer
seo manipulation
2025-12-10
ai-poisoning
grok
Published: December 10, 2025
Downloadable IOCs: 8

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync…
ios
social engineering
macos
cybersecurity
CVE-2025-27915
push notifications
2025-11-26
balada injector
calendar subscriptions
expired domains
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-27915 (CVSS 5.4)
Downloadable IOCs: 7

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, colle…
phishing
persistence
macos
bash
modular
2025-11-14
cryptostealer
novastealer
wallet-targeting
Published: November 14, 2025
Downloadable IOCs: 7

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …
rat
phishing
infostealer
macos
remote access
clickfix
deerstealer
captcha
odyssey
2025-10-10
clipboard
iuam
clickfix generator
Published: October 10, 2025
Downloadable IOCs: 59

XCSSET evolves again: Analyzing the latest updates to XCSSET's inventory

A new variant of the XCSSET malware, designed to infect Xcode projects, has been identified with key changes in browser targeting, clipboard hijacking, and persistence mechanisms. This variant employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for steal…
persistence
macos
applescript
xcsset
xcode
firefox
clipboard hijacking
2025-09-25
browser targeting
launchdaemon
Published: September 25, 2025
Downloadable IOCs: 31

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

A new phishing campaign is targeting crypto industry developers and influencers with fake interview requests impersonating the popular Empire podcast. Attackers pose as hosts, luring victims to fraudulent websites mimicking platforms like Streamyard and Huddle. These sites prompt users to download …
phishing
macos
crypto
amos stealer
2025-09-19
huddle
empire podcast
fake interviews
streamyard
Published: September 19, 2025
Downloadable IOCs: 7

Learn about ChillyHell, a modular Mac backdoor

ChillyHell is a sophisticated macOS backdoor discovered in 2021 that has evaded detection by antivirus vendors. It is a modular C++ malware targeting Intel architectures, using multiple persistence mechanisms and communication protocols. The backdoor performs host profiling, establishes persistence…
backdoor
dns
persistence
macos
modular
matanbuchus
c2
http
2025-09-10
password-cracking
notarized
chillyhell
Published: September 10, 2025
Downloadable IOCs: 0

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade d…
social engineering
stealer
persistence
macos
data exfiltration
amos
atomic macos stealer
2025-09-04
cracked apps
gatekeeper bypass
Published: September 4, 2025
Downloadable IOCs: 0

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure

A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fa…
phishing
data theft
macos
clickfix
c2 infrastructure
applescript
2025-08-22
cryptowallet
terminal commands
Published: August 22, 2025
Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks

From September to December 2024, incidents involving CrossC2, an extension tool for Cobalt Strike Beacon on Linux, were confirmed. The attacker used CrossC2 along with other tools like PsExec, Plink, and Cobalt Strike to penetrate AD. A custom malware called ReadNimeLoader was used as a loader for …
linux
cobalt strike
macos
systembc
psexec
2025-08-15
readnimeloader
crossc2
ad
odinldr
Published: August 15, 2025
Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…
phishing
macos
credential theft
clickfix
applescript
odyssey stealer
2025-08-07
crypto wallet
Published: August 7, 2025
Downloadable IOCs: 3

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…
backdoor
infostealer
cryptocurrency
persistence
macos
amos
2025-07-17
code-signing
notarization
odyssey
odyssey stealer
Published: July 17, 2025
Downloadable IOCs: 0

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…
malware
social engineering
impersonation
windows
cryptocurrency
macos
fake companies
atomic stealer
information stealer
realst
2025-07-16
Published: July 16, 2025
Downloadable IOCs: 1

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

A new variant of macOS.ZuRu malware has been discovered, targeting users through a trojanized version of the Termius app. This backdoor, initially noted in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered via a .dmg disk image containing a hacked…
backdoor
persistence
macos
trojan
2025-07-10
khepri
zuru
c2 beacon
khepri c2
termius
macos.zuru
Published: July 10, 2025
Downloadable IOCs: 4

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…
cryptocurrency
macos
process injection
web3
applescript
websocket
2025-07-04
nimdoor
Published: July 4, 2025
Downloadable IOCs: 9

Hiding in GitHub

An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and…
obfuscation
cryptocurrency
stealer
macos
github
amos
ledger
2025-06-20
hardware-wallet
Published: June 20, 2025
Downloadable IOCs: 4

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

Typosquatted Go Packages Deliver Malware Loader Targeting Li...

A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. Th…
linux
obfuscation
typosquatting
macos
supply-chain-attack
2025-04-04
elf-malware
go-packages
f0eee999
Published: April 4, 2025
Downloadable IOCs: 0

Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants

ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote comm…
malware
loader
persistence
macos
adware
rust
go
2025-03-26
nim
genieo
crystal
silver toucan
dolittle
wizardupdate
updateagent
readerupdate
Published: March 26, 2025
Downloadable IOCs: 12

New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated macOS malware that infects Xcode projects. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware steals and exfiltrates files, system …
obfuscation
data theft
persistence
macos
modular
2025-03-11
xcsset
xcode
digital wallets
Published: March 11, 2025
Downloadable IOCs: 31

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. T…
apt
macos
rust
2025-02-26
cryptocurrencies
koi stealer
studio helper
rustdoor c2
Published: February 26, 2025
Downloadable IOCs: 21

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package contain…
persistence
developers
macos
dropper
github
dprk
contagious interview
2025-02-04
friendlyferret_secd
flexibleferret
frostyferret_ui
chromeupdate
multi_frostyferret_cmdcodes
Published: February 4, 2025
Downloadable IOCs: 2

Unmasking SparkRAT: Detection & macOS Campaign Insights

SparkRAT, a versatile malware tool, continues to pose a significant threat due to its modular design and cross-platform support. Recent investigations have uncovered new infrastructure associated with a suspected DPRK campaign targeting macOS users. The analysis reveals techniques for detecting Spa…
xworm
macos
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 0

2024 macOS Malware Review | Infostealers, Backdoors, and APT Campaigns Targeting the Enterprise

The year 2024 saw a significant increase in malware campaigns targeting macOS users in enterprise environments. Threats included infostealers disguised as business apps, sophisticated modular backdoors, and APT activities. Notable malware families included Amos Atomic infostealers, Backdoor Activat…
macos
2025-01-21
Published: January 21, 2025
Downloadable IOCs: 23

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…
windows
macos
social-engineering
information theft
cross-platform
ai-generated content
web3
2024-12-07
meeten
electron application
crypto-stealer
realst
Published: December 7, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

New threat targeting macOS discovered

Jamf Threat Labs uncovered malware samples linked to North Korea, built using Flutter, which provides inherent obfuscation. The malware, discovered in late October, includes Go, Python, and Flutter variants. The Flutter-built application presents a minesweeper game while making network requests to …
obfuscation
python
macos
golang
dprk
2024-11-13
applescript
stage-one-payload
flutter
Published: November 13, 2024
Downloadable IOCs: 0

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

New macOS vulnerability, "HM Surf", could lead to unauthorized data access

A new macOS vulnerability called 'HM Surf' has been discovered that could allow attackers to bypass the Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The exploit involves removing TCC protection for the Safari browser directory and modifyin…
vulnerability
macos
adload
CVE-2024-44133
2024-10-18
privacy
safari
tcc bypass
hm surf
browser security
Published: October 18, 2024
Downloadable IOCs: 0

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

New macOS malware gives attackers backdoor access to Macs

A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
backdoor
surveillance
rat
macos
malicious
hz rat
2024-09-16
Published: September 16, 2024
Downloadable IOCs: 25

A SOC Team’s Guide to Detecting macOS Atomic Stealers

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …
malware
obfuscation
infostealer
macos
crimeware
poseidon
2024-09-13
rodrigostealer
cthulu
amos atomic
banshee
Published: September 13, 2024
Downloadable IOCs: 3

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

HZ Rat backdoor for macOS harvests data from WeChat and DingTalk

A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
backdoor
macos
trojan
2024-08-27
instant messengers
hz rat
dingtalk
wechat
openvpn
Published: August 27, 2024
Downloadable IOCs: 10

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…
cryptocurrency
stealer
macos
golang
atomic stealer
2024-08-23
maas
cthulhu stealer
Published: August 23, 2024
Downloadable IOCs: 9

TodoSwift Disguises Malware Download Behind Bitcoin PDF

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's t…
cryptocurrency
macos
dropper
2024-08-19
rustbucket
kandykorn
todoswift
Published: August 19, 2024
Downloadable IOCs: 7

Beyond the wail: deconstructing the BANSHEE infostealer

This analysis details the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets. Developed by Russian threat actors, it operates across macOS x86_64 and ARM64 architectures. The malware is designed to evade detection through anti-debugg…
infostealer
macos
2024-08-16
c++
banshee stealer
sysctl api
Published: August 16, 2024
Downloadable IOCs: 2

InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes APIs to evade detection and carries out malicious operations in distinct stages, first executing a Swift-based dropper that displays a…
infostealer
macos
dropper
2024-08-09
swiftui
cryptotrade
Published: August 9, 2024
Downloadable IOCs: 1

Fake Microsoft Teams for Mac delivers Atomic Stealer

A malvertising campaign lures Mac users into downloading a counterfeit Microsoft Teams installer containing Atomic Stealer, a data-stealing malware. The campaign uses advanced filtering techniques, compromised ad accounts, and decoy pages to deliver unique payloads that bypass security measures. Up…
malvertising
data theft
stealer
macos
adware
2024-07-12
atomic stealer
Published: July 12, 2024
Downloadable IOCs: 6

Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual meeting software called Vortax that, upon download and installation, delivers three information stealers (“infostealers”) in cross-platform attacks — Rhadamanthys, Stealc, and, most notably, Ato…
macos
c2
2024-06-20
Published: June 20, 2024
Downloadable IOCs: 60

LightSpy: Implant for macOS

A technical analysis reveals details about LightSpy, a sophisticated surveillance framework that targeted macOS devices using publicly available exploits. The report provides insights into the threat actor's tactics, including exploiting vulnerabilities to deliver implants, exfiltrating private dat…
lightspy
exploit
macos
2024-05-30
Published: May 30, 2024
Linked vulnerabilities : CVE-2018-4404, CVE-2018-4233
Downloadable IOCs: 43

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…
obfuscation
infostealer
persistence
macos
spyware
2024-05-05
2024-05-06
2024-05-07
2024-05-08
cuckoo stealer
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 4

macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a sp…
evasion
macos
dropper
adware
apple
adload
Published: May 1, 2024
Downloadable IOCs: 11

LightSpy Malware Variant Targeting macOS

This report details the discovery of a macOS variant of the LightSpy malware, previously known to target iOS and Android devices. The macOS implant consists of a dropper that downloads and runs a core implant dylib, which in turn loads various plugins to accomplish malicious tasks. The report provi…
lightspy
macos
dropper
implant
plugins
Published: April 29, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports