{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/windshift-apt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["WINDSHIFT APT"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["macos","url-scheme","apt"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe WINDSHIFT APT group is utilizing a novel infection mechanism to compromise macOS systems, observed as early as 2018. This method involves exploiting custom URL schemes, allowing for remote exploitation with limited user interaction. By crafting a malicious application that registers a custom URL scheme, attackers can trigger its execution when a user interacts with a specially crafted link (e.g., via a web page or email). This initial access can then be leveraged for further exploitation, such as bypassing System Integrity Protection (SIP) or dumping the keychain. This technique has been successfully used against government targets in the Middle East.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious application designed to register a custom URL scheme (e.g., \u003ccode\u003ewindshift://\u003c/code\u003e). This is done by modifying the application\u0026rsquo;s \u003ccode\u003eInfo.plist\u003c/code\u003e file to include the \u003ccode\u003eCFBundleURLTypes\u003c/code\u003e key with the custom URL scheme.\u003c/li\u003e\n\u003cli\u003eThe victim downloads or saves the malicious application to their file system.\u003c/li\u003e\n\u003cli\u003emacOS automatically registers the custom URL scheme when the application is saved to disk. This triggers an XPC message to the \u003ccode\u003elaunchservicesd\u003c/code\u003e daemon.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elaunchservicesd\u003c/code\u003e daemon parses the application\u0026rsquo;s \u003ccode\u003eInfo.plist\u003c/code\u003e file, extracts the custom URL scheme, and registers it in its database.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers a crafted link (e.g., via email or a web page) using the registered custom URL scheme (e.g., \u003ccode\u003e\u0026lt;a href=\u0026quot;windshift://payload\u0026quot;\u0026gt;Click here\u0026lt;/a\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious link.\u003c/li\u003e\n\u003cli\u003eThe operating system consults its registered URL schemes and launches the malicious application.\u003c/li\u003e\n\u003cli\u003eThe malicious application executes arbitrary code, potentially downloading and installing further payloads, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain initial access to a macOS system. This can lead to the execution of arbitrary code, data exfiltration, and the installation of persistent backdoors. The WINDSHIFT APT group has successfully used this technique against government targets in the Middle East. If successful, this attack could result in the compromise of sensitive information, disruption of services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for applications launched via custom URL schemes. Implement the \u003ccode\u003eDetect Suspicious Custom URL Scheme Execution\u003c/code\u003e Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInspect application \u003ccode\u003eInfo.plist\u003c/code\u003e files for suspicious or unexpected \u003ccode\u003eCFBundleURLTypes\u003c/code\u003e entries, especially during software installation or updates.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks associated with clicking on untrusted links, even if they appear to be benign.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and auditing to capture details about process execution and file system changes.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unsigned or untrusted applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T07:33:40Z","date_published":"2026-05-07T07:33:40Z","id":"/briefs/2024-01-windshift-mac-url-scheme/","summary":"The WINDSHIFT APT group is infecting Macs by abusing custom URL schemes, where advertising support for a custom URL scheme in an application's Info.plist causes the application to be automatically launched when a URL with that scheme is opened, allowing attackers to remotely compromise systems with minimal user interaction and creating an initial access vector.","title":"WINDSHIFT APT Abuses Custom URL Schemes for macOS Infection","url":"https://feed.craftedsignal.io/briefs/2024-01-windshift-mac-url-scheme/"}],"language":"en","title":"CraftedSignal Threat Feed — WINDSHIFT APT","version":"https://jsonfeed.org/version/1.1"}