Threat Feed

Vendor

Apple

53 briefs
high threat

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor. It is delivered through malicious desktop applications used for adware distribution and provides backdoor capabilities such as command execution and file system manipulation; some variants use AI summarization for data exfiltration.

Chrome +5 CL-CRI-1089 malvertising macos backdoor
3r 1t 8i
critical advisory

Multiple Vulnerabilities in Apple macOS Sequoia, Sonoma, and Tahoe

A remote, anonymous attacker can exploit multiple vulnerabilities in Apple macOS to gain root privileges, execute arbitrary code, cause a denial-of-service condition, disclose confidential information, modify data, or bypass security measures.

macOS Sequoia +2 vulnerability macos privilege-escalation execution impact discovery defense-evasion
2r 5t
medium advisory

macOS TCC Database Modification for Privacy Control Bypass

Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.

macOS privacy-bypass defense-evasion
2r 2t 1c
high advisory

Emergence of Chinese-Language Phishing-as-a-Service (PhaaS) Ecosystem

A rapidly growing Chinese-language PhaaS ecosystem is shifting towards real-time interception of credentials and tokenization of stolen payment data, bypassing traditional SMS security filters with encrypted channels like RCS and iMessage, and employing AI-based automation to evade detection.

iMessage phishing phaas credential-theft social-engineering
2r 2t
high advisory

SHub Reaper Stealer Backdoors macOS with Multi-Brand Spoofing

The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.

WeChat +3 macos infostealer backdoor social-engineering applescript
3r 4t
critical threat

CVE-2024-23222 Apple Safari Type Confusion Leading to Sandbox Escape

A type confusion vulnerability exists in Apple Safari, as detailed in CVE-2024-23222. A public exploit demonstrates successful exploitation of the vulnerability on iOS 16.4.1, leading to a sandbox escape; the vulnerability has been patched in iOS 17.3 and macOS 14.3.

Safari cve-2024-23222 type-confusion sandbox-escape webkit
2r 2t 1c 1i
critical advisory

CUPS Multiple Vulnerabilities Allow Arbitrary Code Execution

A remote, anonymous attacker can exploit multiple vulnerabilities in CUPS to execute arbitrary program code with the privileges of the service and to disclose information.

CUPS rce vulnerability
2r 2t
high advisory

SHub macOS Infostealer Variant 'Reaper' Spoofing Apple Security Updates

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

Chrome +19 macos infostealer shub reaper malware
3r 5t 3i
medium advisory

Q1 2026 Mobile Threat Landscape: SparkCat and Triada Updates

The Q1 2026 mobile threat landscape saw a decrease in overall attack volume driven by reduced adware and RiskTool detections, while the number of unique users targeted remained stable, with new SparkCat variants on app stores and increased banking Trojan and Triada backdoor activity.

Google Play +2 mobile malware trojan cryptostealer sparkcat triada android ios
2r 1t
high advisory

AMOS (Atomic macOS Stealer) Malware Targeting macOS Systems

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.

Firefox +6 macos amos infostealer
3r 7t
high advisory

Multiple Vulnerabilities in Apple Products Allow for Arbitrary Code Execution, Privilege Escalation, and Data Confidentiality Compromise

Multiple vulnerabilities in Apple products could allow an attacker to execute arbitrary code, escalate privileges, and compromise data confidentiality.

iOS +7 vulnerability apple code execution privilege escalation data breach
2r 3t 5c
high advisory

Multiple Vulnerabilities in Apple macOS Sonoma, Sequoia, and Tahoe

Multiple vulnerabilities exist in Apple macOS Sonoma, macOS Sequoia, and macOS Tahoe that could allow an attacker to elevate privileges, conduct a denial-of-service attack, disclose information, execute arbitrary code, and bypass security measures.

macOS Sonoma +2 macos vulnerability privilege-escalation defense-evasion execution information-discovery denial-of-service
2r 6t
high advisory

Multiple Vulnerabilities in Apple macOS

Multiple vulnerabilities in Apple macOS allow an attacker to bypass security measures, conduct denial of service attacks, disclose information, manipulate files, and escalate privileges.

macOS vulnerability
2r 4t
medium advisory

Suspicious macOS MS Office Child Process

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.

Microsoft Word +7 endpoint macos initial_access microsoft_office
2r 6t
high advisory

Malvertising Campaign Abuses Google Ads and Claude.ai for macOS Malware Delivery

Attackers are using Google Ads malvertising and weaponized Claude.ai shared chats to trick macOS users into downloading and executing malware, leading to credential theft and system compromise.

Google Ads +1 malvertising macos infostealer googleads claudeai
3r 1t 3i
high threat

WINDSHIFT APT Abuses Custom URL Schemes for macOS Infection

The WINDSHIFT APT group is infecting Macs by abusing custom URL schemes. When an application advertises support for a custom URL scheme in its Info.plist, macOS automatically launches that application whenever a URL with that scheme is opened, allowing attackers to remotely compromise systems with minimal user interaction and giving them an initial access vector.

macOS WINDSHIFT APT url-scheme apt
2r 1t
medium advisory

Mac Adware Injecting Malicious JavaScript via Obfuscated Python Script

A Mac adware, likely a component of OSX.Pirrit, uses multiple layers of obfuscation, including base64 encoding, zlib compression, and variable renaming, to evade detection and inject malicious JavaScript from hxxps://1049434604.rsc.cdn77.org/ij1.min.js.

CleanMyMac X +1 adware macos python javascript_injection
2r 2t 1i
high threat

Adware Doctor Steals and Exfiltrates Browser History from Mac App Store Users

Adware Doctor, a popular app available on the Mac App Store, surreptitiously steals users' browsing history from Safari and Chrome, compresses the data into a password-protected zip archive, and exfiltrates it to a remote server.

Adware Doctor +1 adware exfiltration macos
2r 2t 9i
high advisory

CUPS Vulnerability Allows Local Privilege Escalation

A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.

CUPS privilege-escalation linux macos
2r 1t
medium advisory

Apple's App Translocation Security Mechanism

Apple's App Translocation in macOS v10.12 mitigates Gatekeeper bypasses (CVE-2015-3715, CVE-2015-7024) by creating a read-only DMG, impacting applications accessing external resources.

ictool app-translocation gatekeeper macos security-mitigation
2r 2c
critical advisory

macOS Privilege Escalation via Feedback Assistant Race Condition (CVE-2019-8565)

A race condition vulnerability (CVE-2019-8565) exists in macOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.

macOS +1 privilege-escalation xpc race-condition
2r 1t 1c
high threat

Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS

A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.

exploited Firefox +2 malware backdoor osx.mokes macos
2r 5t 1i
critical advisory

ToTok iOS Application Used for Government Surveillance

The ToTok iOS application, developed by Breej Holding Ltd., was identified as a spying tool used by the government of the United Arab Emirates (UAE) to track users' conversations, movements, and relationships by collecting sensitive user data and transmitting it to servers using self-signed certificates.

ToTok +1 spyware ios surveillance
2r 2t 2i
high advisory

OSX/CreativeUpdater Cryptominer Distributed via MacUpdate

OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website. A trojanized application bundle executes a script that downloads a Monero miner and installs it persistently via launch agents.

Firefox +3 cryptominer macos malware
3r 2t 7i
medium advisory

macOS Mojave Sandbox Distributed Notification Bypass

A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.

macOS sandbox-escape privacy
2r 1t
critical advisory

macOS Local Privilege Escalation via CVE-2017-7170

CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.

macOS privilege-escalation cve-2017-7170
2r 1t 1c
critical threat

macOS Synthetic Mouse Event Vulnerabilities

macOS is vulnerable to synthetic mouse event attacks, allowing threat actors to bypass security mechanisms and interact with protected UI components to perform unauthorized actions like dumping keychains and loading kernel extensions.

exploited macOS synthetic events privilege escalation defense evasion
3r 2t 1c
high threat

Lazarus Group's Dacls RAT Targets macOS

The Lazarus Group is distributing a new variant of the Dacls RAT targeting macOS systems via a trojanized application, installing a hidden executable and attempting persistence.

TinkaOTP.app +1 Lazarus Group +4 macos rat
3r 3t 1c 2i
medium advisory

macOS Mojave Beta Webcam and Microphone Access Bypass

macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.

macOS Mojave +2 macos webcam microphone applescript tcc
2r 1t
high advisory

Mac Malware Analysis of 2016: KeRanger, Keydnap, and Eleanor

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

Transmission.app +2 macos malware ransomware backdoor
2r 1t
medium threat

Calendar 2 Mac App Store Application Mines Cryptocurrency

The 'Calendar 2' application, available on the official Mac App Store, was found to surreptitiously mine cryptocurrency on users' Macs, utilizing the 'xmr-stak' miner to mine Monero (XMR) and report mining operations to calendar.qbix.com.

Calendar 2 +1 cryptocurrency miner macos appstore
3r 1t
high advisory

Coldroot RAT Targeting macOS

The Coldroot RAT is a cross-platform backdoor targeting macOS systems, providing remote attackers persistent access through a launch daemon, masquerading as an Apple audio driver, and beaconing to a command and control server.

macOS rat persistence coldroot
2r 2t 2i
high advisory

CrossRAT Multi-Platform Surveillanceware Analysis

CrossRAT is a Java-based, multi-platform surveillance tool targeting Windows, macOS, and Linux systems, capable of file system manipulation, screenshot capture, and persistence.

Mac OS X crossrat rat persistence surveillanceware
2r 1t
high threat

Lazarus Group's AppleJeus macOS Backdoor via JMT Trader

The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C&C server beastgoc.com.

macOS Lazarus Group +4 applejeus backdoor cryptocurrency
2r 2t 3i
high threat

macOS High Sierra APFS Password Disclosure Vulnerability (CVE-2017-7149)

CVE-2017-7149 is a vulnerability in macOS High Sierra (10.13) where the password for an encrypted APFS volume is stored as plain text in the password hint, potentially allowing a local attacker to gain unauthorized access.

macOS High Sierra +1 apfs password-disclosure privilege-escalation macos
2r 1t 1c
medium advisory

Generic Ransomware Detection on macOS

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

Transmission +1 ransomware malware macos
2r 1t
medium advisory

Apple Security Framework Crash due to Uninitialized Pointer

A crash was identified in Apple's Security framework due to an uninitialized pointer in the SecError function, leading to the dereference of an invalid memory address.

Security Framework security-framework crash uninitialized-pointer macos
2r
high threat

OSX.NetWire.A Backdoor Dropped via Firefox 0-day

A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.

exploited Firefox +1 osx malware backdoor
3r 2t 4i
critical threat

Zoom macOS Client Privilege Escalation Vulnerability

Zoom's macOS client contains a local privilege escalation vulnerability that allows an unprivileged attacker to gain root privileges by subverting the runwithroot script, due to the insecure use of the deprecated AuthorizationExecuteWithPrivileges API.

Zoom Client for Mac +1 privilege-escalation macos zoom
2r 1t
high threat

WindShift APT Targeting Middle East with OSX.WindTail macOS Implant

The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.

OSX.WindTail +2 WindShift macos apt cyber-espionage
2r 1t
medium advisory

RMM Domain DNS Queries from Non-Browser Processes

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Elastic Defend +9 command-and-control rmm dns
2r 75i
high threat

Microsoft Excel XLM Macro Remote Code Execution on macOS

A logic flaw in Microsoft Excel allows remote code execution on macOS via malicious XLM macros in SYLK files, bypassing the 'Disable all macros without notification' setting.

exploited Excel +4 xlm rce macro macos sylk
3r
medium advisory

macOS QuickLook Thumbnail Cache Leak

macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.

macOS quicklook cache thumbnail privacy
2r 1t
high advisory

macOS Mojave System Lockup via vmmap Utility Targeting PID 1

A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.

macOS Mojave macos lockup vmmap pid1
2r
medium advisory

macOS Kernel-to-Userland Process Creation Notification via undocumented kev_msg_post

The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.

BlockBlock kernel-extension kev_msg_post macos process-monitoring
2r
medium advisory

Detecting Persistence via Parsing macOS Login Item Files

This brief details a method for parsing macOS login item files to detect persistence mechanisms employed by malware or threat actors.

persistence macos
2r 1t
medium advisory

LSASS Loading Suspicious DLL

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

Windows credential-access lsass dll-injection
2r 2t 9i
medium advisory

macOS File Monitoring via Endpoint Security Framework

Objective-See details how to create a file monitor for macOS 10.15 using Apple's Endpoint Security Framework to capture file I/O events and process information.

macOS +6 file-monitoring endpoint-security
2r 1t
medium advisory

Signal 'Disappearing' Messages Persist in macOS Notification Center

macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.

Signal macos notification privacy credential-access
2r
medium advisory

Mac File Opener Adware Persists via Document Handler Registration

The 'Mac File Opener' adware achieves persistence by registering itself as a document handler for numerous file types, leveraging the Launch Services Daemon (lsd) to automatically parse the application's Info.plist and register the handlers.

macOS adware persistence
2r 1t
high threat

Lazarus Group's macOS 'Fileless' Implant

The Lazarus APT group is distributing a trojanized macOS application named UnionCryptoTrader.dmg that installs a launch daemon for persistence, downloads and executes secondary payloads in-memory, and communicates with the command and control server unioncrypto.vip.

macos Lazarus Group +4 lazarus fileless trojan
3r 3t 3i
medium advisory

Leveraging Apple's Endpoint Security Framework for Process Monitoring

This brief discusses the use of Apple's Endpoint Security Framework in macOS 10.15 and later for user-mode process monitoring, offering improved capabilities over the older OpenBSM subsystem.

macOS endpoint-security process-monitoring defense-evasion discovery
2r 2t
high threat

HackingTeam RCS Implant Installer Analysis

An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.

macOS HackingTeam rcs malware
2r 1t 3i