Scroll Top

Unveiling a New Threat: Sophisticated Toolkit Targets Apple macOS Systems


Unveiling a new threat: sophisticated toolkit targets Apple MacOS systems

In a recent breakthrough, cybersecurity researchers at have uncovered a set of malicious artifacts that form part of a highly sophisticated toolkit designed to target Apple macOS systems. These findings shed light on a concerning new wave of threats impacting Apple’s ecosystem.

The researchers from, Andrei Lapusneanu and Bogdan Botezatu, conducted a preliminary analysis based on four samples uploaded to VirusTotal by an anonymous victim. The earliest sample in question dates back to April 18, 2023.

Among the identified threats, two Python-based backdoors stand out, exhibiting characteristics that make them capable of targeting Windows, Linux, and macOS systems. Collectively known as JokerSpy, these payloads have been assessed by our experts.

The first component, shared.dat, is launched upon execution and performs an operating system check, differentiating between Windows, macOS, and Linux by assigning values of 0, 1, and 2, respectively. It then establishes communication with a remote server to retrieve further instructions, encompassing actions such as system information gathering, command execution, file download and execution, and self-termination.

On macOS devices, the server provides Base64-encoded content that is subsequently written to a file named “/Users/Shared/AppleAccount.tgz” before being unpacked and executed as the application “/Users/Shared/TempUser/”

In the case of Linux hosts, the routine involves validating the operating system distribution by examining the “/etc/os-release” file. It then writes C code to a temporary file called “tmp.c,” which is compiled into a file named “/tmp/.ICE-unix/git” using the cc command in Fedora or gcc in Debian.

Additionally, our investigation revealed the presence of a more potent backdoor labeled “” among the samples. This file possesses an extensive range of capabilities, including system metadata gathering, file enumeration, file deletion, command and file execution, as well as batch exfiltration of encoded data.

The third component, a FAT binary named xcc, is written in Swift and targets macOS Monterey (version 12) and later versions. This file houses two Mach-O files designed for both x86 Intel and ARM M1 CPU architectures.

While the primary purpose of xcc appears to be permission verification for potential spyware components, it does not contain the spyware component itself. The researchers at suspect that these files are part of a larger, more complex attack, indicating that additional files may be missing from the analyzed system.

Furthermore, xcc’s spyware connections are evident from a specific file path found within its content: “/Users/joker/Downloads/Spy/XProtectCheck/”. It also verifies permissions such as Disk Access, Screen Recording, and Accessibility.

At present, the identity of the threat actors behind this campaign remains unknown. The exact method of initial access, including potential involvement of social engineering or spear-phishing techniques, has yet to be determined. will continue to monitor the situation closely and provide updates as further information becomes available. Stay tuned for our upcoming webinars and follow us on Twitter and LinkedIn for exclusive content and the latest developments in the ever-changing cybersecurity landscape.

Related Posts

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.