Objective-See's Blog
https://www.objective-see.org
All Things Related to Mac Security

Catching macOS Stealers in the Wild
https://objective-see.org/blog/blog_0x88.html
Wed, 01 Apr 2026 00:00:00 +0000
macOS stealers continue to be a pervasive threat! In this guest blog post, one of our #OBTS student scholars, Pablo Redondo Castro, shares the technical details of a macOS stealer (likely AMOS-related) he analyzed.

No Paste for You!
https://objective-see.org/blog/blog_0x87.html
Tue, 31 Mar 2026 00:00:00 EST
In macOS 26.4, Apple added ClickFix protections. In this post, we reverse macOS to uncover exactly how these protections are implemented, and whether we can replicate the same approach in our own tools.

Building a Firewall ...via Endpoint Security!?
https://objective-see.org/blog/blog_0x86.html
Fri, 27 Mar 2026 00:00:00 EST
You can now build macOS firewalls/network tools via Endpoint Security ...no Network Extension needed! In this post, we reverse macOS 26.4's new ES_EVENT_TYPE_RESERVED_* ES events, showing that some are network auth/notify hooks.

ClickFix: Stopped at ⌘+V
https://objective-see.org/blog/blog_0x85.html
Sun, 15 Feb 2026 00:00:00 EST
ClickFix represents a shift in attacker tradecraft, exploiting user trust rather than software vulnerabilities. In this post, we introduce a lightweight execution-boundary defense that intervenes at paste time to generically disrupt most ClickFix-style attacks on macOS.

The Mac Malware of 2025
https://objective-see.org/blog/blog_0x84.html
Thu, 1 Jan 2026 00:00:00 EST
It's here! Our annual report on all the Mac malware of the year (2025 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!

A Remote Pre-Authentication Overflow in LLDB's debugserver
https://objective-see.org/blog/blog_0x83.html
Mon, 8 Dec 2025 00:00:00 EST
In this guest blog post, Nathaniel Oh details a recent bug he discovered and reported to Apple: a remote pre-authentication buffer overflow in LLDB's debugserver, now patched as CVE-2025-43504.

Restoring Reflective Code Loading on macOS (Part II)
https://objective-see.org/blog/blog_0x82.html
Mon, 24 Nov 2025 00:00:00 EST
Let's continue our research into fully restoring reflective code loading on macOS — now with support for macOS 26 and in-memory Objective-C payloads. And what about detection? We cover that too!

[0day] From Spotlight to Apple Intelligence
https://objective-see.org/blog/blog_0x81.html
Mon, 15 Sep 2025 00:00:00 EST
Malicious Spotlight plugins can leak bytes from TCC-protected files. And while the core bug was publicly disclosed almost a decade ago, it's still present in macOS 26!

TCCing is Believing: Apple finally adds TCC events to Endpoint Security!
https://objective-see.org/blog/blog_0x7F.html
Thu, 27 Mar 2025 00:00:00 EST
Apple will bring TCC events to Endpoint Security in macOS 15.4. In this post, we cover details and nuances, and provide PoC code for the new 'ES_EVENT_TYPE_NOTIFY_TCC_MODIFY' event.

Leaking Passwords (and more!) on macOS
https://objective-see.org/blog/blog_0x7E.html
Thu, 20 Mar 2025 00:00:00 EST
In this guest blog post, researcher Noah Gregory shares the technical details of a bug he uncovered (that was subsequently patched by Apple as CVE-2024-5447).

The Mac Malware of 2024
https://objective-see.org/blog/blog_0x7D.html
Wed, 1 Jan 2025 00:00:00 EST
It's here! Our annual report on all the Mac malware of the year (2024 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!

Restoring Reflective Code Loading on macOS
https://objective-see.org/blog/blog_0x7C.html
Mon, 16 Dec 2024 00:00:00 EST
Apple silently 'broke' in-memory code loading on macOS ...let's restore it!

The Hidden Treasures of Crash Reports
https://objective-see.org/blog/blog_0x7B.html
Tue, 13 Aug 2024 00:00:00 EST
Analyzing crash reports reveals malware, (0-day) bugs, and much more!

This Meeting Should Have Been an Email
https://objective-see.org/blog/blog_0x7A.html
Sat, 15 Jun 2024 00:00:00 EST
A DPRK stealer, dubbed BeaverTail, targets users via a trojanized meeting app. Let's analyze it comprehensively.

Apple Gets an 'F' for Slicing Apples
https://objective-see.org/blog/blog_0x80.html
Thu, 22 Feb 2024 00:00:00 EST
Universal binaries contain multiple architecture-specific Mach-O binaries, known as slices ...however, it turns out the Apple API to identify the best slice is broken. Let's investigate and find out why!

Why Join The Navy If You Can Be A Pirate?
https://objective-see.org/blog/blog_0x79.html
Mon, 15 Jan 2024 00:00:00 EST
From a security point of view, pirating software is not recommended! Let's analyze a pirated application that contains a (malicious) surprise.

Analyzing DPRK's SpectralBlur
https://objective-see.org/blog/blog_0x78.html
Thu, 4 Jan 2024 00:00:00 EST
The first malware of 2024 is (already) here. Let's dive in!

The Mac Malware of 2023
https://objective-see.org/blog/blog_0x77.html
Mon, 1 Jan 2024 00:00:00 EST
It's here! Our annual report on all the Mac malware of the year (2023 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!

It's Turtles All The Way Down
https://objective-see.org/blog/blog_0x76.html
Thu, 30 Nov 2023 00:00:00 EST
Yet more ransomware targeting macOS! In this post we analyze the newly discovered "Turtle" ransomware and provide both a decryptor and a method to proactively thwart it.

The LockBit ransomware (kinda) comes for macOS
https://objective-see.org/blog/blog_0x75.html
Sun, 16 Apr 2023 00:00:00 EST
The infamous LockBit ransomware group has created a macOS variant. In this post we comprehensively analyze this new threat, showing it's not ready for prime-time and is easily detected with heuristic-based approaches.

Ironing out (the macOS) details of a Smooth Operator (Part II)
https://objective-see.org/blog/blog_0x74.html
Sat, 1 Apr 2023 00:00:00 EST
Analyzing UpdateAgent, the 2nd-stage macOS payload of the 3CX supply chain attack.

Ironing out (the macOS) details of a Smooth Operator (Part I)
https://objective-see.org/blog/blog_0x73.html
Wed, 29 Mar 2023 00:00:00 EST
The 3CX supply chain attack gives us an opportunity to analyze a trojanized macOS application! Here, we uncover the malicious component and thoroughly analyze its capabilities.

Where there is love, there is ...malware?
https://objective-see.org/blog/blog_0x72.html
Tue, 14 Feb 2023 00:00:00 EST
Today, Valentine's day, is a day to celebrate love, and for better or worse one of my main loves is malware. Let's analyze a new macOS backdoor/updater component: 'iWebUpdate' ...which has been around, undetected, for 5 years!

The Mac Malware of 2022
https://objective-see.org/blog/blog_0x71.html
Sun, 1 Jan 2023 00:00:00 EST
It's here! Our annual report on all the Mac malware of the year (2022 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!

How Shlayer Hides its Configuration
https://objective-see.org/blog/blog_0x70.html
Tue, 27 Dec 2022 00:00:00 EST
The prolific adware known as Shlayer continues to evolve in creative ways! In this guest blog post, security researcher Taha Karim details an unusual Shlayer sample that encrypts its configuration within the DMG file header structure.

SeaFlower 藏海花
https://objective-see.org/blog/blog_0x6F.html
Mon, 13 Jun 2022 00:00:00 EST
It's not every day that we get to talk about backdoors targeting iOS users. In this guest blog post, security researcher Taha Karim details a sophisticated threat targeting iOS web3 users.

From The DPRK With Love
https://objective-see.org/blog/blog_0x6E.html
Mon, 09 May 2022 00:00:00 EST
A report from the Cybersecurity & Infrastructure Security Agency detailed "[A] North Korean State-Sponsored APT Target[ing] Blockchain Companies." We build upon CISA's report, diving deeper into one of the malicious macOS samples.

Analyzing OSX.DazzleSpy
https://objective-see.org/blog/blog_0x6D.html
Tue, 25 Jan 2022 00:00:00 EST
DazzleSpy is a fully-featured cyber-espionage macOS implant, installed via a remote Safari exploit!

SysJoker, the first (macOS) malware of 2022!
https://objective-see.org/blog/blog_0x6C.html
Tue, 11 Jan 2022 00:00:00 EST
Here, we analyze the macOS versions of a cross-platform backdoor.

The Mac Malware of 2021
https://objective-see.org/blog/blog_0x6B.html
Sat, 01 Jan 2022 00:00:00 EST
It's here! Our annual report on all the Mac malware of the year (2021 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!

Where's the Interpreter!?
https://objective-see.org/blog/blog_0x6A.html
Wed, 22 Dec 2021 00:00:00 EST
CVE-2021-30853 was able to bypass file quarantine, Gatekeeper, & notarization requirements. In this post, we show exactly why!

OSX.CDDS (MacMa): A Sophisticated Watering Hole Campaign Drops A New macOS Implant!
https://objective-see.org/blog/blog_0x69.html
Thu, 11 Nov 2021 00:00:00 EST
A nation-state attack leverages n-/0-day exploits to persistently infect Apple systems with a new macOS implant.

Made In America: Green Lambert for OS X
https://objective-see.org/blog/blog_0x68.html
Fri, 01 Oct 2021 00:00:00 EST
In this guest blog post, the security researcher Runa Sandvik analyzes OSX.GreenLambert, a first-stage macOS implant utilized by the CIA.

Analysis of CVE-2021-30860
https://objective-see.org/blog/blog_0x67.html
Thu, 16 Sep 2021 00:00:00 EST
In this guest blog post, the security researcher Tom McGuire details the flaw and fix of CVE-2021-30860, a zero-click vulnerability exploited in the wild.

Made in China: OSX.ZuRu
https://objective-see.org/blog/blog_0x66.html
Tue, 14 Sep 2021 00:00:00 EST
Attackers are leveraging trojanized applications to spread malware, via sponsored search results.

OSX.Hydromac
https://objective-see.org/blog/blog_0x65.html
Fri, 4 Jun 2021 00:00:00 EST
In this guest blog post, the security researcher Taha Karim of ConfiantIntel dives into a new macOS adware specimen: Hydromac.

All Your Macs Are Belong To Us
https://objective-see.org/blog/blog_0x64.html
Mon, 26 Apr 2021 00:00:00 EST
This is our 100th blog post ...and it's a doozy! Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk!

Creating Shield
https://objective-see.org/blog/blog_0x63.html
Wed, 3 Mar 2021 00:00:00 EST
In this guest blog post, the Mac security researcher Csaba Fitzl describes his journey creating an app to protect against process injection on macOS.

Arm'd & Dangerous
https://objective-see.org/blog/blog_0x62.html
Sun, 14 Feb 2021 00:00:00 EST
Apple's new M1 systems offer a myriad of benefits that malware authors are now leveraging. Here, we detail the first malicious program compiled to natively target Apple Silicon (M1/arm64)!

Discharging ElectroRAT
https://objective-see.org/blog/blog_0x61.html
Tue, 5 Jan 2021 00:00:00 EST
The first (macOS) malware of 2021 is an insidious remote access tool (RAT), containing a variety of embedded payloads to extend its functionality.

The Mac Malware of 2020
https://objective-see.org/blog/blog_0x5F.html
Fri, 1 Jan 2021 00:00:00 EST
Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!

Detecting SSH Activity via Process Monitoring
https://objective-see.org/blog/blog_0x5D.html
Thu, 10 Dec 2020 00:00:00 EST
In this guest blog post, the noted Mac security researcher/author Jaron Bradley explains how to detect (potentially malicious) SSH activity ...via process monitoring and the analysis of process hierarchies.

Adventures in Anti-Gravity (Part II)
https://objective-see.org/blog/blog_0x5C.html
Fri, 27 Nov 2020 00:00:00 EST
Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.

Adventures in Anti-Gravity (Part I)
https://objective-see.org/blog/blog_0x5B.html
Tue, 3 Nov 2020 00:00:00 EST
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).

Property List Parsing Bug(s)
https://objective-see.org/blog/blog_0x5A.html
Wed, 21 Oct 2020 00:00:00 EST
In this guest blog post, the security researcher behind @OSCartography describes a bug related to parsing property lists ...a bug that trivially crashed macOS!

FinFisher Filleted
https://objective-see.org/blog/blog_0x4F.html
Sat, 26 Sep 2020 00:00:00 EST
Interested in learning about a macOS cyber-espionage implant ...that leveraged priv-escalation exploits and a kernel-mode rootkit!? In this post, we analyze the macOS version of FinSpy.

Apple Approved Malware
https://objective-see.org/blog/blog_0x4E.html
Sun, 30 Aug 2020 00:00:00 EST
Unfortunately we didn't have to wait long before hackers found a way to (ab)use Apple's new notarization service to get their malware approved! In this post, we tear apart an adware campaign that utilized malicious payloads containing Apple's notarization "stamp of approval".

Office Drama on macOS
https://objective-see.org/blog/blog_0x4B.html
Tue, 4 Aug 2020 00:00:00 EST
Ever wondered how a system can be persistently infected by simply opening a document? In this post, I detail an exploit chain (created by yours truly) that was able to fully infect a fully-patched macOS Catalina system by simply opening a malicious (macro-laced) Office document ...no alerts, prompts, nor other direct user interactions required!

CVE-2020-9854: "Unauthd"
https://objective-see.org/blog/blog_0x4D.html
Sat, 1 Aug 2020 00:00:00 EST
Security researcher Ilias Morad describes an impressive exploit chain, combining three logic bugs he uncovered in macOS. His exploit chain allowed a local user to elevate privileges all the way to ring-0 (kernel)!

CVE-2020-9934: Bypassing TCC for Unauthorized Access
https://objective-see.org/blog/blog_0x4C.html
Tue, 28 Jul 2020 00:00:00 EST
In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. This bug allowed for a complete bypass of TCC's draconian entitlement checks, all without writing a single line of code!

Low-Level Process Hunting on macOS
https://objective-see.org/blog/blog_0x4A.html
Sun, 19 Jul 2020 00:00:00 EST
Parent-child relationships are one of the simplest and most effective ways to detect malicious activity at the host level ...however on macOS things can get a little complex. Luckily security researcher Jaron Bradley is here to explain exactly what is going on!

OSX.EvilQuest Uncovered (part two)
https://objective-see.org/blog/blog_0x60.html
Fri, 03 Jul 2020 00:00:00 EST
OSX.EvilQuest is a new piece of malware targeting Mac users. In part two, we analyze the malware's viral infection capabilities, and detail its insidious capabilities.

OSX.EvilQuest Uncovered (part one)
https://objective-see.org/blog/blog_0x59.html
Mon, 29 Jun 2020 00:00:00 EST
OSX.EvilQuest is a new piece of malware targeting Mac users. In part one, we analyze the malware's infection vector, persistence mechanism, and anti-analysis logic.

Tiny SHell Under the Microscope
https://objective-see.org/blog/blog_0x58.html
Mon, 01 Jun 2020 00:00:00 EST
Tiny SHell is a lightweight backdoor used in APT attacks against Mac users. In this (guest) post, the noted macOS security researcher (and #OBTS speaker!) Jaron Bradley provides a comprehensive analysis!

The Dacls RAT ...now on macOS!
https://objective-see.org/blog/blog_0x57.html
A sophisticated Lazarus Group implant has arrived on macOS. In this post, we deconstruct the Mac variant, OSX.Dacls, detailing its install logic, persistence, and capabilities.

The 'S' in Zoom, Stands for Security
https://objective-see.org/blog/blog_0x56.html
Today we uncover two (local) security flaws in Zoom's latest macOS client. First, a privilege escalation vulnerability, and second, a method to surreptitiously access a user's webcam and microphone (via Zoom).

Sniffing Authentication References on macOS
https://objective-see.org/blog/blog_0x55.html
CVE-2017-7170 was a local priv-esc vulnerability that affected OSX/macOS for over a decade! Here (for the first time!), we dive into the technical details of finding the bug, the core flaw, and exploitation.

Weaponizing a Lazarus Group Implant
https://objective-see.org/blog/blog_0x54.html
The Lazarus group's latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurpose this 1st-stage loader to execute *our* custom 'fileless' payloads!

The Mac Malware of 2019
https://objective-see.org/blog/blog_0x53.html
Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!

Mass Surveillance, is an (un)Complicated Business
https://objective-see.org/blog/blog_0x52.html
A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its binary and studying its network traffic.

Lazarus Group Goes 'Fileless'
https://objective-see.org/blog/blog_0x51.html
The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads!

[0day] Abusing XLM Macros in SYLK Files
https://objective-see.org/blog/blog_0x50.html
A 0day logic flaw in Microsoft Excel leads to 'remote' code execution on macOS, via malicious macros.

Pass the AppleJeus
https://objective-see.org/blog/blog_0x49.html
A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine its infection vector, method of persistence, capabilities, and more!

Writing a File Monitor with Apple's Endpoint Security Framework
https://objective-see.org/blog/blog_0x48.html
Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) File Monitor for macOS 10.15!

Writing a Process Monitor with Apple's Endpoint Security Framework
https://objective-see.org/blog/blog_0x47.html
Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) Process Monitor for macOS 10.15!

Getting Root with Benign AppStore Apps
https://objective-see.org/blog/blog_0x46.html
In this guest blog post, "Objective by the Sea" speaker Csaba Fitzl writes about an interesting way to get root via Apps from the official Mac App Store!

Burned by Fire(fox) (Part III)
https://objective-see.org/blog/blog_0x45.html
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this third post, we analyze a second backdoor used in the attack, detailing its persistence and capabilities, and ultimately identify it as a new variant of the cross-platform Mokes malware!

Burned by Fire(fox) (Part II)
https://objective-see.org/blog/blog_0x44.html
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this second post, we fully reverse OSX.NetWire.A, revealing (for the first time!) its inner workings and complex capabilities.

Burned by Fire(fox) (Part I)
https://objective-see.org/blog/blog_0x43.html
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware (OSX.NetWire.A) utilized in this attack, identifying its methods of persistence, and more!

"Objective by the Sea" v2.0
https://objective-see.org/blog/blog_0x42.html
After the success of #OBTS v1.0, we decided to go international and plan #OBTS v2.0 in Europe! In this blog post, we re-live the highlights (from Monaco!) of "Objective by the Sea" v2.0.

Rootpipe Reborn (Part II)
https://objective-see.org/blog/blog_0x41.html
@CodeColorist continues writing about bugs, such as CVE-2019-8521 and CVE-2019-8565, that provide a mechanism to elevate privileges to root on macOS.

Rootpipe Reborn (Part I)
https://objective-see.org/blog/blog_0x40.html
In part one of a guest blog post, @CodeColorist writes about several neat macOS vulnerabilities.

Mac Adware, à la Python
https://objective-see.org/blog/blog_0x3F.html
Let's tear apart a persistent piece of adware, decompiling, decoding, and decompressing its code to uncover its methods and capabilities.

Death by vmmap
https://objective-see.org/blog/blog_0x3E.html
A core Mojave utility is rather disastrously broken - causing a full-system lockup. Let's find out why!

Middle East Cyber-Espionage (part two)
https://objective-see.org/blog/blog_0x3D.html
The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's (continue to) analyze their 1st-stage macOS implant: OSX.WindTail!

The Mac Malware of 2018
https://objective-see.org/blog/blog_0x3C.html
Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!

Middle East Cyber-Espionage
https://objective-see.org/blog/blog_0x3B.html
The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's analyze their 1st-stage macOS implant: OSX.WindTail!

Word to Your Mac
https://objective-see.org/blog/blog_0x3A.html
A malicious Word document targeting macOS users was recently uncovered. Let's extract the embedded macros, decode an embedded downloader, and retrieve the 2nd-stage payload!

[0day] Mojave's Sandbox is Leaky
https://objective-see.org/blog/blog_0x39.html
The macOS sandbox seeks to prevent malicious applications from surreptitiously spying on unsuspecting users. Turns out, it's trivial to sidestep some of these protections, resulting in significant privacy implications!

A Deceitful 'Doctor' in the Mac App Store
https://objective-see.org/blog/blog_0x37.html
A massively popular app from the official Mac App Store surreptitiously steals your browsing history! By fully reversing the application, we can fully expose its functionality and rather shady capabilities.

Remote Mac Exploitation Via Custom URL Schemes
https://objective-see.org/blog/blog_0x38.html
The WINDSHIFT APT group is successfully infecting Macs with a novel infection mechanism. By abusing custom URL scheme handlers and minimal user interaction, Macs can be remotely compromised!

[0day] Synthetic Reality
https://objective-see.org/blog/blog_0x36.html
If you can programmatically generate synthetic mouse clicks, you can break macOS! Approving kernel extensions, dismissing privacy alerts, and much more...

Escaping the Microsoft Office Sandbox
https://objective-see.org/blog/blog_0x35.html
Imagine you've gained remote code execution on a Mac via a malicious Word document. Turns out, you're still stuck in a sandbox. However, via a faulty regex, you can escape and persist!

A Remote iOS Bug
https://objective-see.org/blog/blog_0x34.html
Apple wrote code to appease the Chinese government ...it was buggy. In certain configurations, iOS devices were vulnerable to an "emoji-related" flaw that could be triggered remotely!

[0day] Bypassing SIP via Sandboxing
https://objective-see.org/blog/blog_0x33.html
In this guest blog post @CodeColorist writes about a neat macOS vulnerability. Ironically, by abusing security mechanisms such as sandboxing, macOS can be coerced to load an untrusted library into a SIP-entitled process!

Block Blocking Login Items
https://objective-see.org/blog/blog_0x31.html
Apple recently updated the way login items are stored by the OS. In this post, we'll illustrate how to parse the (new) login item files to detect persistence.

OSX.Dummy
https://objective-see.org/blog/blog_0x32.html
A new Mac malware targets the cryptocurrency community. In this post, we dive into the malware and illustrate how Objective-See's tools can generically thwart this new threat at every step of the way.

Cache Me Outside
https://objective-see.org/blog/blog_0x30.html
Are full paths and preview thumbnails for files, even on encrypted containers and removable USB devices, really persistently stored? ...yes :( Apple's 'QuickLook' cache is to blame.

Breaking macOS Mojave (Beta)
https://objective-see.org/blog/blog_0x2F.html
In macOS Mojave, apps have to obtain user permission before using the Mac's camera & microphone. We'll illustrate how this is trivial to bypass (at least in the current beta).

When Disappearing Messages Don't Disappear
https://objective-see.org/blog/blog_0x2E.html
Did you know on macOS, notifications are stored in an unencrypted database? Which means that even 'disappearing' messages from apps such as Signal may not really disappear. Yikes!

An Insecurity in Apple's Security Framework?
https://objective-see.org/blog/blog_0x2D.html
Turns out that writing security tools is a great way to inadvertently uncover bugs in macOS. How about a crash in Apple's 'Security' framework ...that can't be good!?

Who Moved My Pixels?!
https://objective-see.org/blog/blog_0x2C.html
In this guest blog post my friend Mikhail Sosonkin reverses Apple's screencapture utility, discusses Mac malware that captures desktop images, and suggests methods for screen-capture detection!

A Surreptitious Cryptocurrency Miner in the Mac App Store?
https://objective-see.org/blog/blog_0x2B.html
Turns out the innocuously named "Calendar 2" app, found on the official Mac App Store, was surreptitiously turning Macs into cryptocurrency miners!

Tearing Apart the Undetected (OSX)Coldroot RAT
https://objective-see.org/blog/blog_0x2A.html
I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems.

Analyzing OSX/CreativeUpdater
https://objective-see.org/blog/blog_0x29.html
Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer: OSX/CreativeUpdater.

Analyzing CrossRAT
https://objective-see.org/blog/blog_0x28.html
The EFF/Lookout discovered a cross-platform implant, named CrossRAT, with ties to nation-state operators. Here, we tear it apart; analyzing its persistence mechanisms, features, and network communications.

An Unpatched Kernel Bug
https://objective-see.org/blog/blog_0x27.html
On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding that Apple's AMDRadeonX4150 kext is responsible for the crash.

Ay MaMi - Analyzing a New macOS DNS Hijacker
https://objective-see.org/blog/blog_0x26.html
OSX/MaMi (the first Mac malware of 2018) hijacks infected users' DNS settings and installs a malicious certificate into the System keychain, in order to give remote attackers 'access' to all network traffic.

All Your Docs Are Belong To Us
https://objective-see.org/blog/blog_0x22.html
Here, we reverse, then 'extend' a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents will be automatically detected!

Mac Malware of 2017
https://objective-see.org/blog/blog_0x25.html
Let's look at all the Mac malware from 2017, for each discussing their infection vector, persistence mechanism, features & goals.

Why _blank_ Gets You Root
https://objective-see.org/blog/blog_0x24.html
Yet another massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the root account with a blank password, or a password of their choosing!

From the Top to the Bottom; Tracking down CVE-2017-7149
https://objective-see.org/blog/blog_0x23.html
High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes.

High Sierra's 'Secure Kernel Extension Loading' is Broken
https://objective-see.org/blog/blog_0x21.html
A new 'security' feature in macOS 10.13 is trivial to bypass.

WTF is Mughthesec!? poking on a piece of undetected adware
https://objective-see.org/blog/blog_0x20.html
Some undetected adware named "Mughthesec" is infecting Macs ...let's check it out!

OSX/MacRansom; analyzing the latest ransomware to target macs
https://objective-see.org/blog/blog_0x1E.html
Looks like somebody on the 'dark web' is offering 'Ransomware as a Service' ...that's designed to infect Macs!

OSX/Proton.B; a brief analysis, 6 miles up
https://objective-see.org/blog/blog_0x1F.html
Analysis of OSX/Proton.B reveals some interesting tricks, plus a command file that can be decrypted to reveal the malware's capabilities.

HandBrake Hacked! OSX/Proton (re)Appears
https://objective-see.org/blog/blog_0x1D.html
The website of a popular application was hacked, and the application trojaned with a new variant of osx/proton.

Two Bugs, One Func(), part three
https://objective-see.org/blog/blog_0x1C.html
Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow.

Two Bugs, One Func(), part two
https://objective-see.org/blog/blog_0x1B.html
Apple's 'fix' for a macOS kernel panic fixes nothing and, worse, introduces a new bug.

Two Bugs, One Func(), part one
https://objective-see.org/blog/blog_0x1A.html
The macOS kernel had an (intentional?) off-by-one bug that could trigger a kernel panic.

Happy Birthday to Objective-See
https://objective-see.org/blog/blog_0x19.html
Today is our 2nd birthday! Let's look at our past, present, and future.

From Italy With Love?
https://objective-see.org/blog/blog_0x18.html
Reverse-engineering a 'Russian' implant reveals HackingTeam's code!?

New Attack, Old Tricks
https://objective-see.org/blog/blog_0x17.html
A Word document targets Mac users with malicious macros and an open-source payload.
https://objective-see.org/blog/blog_0x17.html Mac Malware of 2016 https://objective-see.org/blog/blog_0x16.html Let's analyse the malware that appeared in 2016, discussing the infection vector, persistence mechanism, feature, and disinfection for each. https://objective-see.org/blog/blog_0x16.html 'Untranslocating' an App https://objective-see.org/blog/blog_0x15.html Apple's App Translocation broke several of my tools, but we can locally undo it to restore broken functionality! https://objective-see.org/blog/blog_0x15.html [0day] Bypassing Apple's System Integrity Protection https://objective-see.org/blog/blog_0x14.html Read how an attacker can bypass Apple's SIP, via the local OS upgrade process https://objective-see.org/blog/blog_0x14.html Forget the NSA, it's Shazam that's always listening! https://objective-see.org/blog/blog_0x13.html Does Shazam's Mac App keep recording even when you turn the app off? ...yes :/ https://objective-see.org/blog/blog_0x13.html Click File, App Opens https://objective-see.org/blog/blog_0x12.html The 'Mac File Opener' adware is fairly normal, except for it how it persists via registered document handlers https://objective-see.org/blog/blog_0x12.html Persisting via a Finder Sync https://objective-see.org/blog/blog_0x11.html Learn how a Finder Sync can 'extend' Finder.app and how this could be abused for persistence https://objective-see.org/blog/blog_0x11.html Are you from the Mac App Store? https://objective-see.org/blog/blog_0x10.html How to verify that an application came from the official Mac App Store, via receipt validation https://objective-see.org/blog/blog_0x10.html Towards Generic Ransomware Detection https://objective-see.org/blog/blog_0x0F.html By monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes, can ransomware be generically detected? 
https://objective-see.org/blog/blog_0x0F.html Analysis of an Intrusive Cross-Platform Adware; OSX/Pirrit https://objective-see.org/blog/blog_0x0E.html In Objective-See's first guest blog post, Amit Serper presents his detailed analysis of OSX/Pirrit https://objective-see.org/blog/blog_0x0E.html HackingTeam Reborn; A Brief Analyis of the RCS Implant Installer https://objective-see.org/blog/blog_0x0D.html HackingTeam using native OS X crypto to protect malware -neat! New blog w/ sample + decryptions/dumpings/detections https://objective-see.org/blog/blog_0x0D.html Analyzing the Anti-Analysis Logic of an Adware Installer https://objective-see.org/blog/blog_0x0C.html Dissecting string obfuscations, junk code insertions, and anti-debugging logic of InstallCore https://objective-see.org/blog/blog_0x0C.html Monitoring Process Creation via the Kernel (Part III) https://objective-see.org/blog/blog_0x0B.html Getting process creation notifcations from kernel-mode to user-mode, via the undocumented kev_msg_post function https://objective-see.org/blog/blog_0x0B.html Monitoring Process Creation via the Kernel (Part II) https://objective-see.org/blog/blog_0x0A.html Process monitoring via the KAuth Subsystem (and some limitations) https://objective-see.org/blog/blog_0x0A.html Monitoring Process Creation via the Kernel (Part I) https://objective-see.org/blog.html#blogEntry9 Why BlockBlock needs a kext (hint: process monitoring), and how the kext was created https://objective-see.org/blog.html#blogEntry9 Kernel Debugging a Virtualized OS X El Capitan Image https://objective-see.org/blog.html#blogEntry8 How to remotely kernel-debug a OS X 10.11 VM https://objective-see.org/blog.html#blogEntry8 Reversing to Engineer: Learning to 'Secure' XPC from a Patch https://objective-see.org/blog.html#blogEntry7 How reversing Apple's 'RootPipe' patch provided the means to secure TaskExplorer's XPC service https://objective-see.org/blog.html#blogEntry7 Building HackingTeam's OS X Implant For Fun & 
Profit https://objective-see.org/blog.html#blogEntry6 How to build HackingTeam's OS X implant in Xcode https://objective-see.org/blog.html#blogEntry6 CVE-2015-3673: Goodbye Rootpipe...(for now?) https://objective-see.org/blog.html#blogEntry5 Details on bypassing Apple's original rootpipe patch https://objective-see.org/blog.html#blogEntry5 More on, "Adware for OS X Distributes Trojans" https://objective-see.org/blog.html#blogEntry4 A deeper dive into 'MacInstaller' and the adware it installs https://objective-see.org/blog.html#blogEntry4 Phoenix: RootPipe lives! ...even on OS X 10.10.3 https://objective-see.org/blog.html#blogEntry3 Exploiting RootPipe on OS X 10.10.3 https://objective-see.org/blog.html#blogEntry3 Dylib Hijack Scanner Released https://objective-see.org/blog.html#blogEntry2 Announcing the release of DHS; a tool to help detect (dylib) hijackers https://objective-see.org/blog.html#blogEntry2 Website Launch https://objective-see.org/blog.html#blogEntry1 NSLog(@"Hello World"); objective-see.org is alive! https://objective-see.org/blog.html#blogEntry1