Here, we reverse, then 'extend' a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents will be automatically detected!
OSX/MaMi (the first Mac malware of 2018) hijacks infected users' DNS settings and installs a malicious certificate into the System keychain, in order to give remote attackers 'access' to all network traffic.
On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding that Apple's AMDRadeonX4150 kext is responsible for the crash.
The EFF/Lookout discovered a cross-platform implant, named CrossRat, with ties to nation-state operators. Here, we tear it apart; analyzing its persistence mechanisms, features, and network communications.
In this guest blog post my friend Mikhail Sosonkin reverses Apple's screencapture utility, discusses Mac malware that captures desktop images, and suggests methods for screen-capture detection!
Turns out that writing security tools is a great way to inadvertently uncover bugs in macOS. How about a crash in Apple's 'Security' framework ... that can't be good!?
Did you know on macOS, notifications are stored in an unencrypted database? Which means that even 'disappearing' messages from apps such as Signal may not really disappear. Yikes!
In macOS Mojave, apps have to obtain user permission before using the Mac's camera and microphone. We'll illustrate how this is trivial to bypass (at least in the current beta).
Are full paths and preview thumbnails for files, even those on encrypted containers and removable USB devices, really persistently stored? ...yes :( Apple's 'QuickLook' cache is to blame.
A new Mac malware targets the cryptocurrency community. In this post, we dive into the malware and illustrate how Objective-See's tools can generically thwart this new threat at every step of the way.
Apple recently updated the way login items are stored by the OS. In this post, we'll illustrate how to parse the (new) login item files to detect persistence.
In this guest blog post @CodeColorist writes about a neat macOS vulnerability. Ironically, by abusing security mechanisms such as sandboxing, macOS can be coerced to load an untrusted library into a SIP-entitled process!
Apple wrote code to appease the Chinese government ...it was buggy. In certain configurations, iOS devices were vulnerable to an "emoji-related" flaw that could be triggered remotely!
Imagine you've gained remote code execution on a Mac via a malicious Word document. Turns out, you're still stuck in a sandbox. However, via a faulty regex, you can escape and persist!
If you can programmatically generate synthetic mouse clicks, you can break macOS! Approving kernel extensions, dismissing privacy alerts, and much more...
The WINDSHIFT APT group is successfully infecting Macs with a novel infection mechanism. By abusing custom URL scheme handlers and minimal user interaction, Macs can be remotely compromised!
A massively popular app from the official Mac App Store surreptitiously steals your browsing history! By fully reversing the application, we expose its functionality and rather shady capabilities.
The macOS sandbox seeks to prevent malicious applications from surreptitiously spying on unsuspecting users. Turns out, it's trivial to sidestep some of these protections, resulting in significant privacy implications!
A malicious Word document targeting macOS users was recently uncovered. Let's extract the embedded macros, decode an embedded downloader, and retrieve the 2nd-stage payload!
The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's (continue to) analyze their 1st-stage macOS implant: OSX.WindTail!
After the success of #OBTS v1.0, we decided to go international and plan #OBTS v2.0 in Europe! In this blog post, we re-live the highlights (from Monaco!) of "Objective by the Sea" v2.0.
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware (OSX.NetWire.A) utilized in this attack, identifying its methods of persistence, and more!
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this second post, we fully reverse OSX.NetWire.A, revealing (for the first time!), its inner workings and complex capabilities.
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this third post, we analyze a second backdoor used in the attack, detailing its persistence and capabilities, and ultimately identify it as a new variant of the cross-platform Mokes malware!
In this guest blog post, "Objective by the Sea" speaker, Csaba Fitzl writes about an interesting way to get root via Apps from the official Mac App Store!
A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine its infection vector, method of persistence, capabilities, and more!
The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads!
A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its binary and studying its network traffic.
The Lazarus group's latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurpose this 1st-stage loader to execute *our* custom 'fileless' payloads!
CVE-2017-7170 was a local priv-esc vulnerability that affected OSX/macOS for over a decade! Here (for the first time!), we dive into the technical details of finding the bug, the core flaw, and exploitation.
Today we uncover two (local) security flaws in Zoom's latest macOS client. First, a privilege escalation vulnerability, and second, a method to surreptitiously access a user's webcam and microphone (via Zoom).
A sophisticated Lazarus Group implant has arrived on macOS. In this post, we deconstruct the Mac variant, OSX.Dacls, detailing its install logic, persistence, and capabilities.
macOS stealers continue to be a pervasive threat! In this guest blog post, one of our #OBTS student scholars, Pablo Redondo Castro, shares the technical details of a macOS stealer (likely AMOS-related) he analyzed.
In macOS 26.4, Apple added ClickFix protections. In this post, we reverse macOS to uncover exactly how these protections are implemented, and whether we can replicate the same approach in our own tools.
You can now build macOS firewalls/network tools via Endpoint Security ...no Network Extension needed! In this post, we reverse macOS 26.4's new ES_EVENT_TYPE_RESERVED_* ES events and show that some of them are network auth/notify hooks.
ClickFix represents a shift in attacker tradecraft, exploiting user trust rather than software vulnerabilities. In this post, we introduce a lightweight execution-boundary defense that intervenes at paste time to generically disrupt most ClickFix-style attacks on macOS.
It's here! Our annual report on all the Mac malware of the year (2025 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!
In this guest blog post, Nathaniel Oh, details a recent bug he discovered and reported to Apple: a remote pre-authentication buffer overflow in LLDB’s debugserver, now patched as CVE-2025-43504.
Let's continue our research into fully restoring reflective code loading on macOS — now with support for macOS 26 and in-memory Objective-C payloads. And what about detection? We cover that too!
Malicious Spotlight plugins can leak bytes from TCC-protected files. And while the core bug was publicly disclosed almost a decade ago, it's still present in macOS 26!
Apple will bring TCC events to Endpoint Security in macOS 15.4. In this post, we cover the details and nuances, and provide PoC code for the new 'ES_EVENT_TYPE_NOTIFY_TCC_MODIFY' event.
In this guest blog post, researcher Noah Gregory shares the technical details of a bug he uncovered (that was subsequently patched by Apple as CVE-2024-5447).
It's here! Our annual report on all the Mac malware of the year (2024 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!
Universal binaries contain multiple architecture-specific Mach-O binaries, known as slices ...however, it turns out the Apple API to identify the best slice is broken. Let's investigate and find out why!
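To make the slice layout concrete, here is an added example (not code from the post above, nor from Objective-See's tools) that walks the fat header of a universal binary and lists its slices, bounds-checking each one rather than trusting the header's offsets. The constants come from Apple's <mach-o/fat.h> and <mach/machine.h>; the sample binary is constructed in the script (two bare Mach-O magics behind a fat header) rather than taken from a real file, and the slice selector is a deliberately simple exact-cputype match, not a reimplementation of Apple's own API.

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE      # 32-bit fat header; the header is big-endian on disk
FAT_MAGIC_64 = 0xCAFEBABF   # 64-bit fat header (64-bit slice offsets/sizes)
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O header magic
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header magic
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_fat(data):
    """Return a list of dicts describing each slice of a fat (universal) binary.

    A slice whose offset/size fall outside the file, or whose first bytes are
    not a Mach-O magic, raises ValueError instead of being silently accepted.
    """
    if len(data) < 8:
        raise ValueError("too short to be a fat binary")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        entry_fmt = ">iiIII"    # struct fat_arch: cputype, cpusubtype, offset, size, align
    elif magic == FAT_MAGIC_64:
        entry_fmt = ">iiQQII"   # struct fat_arch_64: 64-bit offset/size plus a reserved word
    else:
        raise ValueError("not a fat binary (magic 0x%08x)" % magic)
    entry_size = struct.calcsize(entry_fmt)
    if 8 + nfat_arch * entry_size > len(data):
        raise ValueError("fat_arch table extends past end of file")

    slices = []
    for i in range(nfat_arch):
        start = 8 + i * entry_size
        fields = struct.unpack(entry_fmt, data[start:start + entry_size])
        cputype, cpusubtype, offset, size, align = fields[:5]   # cpusubtype's top byte holds capability bits
        if size < 4 or offset + size > len(data):
            raise ValueError("slice %d (offset %d, size %d) lies outside the file" % (i, offset, size))
        # Mach-O headers are written in the target's byte order, so accept either.
        (m_be,) = struct.unpack(">I", data[offset:offset + 4])
        (m_le,) = struct.unpack("<I", data[offset:offset + 4])
        if not ({m_be, m_le} & {MH_MAGIC, MH_MAGIC_64}):
            raise ValueError("slice %d does not start with a Mach-O header" % i)
        slices.append({
            "arch": CPU_NAMES.get(cputype, "cputype 0x%x" % cputype),
            "cputype": cputype, "cpusubtype": cpusubtype,
            "offset": offset, "size": size, "align": align,   # align is log2 of the alignment
            "is_64bit": bool(cputype & CPU_ARCH_ABI64),
        })
    return slices


def is_well_formed(data):
    """True if parse_fat() accepts the data, False if it rejects it."""
    try:
        parse_fat(data)
        return True
    except ValueError:
        return False


def select_slice(slices, host_cputype):
    """Exact-cputype match only (hypothetical simplification; Apple's own
    selection also weighs cpusubtype). Returns None when nothing matches."""
    for s in slices:
        if s["cputype"] == host_cputype:
            return s
    return None


def build_sample_fat():
    """Constructed sample, not a real binary: a 32-bit fat header with an x86_64
    and an arm64 slice, each slice being just a 64-bit Mach-O magic plus padding."""
    slice_len = 32
    entries = [(CPU_TYPE_X86_64, 3, 4096, slice_len, 12),   # CPU_SUBTYPE_X86_64_ALL == 3
               (CPU_TYPE_ARM64, 0, 8192, slice_len, 12)]    # CPU_SUBTYPE_ARM64_ALL == 0
    buf = bytearray(8192 + slice_len)
    buf[:8] = struct.pack(">II", FAT_MAGIC, len(entries))
    for i, entry in enumerate(entries):
        buf[8 + i * 20:8 + (i + 1) * 20] = struct.pack(">iiIII", *entry)
        buf[entry[2]:entry[2] + 4] = struct.pack("<I", MH_MAGIC_64)   # little-endian, as on x86_64/arm64
    return bytes(buf)


if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print("%-7s offset=%d size=%d align=2^%d" % (s["arch"], s["offset"], s["size"], s["align"]))
```

Run it on a real universal binary by replacing `build_sample_fat()` with the file's bytes; the bounds and magic checks are the part worth keeping in any tool that trusts a fat header to find code it is about to scan or load.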
It's here! Our annual report on all the Mac malware of the year (2023 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!
Yet more ransomware targeting macOS! In this post we analyze the newly discovered "Turtle" ransomware and provide both a decryptor and a method to proactively thwart it.
The infamous LockBit ransomware group has created a macOS variant. In this post we comprehensively analyze this new threat, showing it's not ready for prime-time and is easily detected with heuristic-based approaches.
The 3CX supply chain attack gives us an opportunity to analyze a trojanized macOS application! Here, we uncover the malicious component and thoroughly analyze its capabilities.
Today, Valentine's day, is a day to celebrate love, and for better or worse one of my main loves is malware. Let's analyze a new macOS backdoor/updater component: 'iWebUpdate' ...which has been around, undetected, for 5 years!
It's here! Our annual report on all the Mac malware of the year (2022 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!
The prolific adware known as Shlayer continues to evolve in creative ways! In this guest blog post, security researcher Taha Karim, details an unusual Shlayer sample that encrypts its configuration within the DMG file header structure.
It's not everyday that we get to talk about backdoors targeting iOS users. In this guest blog post, security researcher Taha Karim, details a sophisticated threat targeting iOS web3 users.
A report from the Cybersecurity & Infrastructure Security Agency detailed "[A] North Korean State-Sponsored APT Target[ing] Blockchain Companies." We build upon CISA's report, diving deeper into one of the malicious macOS samples.
It's here! Our annual report on all the Mac malware of the year (2021 edition). Besides providing samples for download, we cover infection vectors, persistence mechanisms, payloads and more!
In this guest blog post, the security researcher Tom McGuire details the flaw and fix of CVE-2021-30860, a zero-click vulnerability, exploited in the wild.
This is our 100th blog post ...and it's a doozy! Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk!
In this guest blog post, the Mac security researcher Csaba Fitzl describes his journey creating an app to protect against process injection on macOS.
Apple's new M1 systems offer a myriad of benefits that malware authors are now leveraging. Here, we detail the first malicious program compiled to natively target Apple Silicon (M1/arm64)!
In this guest blog post, the noted Mac security researcher/author Jaron Bradley explains how to detect (potentially malicious) SSH activity...via process monitoring and the analysis of process hierarchies.
Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.
In this guest blog post, the security researcher behind @OSCartography describes a bug related to parsing property lists ...a bug that trivially crashed macOS!
Interested in learning about a macOS cyber-espionage implant ...that leveraged priv-escalation exploits and a kernel-mode rootkit!? In this post, we analyze the macOS version of FinSpy.
Unfortunately we didn't have to wait long before hackers found a way to (ab)use Apple's new notarization service to get their malware approved! In this post, we tear apart an adware campaign that utilized malicious payloads containing Apple's notarization "stamp of approval".
Ever wondered how a system can be persistently infected by simply opening a document? In this post, I detail an exploit chain (created by yours truly) that was able to fully infect a fully-patched macOS Catalina system by simply opening a malicious (macro-laced) Office document ...no alerts, prompts, nor other direct user interactions required!
Security researcher Ilias Morad describes an impressive exploit chain, combining three logic bugs he uncovered in macOS. His exploit chain allowed a local user to elevate privileges all the way to ring-0 (kernel)!
In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. This bug allowed for a complete bypass of TCC's draconian entitlement checks, all without writing a single line of code!
Parent-child relationships are one of the simplest and most effective ways to detect malicious activity at the host level ...however on macOS things can get a little complex. Luckily security researcher Jaron Bradley is here to explain exactly what is going on!
OSX.EvilQuest is a new piece of malware targeting Mac users. In part two, we analyze the malware's viral infection capabilities, and detail its insidious capabilities.
OSX.EvilQuest is a new piece of malware targeting Mac users. In part one, we analyze the malware's infection vector, persistence mechanism, and anti-analysis logic.
Tiny SHell is a lightweight backdoor used in APT attacks against Mac users. In this (guest) post, the noted macOS security researcher (and #OBTS speaker!) Jaron Bradley provides a comprehensive analysis!