No matter how safe the Apple ecosystem may seem, sometimes unpleasant things happen to it…
September 20, 2025 at 5:28 PM • Max Knyazev is typing… • Telegram mirror

No matter how safe the Apple ecosystem may seem, unpleasant things sometimes happen to it. Now, first things first.
A relatively new macOS backdoor with the cute name ChillyHell has been found. Jamf Threat Labs came across a sample that someone uploaded to VirusTotal in May 2025, but it had technically been signed by Apple back in 2021. In other words, an officially “trusted” binary that, if so desired, behaves not merely “badly” but outright maliciously. It is a modular C++ backdoor for Intel machines that can load modules, update itself and sit in the system for a long time while masquerading as ordinary legitimate software.
What is especially jarring: Mandiant first mentioned a related malware family back in 2023 and linked it to a group they tracked as UNC4487 (the material described a targeted attack on a car insurance website used by government employees in Ukraine). But no details were published at the time, and part of the community simply did not react.
Jamf shows that ChillyHell uses three persistence mechanisms. Run as a regular user, it registers itself as a LaunchAgent; run with elevated privileges, as a LaunchDaemon. It also has a “backup airfield”: it writes an autostart line into ~/.zshrc, ~/.bash_profile or ~/.profile, so that every new terminal session brings it back up. On top of that, the attackers use timestomping, rewriting file timestamps to artificially age the files so they do not arouse suspicion.
The modular architecture makes ChillyHell noticeably more dangerous: it supports loading additional components, brute-forcing passwords, collecting local user names for targeted attacks and stealing credentials; in short, an excellent all-purpose tool for anyone planning a long, targeted operation on an infected machine. Meanwhile, the publicly accessible sample has been sitting in a Dropbox folder since 2021 and remained whitelisted.
It is not yet clear how many machines were actually compromised. The head of Jamf Threat Labs responded directly that it was “impossible to say” how many computers were infected, but judging by the architecture, analysts lean towards this being not a mass “wave” like a botnet but a tool for targeted attacks. Apple has already revoked the certificates associated with the sample, but that does not remove the threat for anyone who has had an instance running for a long time, operating autonomously.
On my own behalf, I’ll add that signatures != security; modularity plus multiple autostart mechanisms plus timestomping is a recipe for a quiet, long-term presence. So if you have Macs (especially Intel ones), it’s time to take off the rose-colored glasses.
What do I recommend?
1️⃣ Check /Library/LaunchDaemons and ~/Library/LaunchAgents for unusual plists and grep their contents against the names/hashes from the Jamf report
2️⃣ Check ~/.zshrc, ~/.bash_profile and ~/.profile for unfamiliar startup lines
3️⃣ Check signed apps, especially those obtained via third-party links/Dropbox (not through the App Store)
4️⃣ Sandbox suspicious binaries and watch their network activity (C2 communications are usually what gives ChillyHell away, since it switches protocols)
Open a terminal and enter the following:
ls ~/Library/LaunchAgents /Library/LaunchDaemons
— list the plists and look for unusual ones
grep -R "applet" ~/Library /Library /Users 2>/dev/null
— simple search by name
grep -E "applet|chrome_render|eDrawMax" -R /Users /Library 2>/dev/null
— search for indicators from the report
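An added check that goes one step beyond the commands above, written for this mirror and not part of the original post or the Jamf report: it parses launch-item plists with plistlib and flags programs that live in hidden or non-standard paths or are configured to restart themselves, scans a shell rc file for the kind of injected autostart line the post describes, and flags files whose modification time predates their birth time (the trace timestomping leaves behind on APFS). All sample plists, rc lines and timestamps are constructed; the TRUSTED_PREFIXES list and the rc patterns are assumptions to tune for your own fleet.

```python
import os
import plistlib
import re

# Constructed sample LaunchAgent plist in the shape of a persistence entry:
# program in a hidden directory under the user's home, started at login and
# restarted if it dies. Sample data only, not taken from the Jamf report.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.cache/applet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent: an application helper living under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed ~/.zshrc with one injected autostart line (line 3).
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup "$HOME/Library/.cache/applet" >/dev/null 2>&1 &
eval "$(pyenv init -)"
"""

# Heuristic list of locations a legitimate launch item normally points into;
# an assumption for this example, tune it to the machines being checked.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def audit_plist(data):
    """Return a list of findings for one LaunchAgent/LaunchDaemon plist."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:
        return ["unparseable plist: %s" % exc]
    args = plist.get("ProgramArguments") or []
    target = plist.get("Program") or (args[0] if args else None)
    if not target:
        return ["no Program/ProgramArguments key"]
    findings = []
    if not target.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted locations: " + target)
    if any(part.startswith(".") for part in target.split("/") if part):
        findings.append("hidden path component in program path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarted whenever it exits")
    return findings


# Patterns that rarely belong in a shell rc file: backgrounded binaries,
# temp or hidden paths, and download-and-execute one-liners.
RC_PATTERNS = [
    (re.compile(r"(^|\s)(nohup|setsid)\s"), "backgrounded process"),
    (re.compile(r"(/tmp/|/var/tmp/|/\.[^/\s\"']+/)"), "temp or hidden path"),
    (re.compile(r"(curl|wget)\s.*\|\s*(sh|bash|zsh)\b"), "download piped to shell"),
    (re.compile(r"&\s*$"), "command left running in background"),
]


def audit_rc(text):
    """Return (line_no, reason, line) for each suspicious non-comment line."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in RC_PATTERNS:
            if pattern.search(line):
                hits.append((number, reason, line))
                break
    return hits


def timestomp_suspect(birth_ts, mtime_ts, tolerance=1.0):
    """mtime older than birth time means the modification time was rewritten
    after the file was created on this volume. A lead, not proof: cp -p and
    archive extraction also produce this pattern for legitimate files."""
    return mtime_ts + tolerance < birth_ts


def check_file_timestamps(path):
    """Live check of a real file; st_birthtime only exists on macOS/BSD,
    so this returns None on Linux."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)
    if birth is None:
        return None
    return timestomp_suspect(birth, st.st_mtime)


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, "->", audit_plist(data) or "clean")
    for number, reason, line in audit_rc(SAMPLE_ZSHRC):
        print("zshrc line %d (%s): %s" % (number, reason, line))
    print("timestomp example:", timestomp_suspect(1_700_000_000, 1_600_000_000))
```

On a real Mac, feed audit_plist the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchDaemons, audit_rc the contents of the three rc files, and check_file_timestamps the path of any binary a launch item points at; treat every finding as something to look at, not as a verdict.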
Take care of yourself and your devices
#information_security