A previously dormant macOS threat, ChillyHell, is re-emerging. Read how this malware can bypass security checks, remain hidden, and install itself permanently to control your Mac.
A dormant macOS threat is showing signs of new life, according to a report from cybersecurity firm Jamf. The company has been closely monitoring a macOS backdoor named ChillyHell, which has been active since 2021.
The malware was first brought to light in 2023 by cybersecurity firm Mandiant and was originally linked to a threat actor tracked as UNC4487, known for targeting a Ukrainian auto insurance website to deliver the MATANBUCHUS malware.
The latest research by the Jamf Threat Labs team revealed that a new sample, built for Intel-based Macs, was uploaded to VirusTotal on May 2nd, 2025, showing the malware is still evolving. As shown in the image, a “zero” detection score on VirusTotal is very unusual for such a threat.
Further probing reveals that ChillyHell has a modular design, which allows it to have multiple functions. Moreover, it could be used for remote access, dropping additional payloads, or even cracking passwords.
More importantly, this malware even passed Apple’s notarization process, which is designed to check apps for malicious content. This means the malware was signed and notarised under a developer identity. The malicious file had also been publicly hosted on Dropbox since 2021.
How ChillyHell Stays Hidden
As is well known, most malware leaves clues for security researchers to find, but ChillyHell is unusual in the care it takes to remain hidden. For example, the malware performs a technique called timestomping to change the timestamps on the files it creates. This makes them appear older than they are, making it difficult to trace when the attack happened.
The malware also changes the way it communicates with its control servers to avoid detection. Furthermore, to stay hidden from the user, the malware opens a decoy Google.com page in a browser, which can minimise suspicion.

“It opens a decoy URL (google.com) in the default web browser for reasons not fully known at this time, although the current belief is to minimize user suspicion.” – Jamf Threat Labs
The report, shared with Hackread.com, goes into detail about how the malware works. For example, to ensure it stays on a computer, the malware supports three different ways to install itself permanently:
- As a LaunchAgent, it starts whenever a user logs in.
- As a LaunchDaemon, it starts with the computer itself, even before a user logs in.
- Through shell profile injection, so that it runs whenever a new command window (shell session) is opened.
Additionally, it can execute various tasks, including connecting to a remote server to give the attacker a command line to control the computer, or even to crack user passwords.
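As an added example (not code from the Jamf report or from the malware itself), the small Python audit below applies the defender-side checks the article implies: a LaunchAgent/LaunchDaemon plist that auto-runs a binary from a hidden or temporary directory, a shell profile line that backgrounds such a binary, and the ctime-versus-mtime gap that timestomping via utime(2) leaves behind. The label, paths and profile contents are constructed samples, and the hidden-directory and temp-directory heuristics are assumptions, not indicators from the report.

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Constructed sample inputs (hypothetical, not taken from the Jamf report):
# a LaunchAgent plist and a shell profile with an appended launcher line.
SAMPLE_PLIST = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/.hidden/updater"],
    "RunAtLoad": True,
}
SAMPLE_ZSHRC = "export PATH=$PATH:/usr/local/bin\n/Users/alice/Library/.hidden/updater &\n"
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")  # assumed heuristic

def suspicious_timestamps(path, slack=3600):
    """utime(2) can rewrite atime/mtime but never ctime, so a file whose mtime is
    much older than its ctime was probably timestomped (or copied/restored: a lead, not proof)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack

def launch_item_findings(plist_path):
    """Flag a LaunchAgent/LaunchDaemon that auto-runs a hidden or temp-dir binary."""
    with open(plist_path, "rb") as f:
        item = plistlib.load(f)
    prog = (item.get("ProgramArguments") or [item.get("Program", "")])[0]
    findings = []
    if item.get("RunAtLoad") and ("/." in prog or prog.startswith(SUSPICIOUS_DIRS)):
        findings.append(f"{plist_path}: RunAtLoad -> {prog}")
    if suspicious_timestamps(plist_path):
        findings.append(f"{plist_path}: mtime far older than ctime (possible timestomping)")
    return findings

def profile_findings(profile_path):
    """Flag shell-profile lines that background a command or reference a hidden dir."""
    findings = []
    for n, line in enumerate(Path(profile_path).read_text().splitlines(), 1):
        s = line.strip()
        if s.endswith("&") or "/." in s:
            findings.append(f"{profile_path}:{n}: {s}")
    return findings

def demo():
    """Write the samples to a temp dir, backdate the plist, and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        plist = Path(d) / "com.example.updater.plist"
        plist.write_bytes(plistlib.dumps(SAMPLE_PLIST))
        old = time.time() - 3 * 365 * 86400
        os.utime(plist, (old, old))  # emulate timestomping: mtime moves, ctime does not
        rc = Path(d) / ".zshrc"
        rc.write_text(SAMPLE_ZSHRC)
        return launch_item_findings(str(plist)) + profile_findings(str(rc))
```

Running `demo()` returns three findings: the auto-run entry, the timestamp gap on the plist, and the backgrounded launcher line in the profile. On a real Mac the same functions can be pointed at `~/Library/LaunchAgents`, `/Library/LaunchDaemons` and the user's shell profiles.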
The good news is that the Jamf team worked with Apple to quickly revoke the developer certificates associated with the malware. However, this discovery highlights a troubling new reality that “not all malicious code comes unsigned,” and that threats are quickly advancing on macOS.