ChillyHell first surfaced on public malware repositories in early May 2025, although its developer-signed notarization dates back to 2021.
This modular backdoor has eluded detection by major antivirus vendors despite leveraging Apple’s own notarization process to appear legitimate.
By masquerading as a benign macOS applet, ChillyHell gains an initial foothold on target machines before deploying its sophisticated attack routines.
Jamf analysts noted that initial samples were delivered through compromised websites hosting what appeared to be productivity tools.
Once executed, the malware invokes a host-profiling routine that gathers detailed system information, including user directories, shell environments, and active process lists.
This reconnaissance allows the backdoor to tailor its next actions to the victim’s environment, minimizing the risk of execution errors on diverse macOS configurations.
Following this early analysis, Jamf researchers identified ChillyHell’s dual-stage persistence strategy.
In non-privileged contexts, it installs itself as a LaunchAgent, placing a plist at ~/Library/LaunchAgents/com.apple.qtop.plist and the main binary at ~/Library/com.apple.qtop/qtop. When elevated privileges are available, it transitions to a LaunchDaemon, writing to /Library/LaunchDaemons/com.apple.qtop.plist and /usr/local/bin/qtop.
In either case, these mechanisms guarantee execution upon login or system boot, effectively transforming infected hosts into long-term assets.
In addition to launch services, ChillyHell incorporates a stealthy fallback by injecting a launch command into the user’s shell profile.
It detects the active shell—be it Zsh, Bash, or sh—then appends an invocation line to the appropriate RC file.
This ensures that even if launch services are disabled or removed, the malware reactivates during any new terminal session.
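The persistence locations described above are fixed paths, which makes them straightforward to audit. The script below is an added example written for this page, not Jamf's tooling or anything recovered from the malware: it checks the four artifact paths named in the write-up, parses any launchd plist it finds with the standard plistlib module to show which program the job starts, and scans the common shell RC files for a line that launches the qtop binary (the list of RC file names and the regular expression are my assumptions; the sample plist and .zshrc text are constructed for the demonstration).

```python
"""Audit macOS persistence locations for the ChillyHell artifacts named above.

Added example, not Jamf's tooling. It is read-only: it reports what it finds
and changes nothing. The sample plist and RC text at the bottom are constructed.
"""
import plistlib
import re
from pathlib import Path

HOME = Path.home()

# Artifact paths reported for ChillyHell in the write-up.
QTOP_PATHS = [
    HOME / "Library/LaunchAgents/com.apple.qtop.plist",
    HOME / "Library/com.apple.qtop/qtop",
    Path("/Library/LaunchDaemons/com.apple.qtop.plist"),
    Path("/usr/local/bin/qtop"),
]

# Shell startup files the RC-file fallback could append to (assumed list).
RC_FILES = [".zshrc", ".zprofile", ".bashrc", ".bash_profile", ".profile"]

# A line that references a qtop binary in one of the two known locations.
QTOP_RE = re.compile(r"(Library/com\.apple\.qtop/qtop|/usr/local/bin/qtop)")


def plist_program(plist_bytes: bytes) -> dict:
    """Return the Label, launched program and run flags from a launchd plist."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    return {
        "label": data.get("Label"),
        "program": program,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def rc_invocations(rc_text: str) -> list[str]:
    """Return the non-comment lines of an RC file that launch a qtop binary."""
    hits = []
    for line in rc_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and QTOP_RE.search(stripped):
            hits.append(stripped)
    return hits


def audit_host() -> list[str]:
    """Collect findings from the live filesystem of the machine this runs on."""
    findings = []
    for path in QTOP_PATHS:
        if path.exists():
            findings.append(f"artifact present: {path}")
            if path.suffix == ".plist":
                try:
                    info = plist_program(path.read_bytes())
                    findings.append(f"  launchd job {info['label']} runs {info['program']}")
                except Exception as exc:  # a malformed plist is itself worth reporting
                    findings.append(f"  unparseable plist: {exc}")
    for name in RC_FILES:
        rc = HOME / name
        if rc.is_file():
            for hit in rc_invocations(rc.read_text(errors="replace")):
                findings.append(f"rc persistence in {rc}: {hit}")
    return findings


# Constructed samples, not recovered from a real infection.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.qtop</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/qtop</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_ZSHRC = """# user aliases
alias ll='ls -la'
~/Library/com.apple.qtop/qtop &
export PATH="$HOME/bin:$PATH"
"""

if __name__ == "__main__":
    print(plist_program(SAMPLE_PLIST))
    print(rc_invocations(SAMPLE_ZSHRC))
    for finding in audit_host():
        print(finding)
```

A reverse-domain label starting with com.apple under a user's LaunchAgents directory is itself a cue worth flagging in a broader sweep, since Apple's own agents do not live there; the path list here is deliberately limited to what the write-up reports.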
Persistence Tactics and Timestamp Manipulation
ChillyHell’s persistence routines are further bolstered by timestamp manipulation, designed to evade forensic analysis.
After creating its LaunchAgent or LaunchDaemon artifacts, the malware calls _utime() to backdate the files' creation and modification times. If the direct call fails because of insufficient permissions, it falls back to shell commands:
touch -c -a -t 202101010000 /Library/LaunchDaemons/com.apple.qtop.plist
touch -c -m -t 202101010000 /usr/local/bin/qtop
This approach not only obscures the true installation date but can inadvertently manipulate APFS birth timestamps, making detection by timeline analysis tools more difficult.
By carefully selecting a date close to genuine system events, ChillyHell effectively hides its artifacts among legitimate OS updates and user-initiated changes.
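Backdating with utime() or touch -t leaves a detectable trace: those calls rewrite a file's access and modification times to whatever the caller chooses, but the kernel still sets the inode change time (ctime) to the moment of the call, so a file whose mtime sits years before its own ctime was "modified" before it was last touched. The check below is an added example written for this page, not Jamf's code, and demonstrates the timeline analysis the write-up recommends; the gap threshold, the FileTimes structure and the sample stat values are my own constructions.

```python
"""Flag launchd plists and binaries whose timestamps look backdated.

Added example, not Jamf's code. utime()/touch -t set mtime (and atime) freely,
but the kernel updates ctime to "now" when it applies the change, so a large
gap between a file's mtime and its ctime is the residue of backdating. The
sample timestamps at the bottom are constructed.
"""
import os
import time
from dataclasses import dataclass
from typing import Optional

BACKDATE_GAP = 24 * 3600  # flag when mtime is more than a day older than ctime


@dataclass
class FileTimes:
    path: str
    mtime: float                      # content modification time (forgeable)
    ctime: float                      # inode change time (set by the kernel)
    birthtime: Optional[float] = None  # APFS creation time, None if unavailable


def backdating_indicators(ft: FileTimes, gap: float = BACKDATE_GAP) -> list[str]:
    """Return the reasons this file's timestamps look manipulated (empty if none)."""
    reasons = []
    if ft.ctime - ft.mtime > gap:
        days = (ft.ctime - ft.mtime) / 86400
        reasons.append("mtime predates inode change time by %.0f days" % days)
    if ft.birthtime is not None and ft.birthtime - ft.mtime > gap:
        days = (ft.birthtime - ft.mtime) / 86400
        reasons.append("mtime predates birth time by %.0f days" % days)
    return reasons


def times_from_stat(path: str) -> FileTimes:
    """Read the timestamps of a live file (st_birthtime exists only on macOS/BSD)."""
    st = os.stat(path)
    return FileTimes(path, st.st_mtime, st.st_ctime, getattr(st, "st_birthtime", None))


def scan_launchd_dirs(dirs=("/Library/LaunchDaemons",
                            os.path.expanduser("~/Library/LaunchAgents"))) -> dict:
    """Walk the launchd directories and report every file that shows indicators."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p):
                hits = backdating_indicators(times_from_stat(p))
                if hits:
                    report[p] = hits
    return report


# Constructed sample: a plist written on 2025-05-15 and then backdated to
# 2021-01-01 00:00 with touch -t 202101010000, as in the commands above.
NOW = time.mktime((2025, 5, 15, 12, 0, 0, 0, 0, -1))
BACKDATED = time.mktime((2021, 1, 1, 0, 0, 0, 0, 0, -1))
SAMPLE_BACKDATED = FileTimes("/Library/LaunchDaemons/com.apple.qtop.plist",
                             mtime=BACKDATED, ctime=NOW, birthtime=NOW)
# Constructed sample of an ordinary job: edited an hour ago, created a month ago.
SAMPLE_NORMAL = FileTimes("/Library/LaunchDaemons/com.example.agent.plist",
                          mtime=NOW - 3600, ctime=NOW - 3600,
                          birthtime=NOW - 30 * 86400)

if __name__ == "__main__":
    print(backdating_indicators(SAMPLE_BACKDATED))
    print(backdating_indicators(SAMPLE_NORMAL))
    for path, hits in scan_launchd_dirs().items():
        print(path, hits)
```

Two caveats for use in practice. The ctime comparison is the one to rely on: as the write-up notes, backdating can also shift the APFS birth time, so the birth-time indicator may stay silent on a real sample. And installers that preserve source timestamps (cp -p, pkg payloads) also produce files whose mtime is older than their ctime, so a hit is a lead for timeline correlation with install logs rather than a verdict on its own.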
Once persistence is established, ChillyHell proceeds to its main command loop, mainCycle(), after a randomized delay.
The backdoor alternates between HTTP and DNS transports, polling hardcoded C2 servers at 93.88.75.252 and 148.72.172.53 over ports 53, 80, 1001, and 8080.
Each cycle fetches new task descriptors, decodes Base64 payloads, and dynamically loads modules such as ModuleBackconnectShell
for interactive reverse shells, ModuleUpdater
for self-updating capabilities, and ModuleSUBF
for local password brute-forcing.
By combining notarization abuse, multi-layered persistence mechanisms, and timestamp evasion, ChillyHell represents a significant advancement in macOS threats.
Cybersecurity teams should prioritize monitoring of LaunchService plists and shell RC files, as well as implement timeline analysis to detect anomalous file modification dates.
Continued collaboration between researchers and platform vendors is essential to mitigate the evolving tactics of notarized macOS malware.