A macOS backdoor has operated under the radar for years, combining detailed process reconnaissance with an Apple notarization that stayed valid the whole time.
Jamf Threat Labs recently uncovered a developer-signed sample on VirusTotal that used sophisticated endpoint profiling and established persistence using several different mechanisms.
The malware, dubbed ChillyHell, has evaded popular antivirus detections even as its lineage traces back to campaigns that targeted high-value Ukrainian government users.
ChillyHell is not an unknown entity in the threat landscape. Initially detailed in a private 2023 Mandiant report, this malware was loosely linked to attacks against Ukrainian officials.
In one case, the threat actor (UNC4487) compromised a Ukrainian auto insurance website—mandated for use by government employees—delivering the MATANBUCHUS malware.
This access was then sold off to other malicious parties. ChillyHell was uncovered when Mandiant followed the trail of code-signing certificates used by MATANBUCHUS, exposing two different macOS samples: one bundled with a covert SSH server, and another stripped-down variant.
Notably, the more fully featured eDrawMaxBeta sample was notarized by Apple under Team ID F645668Q3H, while its counterpart, chrome_render, signed under Team ID R868N47FV5, was not.
In May 2025, Jamf researchers encountered a new ChillyHell sample (applet.app) on VirusTotal, notarized in 2021 and signed under the same Team ID as the earlier chrome_render variant.
This sample, despite being publicly hosted on Dropbox for years, remained notarized and undetected—a testament to the malware operator’s evasion skills.
Deep Machine Profiling
The analyzed executable is a modular C++ backdoor that masquerades as a harmless applet but contains none of the AppleScript functionality a benign macOS applet would carry.
Its true purpose is activated upon execution, when it immediately collects environmental data and sets up persistence.
Host Profiling: ChillyHell's OS::StartupLogic() profiles the host by enumerating user accounts through directory services, harvesting environment variables such as $HOME, $PATH, and $SHELL, and collecting the list of running processes both through API calls and by running shell commands (ps ax).
The collected host metadata is embedded in a DNS query that the malware uses to obtain tasking.

It also determines which user context it is running in, again using both direct system calls and shell commands.
Persistence: Perhaps ChillyHell’s greatest stealth is its versatile persistence trifecta:
- LaunchAgent (User Context): Installs itself for execution upon user login via a LaunchAgent property list and drops its binary into the user’s library.
- LaunchDaemon (Root/System Context): If running with elevated privileges, ChillyHell sets itself up system-wide as a LaunchDaemon, ensuring execution at boot and higher privilege.
- Shell Profile Injection: As a fallback, it modifies the active user's shell configuration files (e.g., .zshrc, .bash_profile), injecting launch commands so the implant starts each time a new terminal session is opened.
During installation, the malware also employs "timestomping", using low-level APIs and touch shell commands to set the timestamps of its files and artifacts far back in time.
This obscures both the presence and the true age of the implant, making timeline-based forensic detection significantly harder.
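As an added example (not Jamf Threat Labs tooling and not code from the article), the following Python hunt script checks a home directory for the three persistence mechanisms described above and adds a timestamp-consistency check for timestomped artifacts. The directory layout, the plist labels, the dropped-binary path and the injected shell-profile line are all constructed fixtures, and the heuristics (an executable under the user's home or a temp dir, a nohup/background launch line in a shell profile, a ctime far newer than the mtime) are assumptions of mine rather than indicators from the report.

```python
"""Hunt for ChillyHell-style persistence and timestomped files on macOS.

Added example, not Jamf Threat Labs tooling. Heuristics are assumptions drawn
from the article: a launchd job that runs a binary from the user's home or a
temp dir, a launch line injected into a shell profile, and files whose mtime
was rewritten with utimes()/touch -t.
"""
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path

TMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SECONDS_PER_DAY = 86400
# Shell-profile lines that background a process or run from a user-writable
# path. Expect some benign hits: this is a triage signal, not a verdict.
PROFILE_LAUNCH = re.compile(r"(^|\s)nohup\s|/Library/\S+|/tmp/\S+|\s&\s*$")


def launchd_finding(plist_bytes, plist_path, home):
    """Flag a launchd job whose executable lives under `home` or a temp dir."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    exe = job.get("Program") or (args[0] if args else None)
    if not exe:
        return None
    exe_path = Path(os.path.expanduser(exe))
    if exe_path.is_relative_to(home) or str(exe_path).startswith(TMP_DIRS):
        return {"type": "launchd", "plist": plist_path, "label": job.get("Label"),
                "exe": str(exe_path), "run_at_load": bool(job.get("RunAtLoad"))}
    return None


def profile_findings(profile_text, profile_path):
    """Non-comment shell-profile lines that look like injected launch commands."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        text = line.strip()
        if text and not text.startswith("#") and PROFILE_LAUNCH.search(text):
            hits.append({"type": "shell_profile", "file": profile_path,
                         "line": lineno, "text": text})
    return hits


def timestomp_gap_days(path):
    """Days by which ctime (inode change time) is newer than mtime.

    utimes()/touch -t rewrite atime and mtime (and on APFS can drag the birth
    time back too), but the kernel sets ctime to "now" when they do, so a big
    positive gap means mtime was rewritten long after the content last changed.
    Files restored with preserved timestamps show the same gap: triage, not proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) / SECONDS_PER_DAY


def hunt(home, system_root=Path("/"), gap_threshold_days=30.0):
    """Run the launchd, shell-profile and timestamp checks; return findings."""
    findings = []
    for d in (home / "Library/LaunchAgents", system_root / "Library/LaunchDaemons"):
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            f = launchd_finding(plist.read_bytes(), str(plist), home)
            if f is None:
                continue
            for p in (plist, Path(f["exe"])):
                if p.exists() and timestomp_gap_days(p) > gap_threshold_days:
                    f.setdefault("timestomped", []).append(str(p))
            findings.append(f)
    for name in (".zshrc", ".zprofile", ".bash_profile", ".bashrc"):
        p = home / name
        if p.is_file():
            findings.extend(profile_findings(p.read_text(), str(p)))
    return findings


def build_sample_tree():
    """Constructed fixture: a fake home with all three persistence artifacts."""
    root = Path(tempfile.mkdtemp(prefix="chillyhell_demo_"))
    home = root / "Users/alice"
    (home / "Library/LaunchAgents").mkdir(parents=True)
    (root / "Library/LaunchDaemons").mkdir(parents=True)
    exe = home / "Library/Caches/.update"          # dropped binary (made-up path)
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"\xcf\xfa\xed\xfe")           # Mach-O magic; content irrelevant
    old = time.mktime((2015, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(exe, (old, old))                      # what `touch -t 201501010000` does
    agent = {"Label": "com.example.update", "ProgramArguments": [str(exe)],
             "RunAtLoad": True, "KeepAlive": True}
    benign = {"Label": "com.vendor.helper", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"]}
    daemon = {"Label": "com.example.sys", "Program": "/private/tmp/.sys", "RunAtLoad": True}
    for d, job in ((home / "Library/LaunchAgents", agent),
                   (home / "Library/LaunchAgents", benign),
                   (root / "Library/LaunchDaemons", daemon)):
        (d / f"{job['Label']}.plist").write_bytes(plistlib.dumps(job))
    (home / ".zshrc").write_text('export PATH="$HOME/bin:$PATH"\n'
                                 "alias ll='ls -la'\n"
                                 f'nohup "{exe}" >/dev/null 2>&1 &\n')
    return root, home


if __name__ == "__main__":
    root, home = build_sample_tree()
    for finding in hunt(home, system_root=root):
        print(finding)
```

On a real host you would call hunt(Path.home()) and leave system_root at "/"; the ctime check is the only one of the three that survives the APFS birth-time quirk, because utimes() cannot set ctime, so a timestomped file still shows a change time that matches the moment it was stomped.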
C2 Initialization: ChillyHell establishes connectivity via TransportInit(), checking for internet reachability and then cycling through a hardcoded list of C2 servers over DNS and HTTP.
A caveat on the timestomping above: because of how APFS handles timestamps, setting a file's modification time earlier than its birth (creation) time can also pull the birth time back, so the usual "modified before created" consistency check will not necessarily expose the tampering.

Its main control loop (mainCycle()) continually retrieves, deduplicates, and executes attacker commands, including:
- Spawning reverse shells through pseudo-terminal backconnects.
- Downloading self-updates and arbitrary payloads.
- Running local brute force attacks against user passwords via a dedicated Kerberos tool and wordlist, with cracked credentials exfiltrated to the attackers.
ChillyHell exemplifies the modern macOS threat: modular, persistent through multiple vectors, and adept at blending in via notarization and timestomping.
The fact that it remained notarized and publicly available for years underscores the detection challenges defenders face on macOS.
The flexibility provided by its three-pronged persistence methods and modular architecture augments its threat potential, particularly when paired with credential theft and password brute-forcing capabilities.
This campaign is a crucial reminder that notarization alone is not a guarantee of safety—and that persistent, evolving threats continue to target macOS environments.
Jamf Threat Labs credited Google Threat Intelligence and Apple for rapid response and certificate revocation efforts, but further vigilance is essential as attackers refine these methods.