Kandji Quarterly Threat Intelligence Report: May 2025
Alex Gartner

4 min read

Welcome to the Iru Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Iru is responding in real time. In each edition, we break down key threat discoveries and the protections we’ve deployed to keep customer devices secure.

Threat Intelligence
macOS Vulnerabilities: A Year of Security Research at Iru
Alex Gartner

10 min read

Iru security researchers have been hard at work hunting for vulnerabilities in macOS, reporting them to Apple before malicious actors can exploit them. This proactive approach is a cornerstone of our product strategy, benefiting not just our customers but the entire Apple ecosystem.

Threat Intelligence
PasivRobber: Chinese Spyware or Security Tool?
Nick Zolotko, Christopher Lopez, & Adam Kohler

28 min read

On March 13, 2025, our team found a suspicious Mach-O file on VirusTotal named wsus. After our initial analysis of this file and the package that installed it, we discovered over 20 related binaries used to capture data from macOS systems and applications, including WeChat, QQ, web browsers, and email clients. This multi-binary suite indicates a deep understanding of both macOS and the targeted applications. The applications targeted, together with other observed network connections, strongly indicate both a Chinese origin and a Chinese target user base.

Threat Intelligence
Survey Results: The Top Content and Communities for IT & Security Pros
Iru Team

11 min read

Are you curious where your peers get updates on the latest IT and security news? Or maybe you have an inside scoop on a resource or conference that deserves more recognition? We were curious, too. So we took the question to our community in a broad survey of professionals, from security experts to technology leaders and admins. The responses gave us great insight into where IT and security practitioners are gathering online and in person, including the top:

Reports
Caught in the WebKit: Getting Tangled with CVE-2025-24201
Shwena Kak & Candace Jensen

4 min read

Web browsers are the gateway to the internet and a ubiquitous fixture of every enterprise device, which makes them a critical point of exposure. When managing your fleet you may ask: are we aware of the vulnerabilities affecting our users' browsers? Vulnerability databases are a good place to start, but the widespread reuse of common codebases such as WebKit makes it harder to trace and recognize a single vulnerability that affects multiple products.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3
Csaba Fitzl

10 min read

In the first two parts of this series, we explored vulnerabilities in macOS's diskarbitrationd daemon. In part 1, we showed how an attacker could use it to escape the sandbox or escalate privileges. In part 2, we showed how a directory traversal could be used to bypass Transparency, Consent, and Control (TCC) protections. Each of these vulnerabilities highlighted the risk posed by weaknesses in macOS system daemons and how attackers can chain them together for even greater impact.
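
The directory traversal the series refers to is a generic bug class: a privileged daemon joins a caller-controlled relative path onto a directory it is allowed to touch, and `..` components walk the result out of that directory. The snippet below is an added illustration in Python, not code from the series, from Apple's daemons, or the specific diskarbitrationd bug (which this excerpt does not detail). It places the naive join beside a hardened resolver; the root directory `PROTECTED_ROOT` and the sample paths are constructed for the example and need not exist on disk.

```python
import os

# Constructed example: a service that may only touch files beneath one fixed
# root directory, given a path supplied by an unprivileged caller.
# The root is a hypothetical path (assumption); it need not exist for the
# checks below to run.
PROTECTED_ROOT = "/var/service/allowed"


def naive_resolve(root: str, user_path: str) -> str:
    """Unsafe pattern: join and normalise without checking the result.

    Any "../" components in user_path walk out of root; this is the
    directory-traversal bug class."""
    return os.path.normpath(os.path.join(root, user_path))


def is_within_root(root: str, candidate: str) -> bool:
    """True only if candidate (after symlink resolution) lies under root."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:
        # Raised when the paths share no prefix at all (e.g. different
        # drives on Windows); treat that as an escape.
        return False


def safe_resolve(root: str, user_path: str) -> str:
    """Hardened version: resolve first, then refuse anything that left root.

    Raises ValueError for traversal attempts instead of returning a path."""
    # Reject absolute input outright: os.path.join would silently drop root.
    if os.path.isabs(user_path):
        raise ValueError(f"absolute paths not allowed: {user_path!r}")
    candidate = os.path.join(os.path.realpath(root), user_path)
    if not is_within_root(root, candidate):
        raise ValueError(f"path escapes root: {user_path!r}")
    return os.path.realpath(candidate)


def escapes_root(root: str, user_path: str) -> bool:
    """Does the naive join land outside root? (what the attacker relies on)"""
    return not is_within_root(root, naive_resolve(root, user_path))


def rejected_by_safe_resolve(root: str, user_path: str) -> bool:
    """Does the hardened resolver refuse this input?"""
    try:
        safe_resolve(root, user_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed inputs: one benign relative path and two traversal attempts.
    samples = ["logs/app.log", "../../../etc/passwd", "logs/../../../../etc/hosts"]
    for p in samples:
        print(f"{p!r:40} naive -> {naive_resolve(PROTECTED_ROOT, p)}")
        try:
            print(f"{'':40} safe  -> {safe_resolve(PROTECTED_ROOT, p)}")
        except ValueError as e:
            print(f"{'':40} safe  -> rejected ({e})")
```

The check must run on the fully resolved path, not on the raw string: filtering `..` substrings misses encoded variants and symlinks, whereas comparing `realpath` results against the real root catches both. In a daemon that serves many callers the same idea applies to every path parameter it accepts over XPC or IPC, not just file names.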

Threat Intelligence
DPRK DriverEasy & ChromeUpdate Deep Dive
Christopher Lopez

16 min read

Over the last few months, several Swift applications have been attributed to North Korea's Contagious Interview campaign. These applications are presented to victims as part of a fake job interview process. SentinelOne recently published a blog post on "Flexible Ferret" and related applications, including two named ChromeUpdate (originally covered by dmpdump in their blog post) and CameraAccess. Moonlock Lab also recently covered the ChromeUpdate and CameraAccess applications in a blog post that gave an overview of what they do.

Threat Intelligence
Vulnerability Management: First Unified Platform to Detect & Remediate on Mac
Matt Day

4 min read

With attackers exploiting vulnerabilities three times more frequently than last year, managing vulnerabilities across a Mac fleet requires comprehensive visibility and timely action. Today, the Iru team is excited to announce Iru Vulnerability Management, which helps IT and security teams identify and remediate vulnerabilities through a unified workflow.

Product News
Banshee Rust Rewrite?
Christopher Lopez

9 min read

Infostealers targeting macOS are evolving rapidly, so our team monitors them continuously. Many infostealers share similar behaviors aimed at exfiltrating data from compromised systems. In fact, these similarities can make it difficult to distinguish one infostealer family from another without a deep understanding of what to look for.

Threat Intelligence
How to Manage Activation Lock: A Guide for Apple Admins
Mike Boylan

10 min read

Activation Lock is a theft-deterrent feature of iOS and iPadOS devices and of modern Macs (those with the Apple T2 Security Chip or Apple silicon). When such a device is set up again after being erased, it checks with Apple's servers to see whether Activation Lock is on. If it is, the device requires the owner's Apple Account password before it can be used again (reactivated). This effectively removes the device's resale value, making it less attractive to thieves.

Thought Leadership
Potential Stealer: Purrglar in Progress
Christopher Lopez & Nick Zolotko

28 min read

Unlike traditional viruses or ransomware, stealers are designed with a single purpose: to quietly infiltrate a system and exfiltrate sensitive data, often without the victim ever noticing. These programs focus on gathering credentials and personal information, usually to be sold or used for further criminal activity.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 2
Csaba Fitzl

18 min read

Iru's Threat Research team recently audited the macOS diskarbitrationd and storagekitd system daemons and uncovered several vulnerabilities. We reported all of them to Apple through its responsible disclosure program, and now that they are fixed we are releasing the details in this blog series. This is part two.

Threat Intelligence
Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1
Csaba Fitzl

20 min read

The Iru team is always looking for ways to help keep your devices secure. In that spirit, our Threat Research team audited the macOS diskarbitrationd and storagekitd system daemons and uncovered several vulnerabilities, including sandbox escapes, local privilege escalations, and TCC bypasses. We reported all of them to Apple through its responsible disclosure program, and now that they are fixed we are releasing the details.

Threat Intelligence
It’s About The Journey: Fake Cloudflare Authenticator
Adam Kohler & Christopher Lopez

23 min read

In order to provide the best possible coverage for Iru EDR, the threat intelligence team conducts threat hunts across various data feeds. On October 15th, 2024, we came across a suspicious-looking file on VirusTotal named Cloudflare Security Authenticator/cloudflare-auth-tauri. The file had been uploaded from China that same day, was unsigned, and carried the dropper tag. As of this write-up, the application had 0 detections on VirusTotal.

Threat Intelligence
Another PDF Viewer - Is It Malicious?
Christopher Lopez

15 min read

For security researchers, sometimes spending time reversing a potentially suspicious file does not result in finding malware. There is always something to learn from these efforts, and sometimes they make for an interesting story even when the file turns out to be benign. I considered not writing this up but decided (with some help from friends) to release it as an article that details the process of trying to determine whether something is malicious. This is one such story: a PDF that requires a specific PDF viewer application in order to open, which then extracts an encrypted embedded PDF to display to the user. Definitely a little strange.

Threat Intelligence