Kandji Quarterly Threat Intelligence Report: May 2025
Alex Gartner

4 min read

Welcome to the Iru Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Iru is responding in real time. In each edition, we break down key threat discoveries and the protections we’ve deployed to keep customer devices secure.

Threat Intelligence
macOS Vulnerabilities: A Year of Security Research at Iru
Alex Gartner

10 min read

Iru security researchers have been hard at work hunting for vulnerabilities in macOS, reporting them to Apple before malicious actors can exploit them. This proactive approach is a cornerstone of our product strategy, benefiting not just our customers but the entire Apple ecosystem.

Threat Intelligence
PasivRobber: Chinese Spyware or Security Tool?
Nick Zolotko, Christopher Lopez, & Adam Kohler

28 min read

On March 13, 2025, our team found a suspicious Mach-O file on VirusTotal named wsus. After our initial analysis of this file and the package that installed it, we discovered over 20 related binaries used to capture data from macOS systems and applications, including WeChat, QQ, web browsers, and email. This multi-binary suite indicates a deep understanding of macOS and of the targeted applications. The targeted applications and other observed network connections strongly indicate both a Chinese origin and a Chinese target user base.

Threat Intelligence
Caught in the WebKit: Getting Tangled with CVE-2025-24201
Shwena Kak & Candace Jensen

4 min read

Web browsers are the gateway to the internet and a ubiquitous fixture of every enterprise device, which makes them a critical point of exposure. When managing your fleet you may ask: are we aware of the vulnerabilities affecting our users’ browsers? Vulnerability databases are a great place to start, but the widespread use of shared codebases makes it harder to trace a single reported flaw to every product that inherits it.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3
Csaba Fitzl

10 min read

Over the past two parts of this series, we’ve explored vulnerabilities in macOS’s diskarbitrationd daemon. In part 1, we explored how an attacker could use it to escape the sandbox or escalate privileges. In part 2, we explored how a directory traversal attack could be used to bypass Transparency, Consent, and Control (TCC) protections. Each of these vulnerabilities highlighted the risks posed by weaknesses in macOS’s system daemons and how attackers could chain them together for even more impact.

Threat Intelligence
DPRK DriverEasy & ChromeUpdate Deep Dive
Christopher Lopez

16 min read

Over the last few months, several Swift applications have been attributed to North Korea’s Contagious Interview campaign. These applications are presented to victims as part of a fake job interview process. SentinelOne recently published a blog post on “Flexible Ferret” and other related applications, including two named ChromeUpdate (originally covered by dmpdump in their blog post) and CameraAccess. Moonlock Lab also recently covered the ChromeUpdate and CameraAccess applications in a blog post that provided an overview of what they do.

Threat Intelligence
Banshee Rust Rewrite?
Christopher Lopez

9 min read

Infostealers targeting macOS are evolving rapidly, making continuous monitoring essential, and our team is always on the lookout for new variants. Many infostealers share similar behaviors aimed at exfiltrating data from compromised systems. These similarities can make it difficult to distinguish one infostealer family from another without a deep understanding of what to look for.

Threat Intelligence
Potential Stealer: Purrglar in Progress
Christopher Lopez & Nick Zolotko

28 min read

Unlike traditional viruses or ransomware, stealers are designed with a singular purpose: to quietly infiltrate systems and exfiltrate sensitive data—often without the victim even realizing it. These malicious programs are highly focused on gathering personal information, usually to be sold or used for further criminal activity.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 2
Csaba Fitzl

18 min read

Iru's Threat Research team recently performed an audit of the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities. Our team reported all of them to Apple through their responsible disclosure program, and now that they have been fixed, we are releasing the details in this blog series. This is part two.

Threat Intelligence
Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1
Csaba Fitzl

20 min read

The Iru team is always looking for ways to help keep your devices secure. In line with that, our Threat Research team performed an audit of the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities, including sandbox escapes, local privilege escalations, and TCC bypasses. Our team reported all of them to Apple through their responsible disclosure program, and now that they have been fixed, we are releasing the details.

Threat Intelligence
It’s About The Journey: Fake Cloudflare Authenticator
Adam Kohler & Christopher Lopez

23 min read

To provide the best possible coverage for Iru EDR, the threat intelligence team conducts threat hunts across a variety of data feeds. On October 15th, 2024 we came across a suspicious-looking file on VirusTotal named Cloudflare Security Authenticator/cloudflare-auth-tauri. The file had been uploaded from China that same day, was unsigned, and carried the dropper tag. At the time of this writeup, the application had 0 detections on VirusTotal.

Threat Intelligence
Another PDF Viewer - Is It Malicious?
Christopher Lopez

15 min read

For security researchers, sometimes spending time reversing a potentially suspicious file does not result in it being malicious. There is always something to learn from these efforts, and sometimes they can result in an interesting story even if it does not result in malware. I considered not writing this up but decided (with some help from friends) to release this as an article that details the process of trying to determine if something is malicious. This is one such story: it details a PDF that requires a specific PDF viewer application in order to open and extract an encrypted embedded PDF to display to the user, which is definitely a little strange.

Threat Intelligence
TodoSwift Disguises Malware Download Behind Bitcoin PDF
Christopher Lopez

19 min read

A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK)—specifically the threat actor known as BlueNoroff—such as KandyKorn and RustBucket; given these commonalities, we believe this new malware—which we’re dubbing TodoSwift—is likely from the same source.

Threat Intelligence
InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords
Christopher Lopez

13 min read

On July 29, @4n6Bexaminer tweeted about a new macOS stealer. Moments later, Hunt.io tweeted about the same new malware and then released a blog post about it on July 30. That post focused primarily on the malicious bash scripts that were downloaded from the command-and-control (C2) server and then executed as the second stage.

Threat Intelligence
Dock Tile Plugins Could Be Used to Escalate Privileges
Csaba Fitzl

4 min read

I recently came across a persistence feature in macOS that's tied to Dock tile plugins.

Threat Intelligence