Cuckoo is an info stealer that typically masquerades as legitimate macOS software such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords as well as to record audio and video from an infected system.
You might observe the following artifacts associated with this threat:
Developed in Objective-C, Cuckoo has typically been seen running from a Mach-O binary called upd. The upd binary was first seen packaged with shovelware. Since then it has evolved to masquerade as legitimate macOS software such as the Homebrew package manager and Google Chrome.
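A quick hunt for that artifact, as an added example that is not Kandji's tooling and not part of the original page: it walks a set of directories for regular files named upd and reports only those whose first bytes are a Mach-O (or fat) magic number, together with a SHA-256 you can compare against published indicators. The search roots and the constructed sample tree it builds are assumptions; a hit still needs confirmation (codesign -dv, a hash lookup, or comparison with Kandji's published indicators), because a legitimately named upd binary is possible.

```python
"""
Hunt for Mach-O binaries named 'upd' on a live macOS system or mounted image.

Added example for this page: not Kandji's code and not part of Cuckoo. The
only fact taken from the text is that the stealer has been seen running from
a Mach-O binary named 'upd'. The search roots and the sample tree built by
build_sample_tree() are assumptions / constructed test data.
"""
import hashlib
import os
import tempfile

# First four bytes of a Mach-O file on disk: thin images in both byte orders
# plus fat (universal) headers. FAT_MAGIC (0xCAFEBABE) is also the Java
# class-file magic, so a hit on it deserves a second look.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     32-bit
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     32-bit, byte-swapped
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  what Intel and Apple silicon builds look like on disk
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}

# Assumed places a dropped binary tends to land; these roots are not from the page.
DEFAULT_ROOTS = [
    "/Applications",
    "/tmp",
    "/private/var/tmp",
    os.path.expanduser("~/Library"),
    os.path.expanduser("~/Downloads"),
]


def is_macho(path):
    """True if the file begins with a Mach-O or fat magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_macho_named(roots, name="upd"):
    """
    Walk each root and return sorted (path, sha256) pairs for regular files
    named `name` that carry a Mach-O magic. Symlinks are skipped and
    unreadable or missing directories are ignored, so the hunt survives
    partial access (e.g. no Full Disk Access for ~/Library subfolders).
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda exc: None):
            if name not in files:
                continue
            candidate = os.path.join(dirpath, name)
            if os.path.islink(candidate) or not os.path.isfile(candidate):
                continue
            if is_macho(candidate):
                hits.append((candidate, sha256_of(candidate)))
    return sorted(hits)


def build_sample_tree():
    """
    Constructed test data, not real malware: a fake Mach-O named 'upd' in a
    nested folder, a shell script also named 'upd' (wrong format) and a fake
    Mach-O named 'updater' (wrong name). Only the first should be reported.
    Returns (root, path_of_expected_hit).
    """
    root = tempfile.mkdtemp(prefix="cuckoo-hunt-")
    nested = os.path.join(root, "Library", "Application Support")
    os.makedirs(nested)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 60  # MH_CIGAM_64 header bytes + padding
    target = os.path.join(nested, "upd")
    with open(target, "wb") as fh:
        fh.write(fake_macho)
    with open(os.path.join(root, "upd"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho not a stealer\n")
    with open(os.path.join(root, "updater"), "wb") as fh:
        fh.write(fake_macho)
    return root, target


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for path, digest in find_macho_named([sample_root] + DEFAULT_ROOTS):
        print(f"{digest}  {path}")
```

Run it as the affected user so ~/Library expands correctly, and grant the terminal Full Disk Access if you want protected folders covered; directories it cannot read are silently skipped rather than aborting the sweep.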
Some of Cuckoo's capabilities include:
Update (5/29/2026): Cuckoo Malware Evolves
Further community investigation revealed that Cuckoo has evolved, with its domains now hosted in Russia.
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file itself is removed, the infection can leave behind artifacts that need to be cleaned up manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.