PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.
Symptoms
You might observe the following artifacts associated with this threat:
- Presence of unfamiliar binaries in /Library/protect/wsus/bin/, such as goed, wsus, and center.
- Installation of a LaunchDaemon labeled com.apple.goed, mimicking legitimate system services.
- Unexpected prompts for system credentials or unusual network activity, including FTP connections.
- Altered or re-signed versions of applications like WeChat and QQ.
Technical Breakdown
PasivRobber is distributed via a signed installer package (pkg) that contains a pre-install script to remove existing persistence mechanisms and a post-install script that verifies the macOS version before deploying the main payload. The payload includes architecture-specific binaries placed in /Library/protect/wsus/bin/.
The malware comprises several components:
- goed: Launched at startup via a LaunchDaemon, it initiates the infection chain by executing wsus.
- wsus: Handles remote actions, including updates via FTP, uninstallation through RPC messages, and configuration management using encrypted .ini files. It also captures screenshots and extracts data from instant messaging applications.
- center: Acts as an on-device agent, collecting system information and monitoring user activity. It uses the apse binary to inject malicious code into running applications like WeChat, QQ, and WeCom, re-signing them after injection so that their code signatures remain valid.
PasivRobber employs several obfuscation techniques:
- Mimicking legitimate system processes by naming binaries similarly (e.g., goed vs. Apple's geod).
- Using .gz extensions for plugin dynamic libraries instead of .dylib to conceal their true nature.
- Hiding the installer from standard software lists and using deceptive Developer IDs.
The suite includes 28 plugins (named zero_*.gz) that target various data sources, parsing data from plists, SQLite databases, and more. Each plugin implements a _GetPluginName() function for identification and stores collected data in SQLite tables.
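To triage a Mac for the artifacts listed under Symptoms and the disguised zero_*.gz plugins, here is an added POSIX shell helper; it is not Kandji's tooling or code from the original profile. The function names are mine, and the placement of the plugins somewhere under /Library/protect is an assumption, since the profile does not give their directory.

```shell
#!/bin/sh
# Added triage helper, not Kandji's tooling: prints one "HIT ..." line for each
# PasivRobber artifact named in this profile. ROOT defaults to "" (the live
# system) and may point at a mounted disk image or a constructed test tree.
pasivrobber_scan() {
    root="${1:-}"
    bindir="$root/Library/protect/wsus/bin"

    # 1. Component binaries dropped in /Library/protect/wsus/bin/
    for name in goed wsus center apse; do
        [ -e "$bindir/$name" ] && echo "HIT binary: $bindir/$name"
    done

    # 2. A LaunchDaemon whose label mimics Apple's geod (com.apple.goed)
    for plist in "$root"/Library/LaunchDaemons/*.plist; do
        [ -f "$plist" ] || continue
        grep -q 'com\.apple\.goed' "$plist" && echo "HIT launchdaemon: $plist"
    done

    # 3. Plugins named zero_*.gz anywhere under /Library/protect (their exact
    #    subdirectory is an assumption). A genuine gzip stream starts with the
    #    bytes 1f 8b; a dylib renamed to .gz does not, which is the disguise
    #    described above.
    if [ -d "$root/Library/protect" ]; then
        find "$root/Library/protect" -type f -name 'zero_*.gz' | while read -r gz; do
            magic=$(od -An -tx1 -N2 "$gz" | tr -d ' \n')
            [ "$magic" = "1f8b" ] || echo "HIT disguised plugin: $gz (magic: ${magic:-empty})"
        done
    fi
    return 0
}

# Number of artifacts found; 0 means none of the listed indicators are present.
pasivrobber_hit_count() {
    pasivrobber_scan "$1" | { grep -c '^HIT' || true; }
}

# On a live Mac, run as root with no argument: pasivrobber_scan
```

A hit on the .gz magic check means the file is not a gzip archive at all, which is exactly the renamed-dylib trick described above; a clean gzip file passes.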
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.