PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.
You might observe the following artifacts associated with this threat:
Binaries under /Library/protect/wsus/bin/, such as goed, wsus, and center, and a LaunchDaemon labeled com.apple.goed, both named to mimic legitimate system services.

PasivRobber is distributed via a signed installer package (pkg). Its pre-install script removes any persistence mechanisms left by an earlier install, and its post-install script verifies the macOS version before deploying the main payload. The payload includes architecture-specific binaries placed in /Library/protect/wsus/bin/.
The malware comprises several components:
goed: Launched at startup via a LaunchDaemon, it initiates the infection chain by executing wsus.
wsus: Handles remote actions, including updates via FTP, uninstallation through RPC messages, and configuration management using encrypted .ini files. It also captures screenshots and extracts data from instant messaging applications.
center: Acts as an on-device agent, collecting system information and monitoring user activity. It uses the apse binary to inject malicious code into running applications such as WeChat, QQ, and WeCom, then re-signs the modified applications so they still carry a valid code signature and continue to launch normally.
PasivRobber employs several obfuscation techniques:
Mimicking legitimate system processes by naming binaries similarly (e.g., goed vs. Apple's geod).
Using a .gz extension for its plugin dynamic libraries instead of .dylib, so the Mach-O files look like compressed archives on disk.
Hiding the installer from standard software lists and using deceptive Developer IDs.
The suite includes 28 plugins (named zero_*.gz) that target various data sources, parsing data from plists, SQLite databases, and more. Each plugin implements a _GetPluginName() function for identification and stores collected data in SQLite tables.
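The following script is an added example for hunting the artifacts described above on a filesystem; it is not Kandji's code or any part of PasivRobber. It checks three things drawn from the description: the payload directory and its known binary names, LaunchDaemon plists whose com.apple.* label points at a program outside Apple-owned paths (the goed versus geod style of mimicry), and zero_*.gz plugin files whose first bytes are a Mach-O header rather than gzip's 1f 8b. The list of Apple-owned path prefixes and the plugin directory used in the constructed sample tree are assumptions; on a live host you would call hunt("/") instead of the demo tree.

```python
"""Hunt for PasivRobber-style artifacts under a root directory.

Added example, not Kandji's or the malware author's code. Artifact names come
from the write-up; the sample tree built by build_sample_tree() is constructed
data, and the plugin directory inside it is an assumption.
"""
import os
import plistlib
import tempfile

# Mach-O magic values: 32/64-bit thin images in both byte orders, plus fat/universal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}
GZIP_MAGIC = b"\x1f\x8b"

PAYLOAD_DIR = "Library/protect/wsus/bin"
KNOWN_BINARIES = {"goed", "wsus", "center"}
# Where Apple's own launchd jobs normally point (assumed list; extend as needed).
APPLE_OWNED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")


def macho_disguised_as_gz(path):
    """True if a file named *.gz carries a Mach-O header instead of gzip's 1f 8b."""
    if not path.endswith(".gz"):
        return False
    with open(path, "rb") as f:
        head = f.read(4)
    return head in MACHO_MAGICS


def mimic_daemon(plist_path):
    """Return (label, program) for a LaunchDaemon that claims a com.apple.* label
    but runs a program outside Apple-owned paths; None otherwise."""
    with open(plist_path, "rb") as f:
        job = plistlib.load(f)
    label = job.get("Label", "")
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    if label.startswith("com.apple.") and not program.startswith(APPLE_OWNED_PREFIXES):
        return label, program
    return None


def hunt(root):
    """Return a list of (kind, path, detail) findings under root ("/" on a live host)."""
    findings = []
    bin_dir = os.path.join(root, PAYLOAD_DIR)
    if os.path.isdir(bin_dir):
        present = sorted(set(os.listdir(bin_dir)) & KNOWN_BINARIES)
        findings.append(("payload_dir", bin_dir, present))
    daemons = os.path.join(root, "Library/LaunchDaemons")
    if os.path.isdir(daemons):
        for name in sorted(os.listdir(daemons)):
            if name.endswith(".plist"):
                hit = mimic_daemon(os.path.join(daemons, name))
                if hit:
                    findings.append(("mimic_daemon", name, hit))
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("zero_") and macho_disguised_as_gz(path):
                findings.append(("macho_as_gz", path, None))
    return findings


def build_sample_tree(root):
    """Construct a fake infected filesystem (sample data, not a real capture)."""
    bin_dir = os.path.join(root, PAYLOAD_DIR)
    plugin_dir = os.path.join(root, "Library/protect/wsus/plugins")  # assumed location
    daemons = os.path.join(root, "Library/LaunchDaemons")
    for d in (bin_dir, plugin_dir, daemons):
        os.makedirs(d, exist_ok=True)
    for name in KNOWN_BINARIES:
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)        # 64-bit Mach-O header stub
    with open(os.path.join(plugin_dir, "zero_wechat.gz"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)            # dylib hiding behind .gz
    with open(os.path.join(plugin_dir, "zero_real.gz"), "wb") as f:
        f.write(GZIP_MAGIC + b"\x08\x00" + b"\x00" * 28)       # genuine gzip, must not fire
    with open(os.path.join(daemons, "com.apple.goed.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.goed", "RunAtLoad": True,
                       "ProgramArguments": ["/Library/protect/wsus/bin/goed"]}, f)
    with open(os.path.join(daemons, "com.apple.example.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.example",
                       "ProgramArguments": ["/usr/libexec/example"]}, f)


def demo():
    """Build the sample tree in a temp dir and run the hunt over it."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return hunt(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail or "")
```

The magic-byte check is the part worth keeping even if the paths change in a later variant: renaming a dylib to .gz does not change its first four bytes, so any file whose extension says "archive" but whose header says Mach-O deserves a look regardless of name.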
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, related artifacts can remain on the system; check the artifact locations listed above and clean up anything left behind manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.