L0Psec

My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_Blo… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.

ClickFix has quickly become one of the biggest social engineering threats facing Mac users. In the latest Security Bite Podcast by @9to5mac, @arinwaichulis sits down with @osint_barbie from Moonlock Lab and @L0Psec to unpack why ClickFix works so well, who it targets, and how Mac malware is evolving in 2026. Listen here: 9to5mac.com/2026/05/11/sec…

@txhaflaire @malwrhunterteam Awesome thanks!

@L0Psec @malwrhunterteam Yeah it is linked to DPRK and more specifically Mach-o Man. quetzal.bitso.com/p/north-koreas…

Another cool share by @malwrhunterteam: 5d67f810bea19b9c3489e0981559af4340be39f188460938c7b11fea854ed06e. Currently has 7 VT hits, potentially DPRK? (based on detections) Most interesting thing is that it is signed: Alex Lopez (VLV25ZF66P)

postInfo() does what is expected. curl is used for the post request. set up and passed to system()

get_browser_extentions() called from buildPostBody() has readable strings related to most common browser paths. mixing camelCase and snake_case....

sys_info() func passes command strings via arg1 to runOne() which calls popen(). Can see related commands via references.

Quick summary. This looks familiar. C2 is passed via launch arg. Can see that with normalizeBaseUrl() func. Most functions called from buildPostBody() which does the info gathering.

@txhaflaire @patrickwardle appreciate ya'll!

@L0Psec Thanks for sharing @patrickwardle and uploading it onto the Objective-see malware repo. It also has made it's way onto other platforms fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142

Anyone have the hash of the python backdoor ~/.local/share/kitty/cat.py related to the Nx Console VSCode ext?🐱 sets persistence via LaunchAgent: com.user.kitty-monitor.plist. plist looks like it was uploaded to VT: 9ba33f7b640f1fbe9304c969978278a73664b9b9989689f352e5f973ae31cbf5

@vxunderground If anyone has the hash for this cat.py (backdoor) please share :)

I'M BEING FRAMED

@txhaflaire 🤣 had a feeling I was not the only one looking.

@L0Psec Been looking for this as well! we could ask the user "heyang" hah!

@SquiblydooBlog great question by the way. still possible to exec with clearing the quarantine flag (which a lot of samples do with xattr anyways). But this is different to adhoc in that gatekeeper expects a file be notarized when signed with dev ID.

@SquiblydooBlog Signing and notarization are two separate things. So these are an example of a the dev using their cert to sign the app. BUT not submitting it to Apple to be notarized (which does get scanned) and is for distributing out of App Store. So with a quarantine flag you'll see this.

Here's two potentially interesting ones shared by @malwrhunterteam. They have many adaptixC2 detections BUT were signed. com.shizhuang.itrustd. Several other files have this signature. 🧵

afe15045abdbd4a64f7d865e39d4ee0d3e9deb4d68261652a3aeb74529fc7f08 43fdeb2d20581ec089e01ab48ba6acc7266389c65cc22ea921abdc895f6f4725

They both talk to 43.133.164\.200 which currently has 2 VT hits. And there are other files with detections that are communicating as well, including PE files.

@greglesnewich Nah, I’m the same. (Unless we both boring lol) I use so many VMs for RE that I just use the default terminal out of comfort. Just got to increase the font size because I’m aging 😂

Am I boring for using the normal terminal on my MacBook instead of an aftermarket one?

@horsepower Zn6/zc6. New chassis you won’t have 20-30 year old car problems. Fa20 is great. Overfill and send it.

Half of me wants to settle for an E36, ZN6, or G37 as a starting base. The other half of me wants to go ahead and jump the gun on an S13 or S14.

DMG - 31fc6e6e7b67cd5f3790631c11bcfe81dfcb7be25e1e50cde9418b05b9cd6f80 machO - 6d979466596978ffcb633a0b8c47adedd0778555c0e513fc3d3c84bcef6f036b appstore\.ms snowpersone\.com

Running the sample to observe the curl calls, we can see the domains and also the subdomains ("usa" and "asia") used along with snowpersone\.com.

Quick post about a stealer masquerading as DocuSign shared by @malwrhunterteam: 6d979466596978ffcb633a0b8c47adedd0778555c0e513fc3d3c84bcef6f036b (macho - 6 VT hits) and uses simple XOR for strings. 🧵