L0Psec

My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_Blo… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.

both Alex Lopez (VLV25ZF66P) singed: 0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - has telegram function c02c1f13c76f598634d32de19166db6f3f89b14eabd884bdde52bdcf3cf3d163 - more detections, no telegram functionality.

Interestingly, it checks if macOS version is > 24.6 with the macOSProductVersionGreaterThan_26_4() function. If greater, then the telegram function is called. Also the use of "best effort" in function deleteSelfExecutableBestEffort() is hilarious.

More DPRK (mach-O man) Alex Lopez signed samples shared by @malwrhunterteam: 0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - winapp. 6 VT hits, very similar to last one covered but there's a couple updates I'll add here. 🧵

⏳Only one month left to apply for "Objective for the We" (#OFTW) v4.0 #OFTW is a free 🍏-security event empowering the next generation: 📍 Berlin 🗓️ July 30–31, 2026 More info/to apply: objective-see.org/oftw/v4.html

ClickFix has quickly become one of the biggest social engineering threats facing Mac users. In the latest Security Bite Podcast by @9to5mac, @arinwaichulis sits down with @osint_barbie from Moonlock Lab and @L0Psec to unpack why ClickFix works so well, who it targets, and how Mac malware is evolving in 2026. Listen here: 9to5mac.com/2026/05/11/sec…

@txhaflaire @malwrhunterteam Awesome thanks!

@L0Psec @malwrhunterteam Yeah it is linked to DPRK and more specifically Mach-o Man. quetzal.bitso.com/p/north-koreas…

Another cool share by @malwrhunterteam: 5d67f810bea19b9c3489e0981559af4340be39f188460938c7b11fea854ed06e. Currently has 7 VT hits, potentially DPRK? (based on detections) Most interesting thing is that it is signed: Alex Lopez (VLV25ZF66P)

postInfo() does what is expected. curl is used for the post request. set up and passed to system()

get_browser_extentions() called from buildPostBody() has readable strings related to most common browser paths. mixing camelCase and snake_case....

sys_info() func passes command strings via arg1 to runOne() which calls popen(). Can see related commands via references.

Quick summary. This looks familiar. C2 is passed via launch arg. Can see that with normalizeBaseUrl() func. Most functions called from buildPostBody() which does the info gathering.

@txhaflaire @patrickwardle appreciate ya'll!

@L0Psec Thanks for sharing @patrickwardle and uploading it onto the Objective-see malware repo. It also has made it's way onto other platforms fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142

Anyone have the hash of the python backdoor ~/.local/share/kitty/cat.py related to the Nx Console VSCode ext?🐱 sets persistence via LaunchAgent: com.user.kitty-monitor.plist. plist looks like it was uploaded to VT: 9ba33f7b640f1fbe9304c969978278a73664b9b9989689f352e5f973ae31cbf5

@vxunderground If anyone has the hash for this cat.py (backdoor) please share :)

I'M BEING FRAMED

@txhaflaire 🤣 had a feeling I was not the only one looking.

@L0Psec Been looking for this as well! we could ask the user "heyang" hah!

@SquiblydooBlog great question by the way. still possible to exec with clearing the quarantine flag (which a lot of samples do with xattr anyways). But this is different to adhoc in that gatekeeper expects a file be notarized when signed with dev ID.

@SquiblydooBlog Signing and notarization are two separate things. So these are an example of a the dev using their cert to sign the app. BUT not submitting it to Apple to be notarized (which does get scanned) and is for distributing out of App Store. So with a quarantine flag you'll see this.

Here's two potentially interesting ones shared by @malwrhunterteam. They have many adaptixC2 detections BUT were signed. com.shizhuang.itrustd. Several other files have this signature. 🧵

afe15045abdbd4a64f7d865e39d4ee0d3e9deb4d68261652a3aeb74529fc7f08 43fdeb2d20581ec089e01ab48ba6acc7266389c65cc22ea921abdc895f6f4725

They both talk to 43.133.164\.200 which currently has 2 VT hits. And there are other files with detections that are communicating as well, including PE files.