Ferdous Saljooki
@malwarezoo

416 posts

staff macOS security researcher @jamfsoftware views are my own

Toronto. Joined June 2017
387 Following, 820 Followers
Ferdous Saljooki retweeted
Thijs Xhaflaire @txhaflaire
Are you using Visual Studio Code? Then this new blog from Jamf Threat Labs might have some takeaways for you! In this blog, we’ll shed light on newer techniques being used by DPRK-linked threat actors related to Contagious Interview, including a newly observed backdoor component. jamf.com/blog/threat-ac… #malware #git #macos #ThreatHunting #jamf
Ferdous Saljooki retweeted
Objective-See Foundation @objective_see
🎉 A decade of Mac malware research 🎉 Just published our 10th annual “The Mac Malware of <year>” report ...2025 edition! For each new sample of 2025, covers: 🔎 IoCs 💉 Infection 💾 Persistence 📡 Capabilities ☣️ Samples for download Dive in 👇 objective-see.org/blog/blog_0x84…
Ferdous Saljooki retweeted
Thijs Xhaflaire @txhaflaire
New research just published by Jamf Threat Labs, dissecting the new DigitStealer malware. Read more about it here! jamf.com/blog/jtl-digit…
Ferdous Saljooki @malwarezoo
Another awesome #OBTS in the books! It was great catching up with friends, meeting new people, and hearing so many excellent talks. Huge thanks to @patrickwardle and @andyrozen for putting on such an amazing event.
Ferdous Saljooki retweeted
Anastasiia Kiosieva @Mrs_Moof
Great talk by Sal @malwarezoo about malware bypassing macOS Gatekeeper
Mussy@Mu55sy

🧾 Coroner’s report: Subject: malicious app Cause of death: CDHash revocation Status: …sits up and walks out. “Revoked, Not Dead” just opened Day 3 at #OBTS 🍏 and Ferdous Saljooki @malwarezoo went full Die Hard: the villain isn’t gone—Gatekeeper bypass + CDHash runtime gap lets already-revoked, ad-hoc–signed malware run without re-signing. Yippee-ki-yay, revocation. Takeaways for hunters: look for ad-hoc executables launching post-revocation, odd quarantine/xattr states, and Gatekeeper/AMFI logs that don’t match the “kill switch” story. Only here do “dead” binaries get a sequel—and you leave with the script to catch them.

Ferdous Saljooki retweeted
Doc Dave @forensicdave
Sal (@malwarezoo) from @jamf gave an excellent talk at #OBTS of how Apple tracks and revokes malicious apps. But Revoked doesn’t always mean Vanquished! Sal found a Gatekeeper/CDHash weakness that brings blocked apps back to life — no re-signing required. #CVE-2025-43296
Ferdous Saljooki retweeted
Objective-See Foundation @objective_see
Stoked for this #OBTS talk (and congrats on the CVE @malwarezoo)! ...but phew, Apple cutting it close on the patch!⌛️😅
Ferdous Saljooki@malwarezoo

Excited to be presenting again at #OBTS to share my research on how Apple revokes ad-hoc signed malware. Just in time for my talk, CVE-2025-43296 fixes a user-assisted Gatekeeper bypass allowing revoked ad-hoc signed malware to execute. Be sure to check out "Revoked, Not Dead: When CDHash Revocation Fails to Kill."

Ferdous Saljooki @malwarezoo
Excited to be presenting again at #OBTS to share my research on how Apple revokes ad-hoc signed malware. Just in time for my talk, CVE-2025-43296 fixes a user-assisted Gatekeeper bypass allowing revoked ad-hoc signed malware to execute. Be sure to check out "Revoked, Not Dead: When CDHash Revocation Fails to Kill."
Ferdous Saljooki retweeted
Patrick Wardle @patrickwardle
The new What’s Your Sign v1.3.0 adds tons of requested features from built-in update checks, CD hashes, & more! Big mahalo to @malwarezoo for input/testing! 🙏 (and don’t miss his #OBTS v8 talk: “Revoked, Not Dead: When CDHash Revocation Fails to Kill”) objective-see.org/products/whats…
Ferdous Saljooki retweeted
Patrick Wardle @patrickwardle
macOS Tahoe ships with a 0day ...based on a bug disclosed 8(!) years ago at #OBTS v1.0 🫣 New post: "From Spotlight to Apple Intelligence: Abusing an 0day to steal the data that fuels macOS AI": objective-see.org/blog/blog_0x81… ...with open-source PoC! Takeaway? Always attend #OBTS 😄
L0Psec @L0Psec
@malwarezoo Super cool! Thanks for sharing. Looks like a fun sample :)
Ferdous Saljooki @malwarezoo
Excited to share our research on ChillyHell, a modular macOS backdoor targeting officials in Ukraine. Check out our write-up for more details. jamf.com/blog/chillyhel…
Ferdous Saljooki retweeted
xiu @osint_barbie
Highly recommend reading this great article by @JamfSoftware😍 jamf.com/blog/chillyhel… Some IOCs (see the write-up for the full list 😉): - Mach-O: 6a144aa70128ddb6be28b39f0c1c3c57d3bf2438 - Team IDs: R868N47FV5, F645668Q3H - IPs: 93[.]88[.]75[.]252, 148[.]72[.]172[.]53
xiu @osint_barbie
@malwarezoo Awesome! Thanks for your work 🫶
Ferdous Saljooki @malwarezoo
It’s an honor to be speaking at #OBTS again alongside so many incredible researchers. I’ll be sharing simple bugs that bypass Gatekeeper and CDHash revocation, allowing revoked ad-hoc signed malware to run without any re-signing.
Objective-See Foundation@objective_see

📢 Just dropped: the full #OBTS v8 talk lineup! objectivebythesea.org/v8/talks.html And for the first time we'll have 3 full days of presentations! 🤩 Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task! 😫

Ferdous Saljooki retweeted
Thijs Xhaflaire @txhaflaire
Jamf Threat Labs uncovered a new variant of the Odyssey Infostealer — signed and notarized at the time of discovery. This variant includes backdoor functionality and techniques that align with recent Atomic Stealer research by @moonlock_lab. More here: jamf.com/blog/signed-an…
Ferdous Saljooki @malwarezoo
BlueNoroff has been actively targeting victims in the crypto space. On macOS, they've used Script Editor for initial access and are now leveraging Automator to bypass Gatekeeper checks. Here are two lures that cleverly download additional payloads and display a decoy PDF, all via Automator workflows. Victim instructions: "Click 'Run' button at the top right to extract and open PDF" 1/n