Patrick Wardle

Stoked for the next (ad)venture: "DoubleYou" techcrunch.com/2024/04/25/ex-… Cofounded w/ long-time friend @hexlogic, we're empowering those building security tools for Apple devices 🍎🛡️ And by bootstrapping this venture, our core value of democratizing security remains our focus!

@calif_io Very cool!🙌🏼Excited to read your (soon to be published?) technical report! ...and hey this would make for a great submission for a talk at #OBTS: objectivebythesea.org/v9/cfp.html

Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. Full story: open.substack.com/pub/calif/p/fi…

I'll also be there, so sign up if you want to learn some filesystem trickery

1/🚨 New stealer sample on #macOS, with codebase related to #Banshee variants. No code signature. Only one detection on VirusTotal at time of analysis. Shared by @malwrhunterteam. It disguises itself as a "System and filesystem monitor daemon" and goes straight for crypto wallets, credentials, and browser data. Read more below👇

🚨 macOS malware warning🍎: Attackers are abusing Google Ads and legitimate claude.ai shared chats to distribute a #MacSync malware variant via fake “Claude Code on Mac” install steps. The flow: User searches “Claude download mac” on Google, ... @AnthropicAI

It's really hard for the end user to avoid downloading malware, even the first two ads are #Clickfix and downloading macOS stealers. sites[.]google[.]com/view/cloud-version-08 Content -> 2[.]26[.]75[.]112/Hokojol claude-desktop-app[.]framer[.]ai Content -> greenactiv[.]com

Danke to @heiseonline for the coverage of our upcoming #OFTW v4 event in Berlin! 🇩🇪 heise.de/en/news/Mac-an… If you’re a student or getting into 🍎 security, apply to attend this free two-day event ...a few spots are still left!

UPD: Our previous post had visual inconsistencies, so we decided to re-upload it with the correct imagery. 1/ We're tracking new #Odyssey #macOS #stealer activity, and this one comes with a twist in delivery: the malicious script is embedded directly into a PLIST file. Key indicators of compromise include "/api/v1/bot/repeat/" with "socks" and "joinsystem" strings. The "socks" component suggests the malware may be turning infected machines into proxy nodes - not just stealing data, but potentially building a botnet-style relay infrastructure. More geo-info below 👇

¡Es un honor compartir que asistiré a @Ekoparty para hablar sobre la investigación de vulnerabilidades asistida por IA en sistemas operativos! 🌴 Gracias, @g0njxa, por ayudarme a escribir este mensaje 😁

Super stoked for #OFTW v4! Two days of hands-on training + talks for students / those getting into 🍎 security… all free! A few spots left, so don’t wait to apply! A big mahalo to @andyrozen and to @HPI_DE for hosting 🙏🏽

🧵Found something yummy. #macOS #malware packed with PyInstaller, 1 detection on VT. Could be testing phase, could be red team. Either way, it's packed with capabilities. Let me break it down 👇 packed: 5d40c757c85814b86733d66ffc9e325b1007ac98513a20ea13a871c6964f5ba4 unpacked:74bb3b7cc661cb7712ee4f0ed2170e4fb80cd2c36e00c53128bf7ee382889a49

1/ℹ️We found a fully-featured macOS #RAT that zero AV vendors detected at the time of discovery. Meet "3Crypt RAT/C2 Capability Tester" - a #macOS binary with deep recon, persistence, evasion, and lateral movement capabilities. No real C2 infra. But don't let that fool you. 👇

🛑 26 fake wallet apps on Apple’s App Store stole recovery phrases and private keys. They mimicked MetaMask and Coinbase, worked via China-region accounts, and used phishing, OCR, or injected code to capture seed phrases. 🔗 Read → thehackernews.com/2026/04/26-fak…

9to5mac.com/2026/04/22/mos… Just added these two samples to the @objective_see public macOS malware repo! ShadeStager (stealer): github.com/objective-see/… Phoenix (first stage persistent backdoor) github.com/objective-see/… PW: infect3d #SharingIsCaring

I did some digging on these IOCs from @patrickwardle and found a number of fake Claude and mac troubleshoot pages directing users to run curl commands to a C2 of arkypc[.]com. Some are still live. Full list of landing pages and payload here: github.com/motuariki/IOCs…

Appears to now be down: claudcode.playcode.io

@objective_see user pinged me about an active ClickFix attack: https://claudcode[.]playcode[.]io/ 1️⃣ Sponsored search result 2️⃣ Mirrors Claude Design page w/ ClickFix 3️⃣ Leads to (AMOS) stealer download/persistence Luckily BlockBlock's ClickFix detections will warn you 🛡️😍

Testing <redacted> in a VM and fed its output into “AI” …which first informed me my VM is not a “valid target,” then helpfully suggested how to fix that 😵‍💫😂

Hats off to Apple for bringing in some controls for ClickFix. But I'm pretty stoked with how Phorion builds on top of this at an enterprise level with our clipboard protection 🍎

It's true, we offer scholarships and free tickets to #OBTS 😇 Direct link to #OBTS v9 scholarship application: docs.google.com/forms/d/e/1FAI…

If a macOS “repair” script needs to download coreaudiod from apple[.]driver-store[.]com, that’s not support. That’s malware delivery. This one fingerprints architecture, fetches the matching Mach-O, and runs a PyInstaller-packed payload with launchctl. #macOS #Malware Lures used in this campaign: - coreaudiod - ChromeUpdater - Microsoft/Teams - Google Payload collects: - browser data, including cookies - Slack and Telegram collection - Discord artifacts - Keychain-adjacent data access Clean lure. Dirty payload. Samples: 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 e8ee6f5145c9d503c5130bfc6585567f6e19d409158c3c0ca0b259f1875b15f4 d4e863f9818bfb2f1dd932df6441dff204e6142c3bdb55b298cb08dc7b6a0c62 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a