{
	"id": "896fb10e-548e-4cee-978f-4d43400ba77a",
	"created_at": "2026-04-06T00:11:08.626933Z",
	"updated_at": "2026-04-10T03:35:25.989044Z",
	"deleted_at": null,
	"sha1_hash": "14fd8917a4b31953cdcb63e2a686e3fdd7d6139d",
	"title": "Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1177373,
	"plain_text": "Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS\r\nBy mindgrub\r\nPublished: 2022-03-22 · Archived: 2026-04-05 13:24:37 UTC\r\nIn late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions.\r\nGIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective-C, with Windows versions written in both .NET and Delphi. Despite core differences in programming languages used and operating systems targeted, Volexity tracks the malware under the same name due to shared C2 architecture, file paths, and behavioral patterns used by all variants.\r\nhttps://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/\r\nPage 1 of 10\n\nFigure 1. The GIMMICK workflow\r\nThis blog post provides an in-depth analysis of the macOS variant of GIMMICK, but also demonstrates the features and characteristics of the Windows variant. 
Volexity discovered this sample through memory analysis of the compromised system and was able to recover the implant from both memory and disk. The file name and install path were unique to the victim system and had been configured in a manner designed to blend in with the job functions of the user. Additionally, GIMMICK was configured to only communicate with its Google Drive-based C2 server on working days in order to further blend in with network traffic in the target environment.\r\nThe SHA1 hash of the file Volexity was able to obtain from disk was “fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8”.\r\nVolexity worked closely with Apple to add protections for the GIMMICK malware across their userbase. On March 17, 2022, Apple pushed new signatures to XProtect and MRT to block and remove GIMMICK. Though on by default, users can confirm they are automatically protected by verifying the “Install system data files and security updates” box is checked in their Settings (instructions can be found here).\r\nStartup and Initialization\r\nOn macOS, GIMMICK was found to support being launched as a daemon on the system or by a user. Should GIMMICK be launched directly by a user, rather than as a daemon, it will install itself as a launch agent by dropping a PLIST file with contents similar to that shown below to /Users/\u003cusername\u003e/Library/LaunchAgents. The name of the binary, PLIST, and agent will vary per sample. In the case observed by Volexity, the implant was customized to imitate an application commonly launched by the targeted user. It is worth noting that the Windows versions of GIMMICK Volexity has observed have no concept of setting their own persistence.\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!-- tags reconstructed from the flattened rendering of the original PLIST; the RunAtLoad value is assumed to be <true/> -->\r\n<plist version=\"1.0\">\r\n<dict>\r\n  <key>Label</key>\r\n  <string>com./[applicationname].va.plist</string>\r\n  <key>ProgramArguments</key>\r\n  <array>\r\n    <string>/Users/#####/Library/Preferences/[pathto/binary]</string>\r\n  </array>\r\n  <key>RunAtLoad</key>\r\n  <true/>\r\n  <key>StartInterval</key>\r\n  <integer>30</integer>\r\n  <key>ThrottleInterval</key>\r\n  <integer>2</integer>\r\n  <key>WorkingDirectory</key>\r\n  <string>/Users//Library/Preferences/[applicationname]</string>\r\n</dict>\r\n</plist>\r\nLikewise, the implant provides an uninstall function accessible by adding the argument “uninstall” on the command line. This removes the implant and all associated files, and then kills the process.\r\nDuring initialization, the sample decodes several pieces of data critical to the malware operation using a rotating addition algorithm.\r\nThe first decoding loop results in a JSON object containing OAuth2 credentials for establishing a session to Google Drive. An example JSON object is shown in Figure 2:\r\nFigure 2. An example JSON object containing credentials required to authenticate with Google Drive\r\nThe second loop decodes the 32-byte string “943c3743f72f06e58e60fa147481db83”. This string is run through an additional conversion stage that converts two characters at a time into a numeric representation and writes the resulting byte to a buffer. This buffer is used as an AES key in several calls to the CCCrypt() function.\r\nFigure 3. AES key conversion\r\nThe final decode is done in place and its result is a 200-byte binary blob of configuration data, with only a few seemingly visible data boundaries.\r\nFigure 4. Config blob\r\nOutside of this data obfuscation, and the use of AES for certain external files, the malware makes little attempt to obfuscate its functionality or presence on the system.\r\nC2 Protocol\r\nPost initialization, the operation of the GIMMICK malware is highly asynchronous. 
Prior variants of the malware written for Windows have managed this using thread pool techniques internal to the program, provided by Delphi’s System.Threading.TThreadPool and .NET’s System.Thread and System.Action. The macOS variant, however, manages the protocol using Apple’s Grand Central Dispatch (GCD) technology. This feature allows developers to distribute tasks to a system-managed pool of threads for later processing. These tasks are encapsulated into self-contained objects called blocks which are scheduled on dispatch queues for processing. The precise structures and implementation details of GCD are fairly complicated and beyond the scope of this document; several resources are provided in the Appendix.\r\nThere are three custom Objective-C classes in the malware that manage critical aspects of the C2 protocol: DriveManager, FileManager, and GCDTimerManager.\r\nDriveManager has several responsibilities:\r\n- Manage the Google Drive and proxy sessions.\r\n- Maintain a local map of the Google Drive directory hierarchy in memory.\r\n- Manage locks for synchronizing tasks on the Google Drive session.\r\n- Handle download and upload tasks to and from the Google Drive session.\r\nBased on the way command files are enumerated by the malware, the Google Drive appears to be populated with a directory for each infected host. The name of this directory differs slightly by platform. Windows implants generate a unique GUID to operate as their ID, while the macOS implant uses Apple’s own Hardware UUID for the task.\r\nFileManager manages a local directory hierarchy containing C2 information and command tasks in various stages of completion. Older variants of GIMMICK used slightly different names for directories, but they have remained consistent across several recent variants. 
The macOS implant stores this hierarchy in the root directory of the application’s main bundle in a directory named “MGD”. Each folder within the directory structure is designated for holding a single type of file as it moves through the C2 process. A summary of all directories and their purposes is given in the table below.\r\nName | Interpreted Meaning | Contents\r\ntmp | Temporary | Temporary safe location for writing files; no dispatch code is checking files in this directory\r\nc | Credentials | Stores the AES-encrypted credentials JSON decoded during initialization\r\ne | Errors | Stores error logs as individual files; errors are reported as opaque integral values of usually four digits\r\np | Proxies | Stores proxy definition files consisting of a host and port separated by a “:”\r\nu | Upload Command | Stores AES-encrypted command results pending upload\r\nd | Download Command | Stores pending download command files, each containing the Google Drive path of a command file to be downloaded\r\nds | Download Success | Storage location for downloaded AES-encrypted command files awaiting processing\r\ndf | Download Failed | Temporary location for failed download commands until they can be retried or cleared\r\nl | List Command | Stores pending list command files that indicate the directory of the Google Drive from which to download commands\r\nls | List Success | Stores temporary listing files containing paths of remote Google Drive files to be downloaded\r\nlf | List Failed | Temporary location for failed list commands until they can be retried or cleared\r\nNot all variants of GIMMICK use all directories. For instance, the macOS implant does not use the “df” directory, and it creates, but does not access, the “lf” and “p” directories.\r\nGCDTimerManager manages the various GCD objects that ensure the regular dispatching of work for the implant and holds collections of the dispatch timers along with their corresponding blocks. 
The malware creates several named dispatch queues for managing specific C2-related tasks:\r\nName | Purpose\r\nSendBaseinfoQueue | Regularly generates and sends a system reconnaissance heartbeat message to the C2 containing the following: Hardware UUID; MAC address of the eth0 interface; CPU model string; OS Version string\r\nlist_request_queue | Generates a list request file in the “l” directory containing a path in the format “/\u003cHardwareUUID\u003e”\r\nls_cmd_queue | Parses files from the “ls” directory and for each line, writes a corresponding download command file to the “d” directory\r\nReadCmdQueue | Decrypts and parses files from the “ds” directory, and executes the commands contained within, saving results to the “u” directory\r\nCredsCheck | Checks for timeout of the Google Drive session, and re-authenticates if necessary\r\nDriveClearTrashQueue | Regularly deletes the Google Drive trash file\r\nDriveDownQueue | Parses files stored in the “d” directory, and downloads corresponding files from Google Drive to the “ds” directory\r\nDriveUploadQueue | Uploads feedback files stored in the “u” directory\r\nDriveFailUploadQueue | Second attempt to upload any failed upload items. The second attempt is marked successful regardless of result.\r\nfileListQueue | Parses files stored in the “l” directory and for each, updates the DriveManager’s directory map of the Google Drive, and generates a listing of files to download in the “ls” directory\r\nIn addition, GCDTimerManager uses the static config information decoded during initialization to set a work period for the implant, limiting off-hour connections that might draw defender attention. It parses the work period from the string at the very start of the config data. 
This string starts with a set of single-digit numbers separated by hyphen characters, followed by two colon characters and two two-digit numbers separated again by a hyphen. The first set of numbers indicates the day numbers on which the malware will be active, with day 0 being Sunday. The second set of two-digit numbers indicates the range of active hours. Taking the initial value of “1-2-3-4-5::00-23”, the implant will be active from 12AM to 11PM on weekdays—this is the first data seen in the configuration blob shown in Figure 4.\r\nCommand Lifetime\r\nDue to the asynchronous nature of the malware operation, command execution requires a staged approach. Though the individual steps occur asynchronously, every command follows the same steps:\r\n1. An encrypted payload is uploaded by the attacker to the Google Drive.\r\n2. The dispatch timer on “list_request_queue” triggers.\r\n   - A new request file is written to the “l” directory\r\n3. The dispatch timer on the “fileListQueue” triggers.\r\n   - Reads the list request from the “l” directory\r\n   - Updates the DriveManager state from the Google Drive session\r\n   - Drops a listing file to the “ls” directory\r\n4. The dispatch timer on “ls_cmd_queue” triggers.\r\n   - Parses the listing files from the “ls” directory\r\n   - Drops download command files for each remote file in the “d” directory\r\n   - Deletes listing files from the “ls” directory\r\n5. The dispatch timer on “DriveDownloadQueue” triggers.\r\n   - Enumerates the files in the “d” directory\r\n   - Queues the download of command files to the “ds” directory\r\n   - Queues deletion of the remote Google Drive file and the local download command file after the download is complete\r\n6. 
The dispatch timer on “ReadCmdQueue” triggers.\r\n   - Reads and decrypts command files from the “ds” directory\r\n   - Handles command execution\r\n   - Deletes the local command file\r\n   - Writes encrypted “feedback” files to the “u” directory\r\n7. The dispatch timer on “DriveUploadQueue” triggers.\r\n   - Enumerates the files in the “u” directory\r\n   - Queues the upload of the result files\r\n   - Queues the deletion of local result files once the upload is completed\r\nCommands and Feedback\r\nCommands reach the system as encrypted files in the “ds” directory which, once decrypted with the implant’s static AES key, result in a JSON object. There are only four JSON fields read by the command parser.\r\nName | Type\r\nCMDType | Number\r\ncontent | String\r\nparams | String\r\nsavepath | String\r\nWhile each command JSON must have a CMDType field, the fields required vary from command to command. The table below summarizes the available commands and their required fields.\r\nEnum | Description | Additional Required JSON Fields\r\n0 | Transmit base system information | None\r\n1 | Upload file to C2 | params\r\n2 | Download file to client | content, savepath\r\n3 | Execute a shell command and write output to C2 | params\r\n4 | Set client Google Drive timer interval | params\r\n5 | Set client timer interval for client info heartbeat message | params\r\n6 | Overwrite client work period information | params\r\nFeedback to the C2 is also formatted as JSON, with fields fairly similar to the commands. However, all feedback JSON objects have one additional required field, “uuid”, which is populated with the device’s Hardware UUID.\r\nConclusion\r\nStorm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets. They make use of built-in operating system utilities, open-source tools, and custom malware implants to achieve their objectives. 
Leveraging cloud platforms for C2, such as using Google Drive, increases the likelihood of operating undetected by network monitoring solutions. This is especially true when coupled with the fact that the malware only beacons on victims’ working days.\r\nIrrespective of platform, samples of the GIMMICK malware family are fairly large and complex, which is partly due to the complexity of their asynchronous design, such as the threading and locking mechanisms required. The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile. It is worth noting that Volexity has only ever observed GIMMICK (macOS and Windows) in use by Storm Cloud. However, it is unknown if this malware implant is developed or otherwise used by them exclusively.\r\nTo generally prevent similar attacks from being successful, Volexity recommends the following:\r\n- Regularly audit and monitor persistence locations, such as LaunchAgents and LaunchDaemons on endpoint macOS devices. 
This can be done through an EDR solution and/or with free tools such as BlockBlock and KnockKnock.\r\n- Monitor network traffic for anomalous proxy activity and internal scanning.\r\n- Ensure that XProtect and MRT from Apple are enabled and running on macOS systems.\r\nTo prevent these specific attacks from being successful, Volexity recommends the following:\r\n- Use the rules provided to identify related activity, provided here.\r\nFiles related to this post are provided here.\r\nThis threat activity was detailed to Volexity Threat Intelligence customers in MAR-20220120.\r\nAppendix\r\nThe following resources describe Apple’s Grand Central Dispatch:\r\nhttps://www.amazon.com/dp/099105556X/ref=cm_sw_em_r_mt_dp_RYJ6VS3327WSY7SE551Y?_encoding=UTF8\u0026psc=1 -\u003e ISBN-13: 978-0991055562\r\nhttps://www.amazon.com/dp/0321706250/ref=cm_sw_em_r_mt_dp_7J0VBS0DW5NWAZAFT5ZF -\u003e ISBN-13: 978-0321706256\r\nhttps://www.galloway.me.uk/2012/10/a-look-inside-blocks-episode-1/\r\nhttps://opensource.apple.com/source/libclosure/libclosure-67/BlockImplementation.txt.auto.html\r\nSource: https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/"
	],
	"report_names": [
		"storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos"
	],
	"threat_actors": [
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792125,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14fd8917a4b31953cdcb63e2a686e3fdd7d6139d.pdf",
		"text": "https://archive.orkl.eu/14fd8917a4b31953cdcb63e2a686e3fdd7d6139d.txt",
		"img": "https://archive.orkl.eu/14fd8917a4b31953cdcb63e2a686e3fdd7d6139d.jpg"
	}
}