{
	"id": "76d5b921-1998-4eb8-815c-7ca89d22c71d",
	"created_at": "2026-04-06T00:15:06.764227Z",
	"updated_at": "2026-04-10T13:11:33.797477Z",
	"deleted_at": null,
	"sha1_hash": "174795b9495b8104ee262d43fbcb142505b21789",
	"title": "GIMMICK Malware Attacks macOS to Attack Organizations Across Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1230978,
	"plain_text": "GIMMICK Malware Attacks macOS to Attack Organizations Across Asia\r\nBy Guru Baran\r\nPublished: 2022-03-24 · Archived: 2026-04-05 18:15:38 UTC\r\nA Chinese espionage threat actor known for attacking organizations across Asia has been linked to a new malware implant for macOS devices.\r\nCybersecurity firm Volexity detected the intrusion late in 2021 through its Network Security Monitoring service. Volexity attributes the attacks to a group it tracks as Storm Cloud and has named the malware “GIMMICK.”\r\nDuring the intrusion investigation, the implant was recovered through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur). Volexity has since encountered several further instances of the malware family.\r\nGIMMICK is a multi-platform malware family that uses Google Drive, a public cloud hosting service, for command and control (C2).\r\nThe Windows versions are written in .NET and Delphi, while the newly identified macOS variant is written mostly in Objective-C.\r\nhttps://cybersecuritynews.com/gimmick-malware-attacks/\r\nPage 1 of 4\r\nVolexity tracks the malware under the same name regardless of the programming language used or the operating system targeted, because of the following shared traits:-\r\nC2 architecture.\r\nFile paths.\r\nBehavioral patterns used by all variants.\r\nVolexity researchers Damien Cash, Steven Adair, and Thomas Lancaster stated:-\r\n“Storm Cloud is an advanced and versatile threat actor, adapting its toolset to match different operating systems used by its targets.”\r\nTo blend in with the target’s network traffic, GIMMICK communicates with its Google Drive-powered C2 server only during working hours and on working days. As part of Volexity’s work with Apple, all macOS users now have protection against GIMMICK malware. 
\r\nStartup \u0026 Initialization\r\nOnce deployed on an infected system, GIMMICK can run either as an ‘application’ or as a ‘daemon’, and it is designed to mimic the behavior of a program commonly used by the targeted user.\r\nVolexity has observed that the Windows variant of GIMMICK has no concept of setting its own persistence.\r\nAs noted above, to blend in with the network traffic of the target environment the implant only contacts its Google Drive C2 server on working days.\r\nThe embedded configuration is decoded in stages. The first decoding loop yields a JSON object containing the OAuth2 credentials used to access Google Drive. The second stage decodes a 32-byte string, which is then passed through a third conversion stage: two characters at a time are converted to their numeric value and the resulting byte is written to a buffer (in effect, a hex decode).\r\nThe final decoding produces a 200-byte binary blob of configuration data in which only a few, partly overlapping, data boundaries are discernible. 
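The working-hours-only Google Drive beaconing described above defeats the usual off-hours alert, so a hunt has to key on which process owns the Drive API traffic rather than on when it happens. The following Python is an added example written for this page; it is not code from the article or from Volexity. The proxy log format, the process allowlist and the process name Calendar Helper are all constructed for the example:

```python
# Added example (not from the article or Volexity): hunting GIMMICK-style
# Google Drive C2 in proxy logs, and showing why a time-of-day rule misses it.
from collections import defaultdict
from datetime import datetime

# Processes that legitimately talk to the Google Drive API on a managed Mac.
# Assumption for the example: tune this to your own fleet.
DRIVE_ALLOWLIST = {'Google Chrome', 'Safari', 'Google Drive', 'Backup and Sync'}

# Host and path prefixes that carry Drive API traffic, i.e. the C2 channel
# the article describes. The googleapis prefixes cover both v2 and v3.
DRIVE_MARKERS = ('www.googleapis.com/drive/',
                 'www.googleapis.com/upload/drive/',
                 'drive.google.com/')

# Constructed sample log, one request per line: ISO timestamp, client host,
# owning process (as an endpoint agent would report it), method, URL.
# Process names use underscores because this toy format has no quoting.
# Calendar_Helper is an invented name standing in for an implant that
# masquerades as an application the user normally runs.
SAMPLE_LOG = '''
2021-11-15T09:12:04 mbp-finance-02 Google_Chrome GET https://www.googleapis.com/drive/v3/files?q=name+contains+%27report%27
2021-11-15T09:41:33 mbp-finance-02 Calendar_Helper GET https://www.googleapis.com/drive/v3/files?q=%27root%27+in+parents
2021-11-15T10:41:35 mbp-finance-02 Calendar_Helper POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
2021-11-16T11:41:40 mbp-finance-02 Calendar_Helper GET https://www.googleapis.com/drive/v3/files/1AbC/?alt=media
2021-11-17T14:41:31 mbp-finance-02 Calendar_Helper GET https://www.googleapis.com/drive/v3/files?q=%27root%27+in+parents
2021-11-18T16:41:36 mbp-finance-02 Calendar_Helper POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
2021-11-19T15:41:31 mbp-finance-02 Calendar_Helper GET https://www.googleapis.com/drive/v3/files?q=%27root%27+in+parents
2021-11-16T02:13:09 mbp-finance-02 Google_Drive GET https://www.googleapis.com/drive/v3/changes?pageToken=123
2021-11-20T10:05:12 mbp-finance-02 Google_Chrome GET https://drive.google.com/drive/my-drive
2021-11-21T23:58:00 mbp-finance-02 Google_Drive POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable
2021-11-15T09:12:04 mbp-finance-02 Google_Chrome GET https://www.example.com/
'''


def parse_line(line):
    # Split into the five fixed fields; the URL is last and may contain anything.
    ts, host, proc, method, url = line.split(' ', 4)
    return {'ts': datetime.fromisoformat(ts), 'host': host,
            'process': proc.replace('_', ' '), 'method': method, 'url': url}


def is_drive_api(url):
    # Drop the scheme and compare host+path against the Drive prefixes.
    stripped = url.split('://', 1)[-1]
    return any(stripped.startswith(m) for m in DRIVE_MARKERS)


def business_hours(ts):
    # Monday to Friday, 08:00 to 18:00 local time: the window GIMMICK keeps to.
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def summarize(log_text):
    # Per (host, process): request count, business-hours count, days seen, methods.
    stats = defaultdict(lambda: {'requests': 0, 'business_hours': 0,
                                 'days': set(), 'methods': set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if not is_drive_api(rec['url']):
            continue
        s = stats[(rec['host'], rec['process'])]
        s['requests'] += 1
        s['business_hours'] += int(business_hours(rec['ts']))
        s['days'].add(rec['ts'].date())
        s['methods'].add(rec['method'])
    return stats


def find_suspicious(log_text, allowlist=DRIVE_ALLOWLIST):
    # Any process outside the allowlist that talks to the Drive API is a finding;
    # the extra fields help triage (daily cadence, upload+download, timing).
    findings = []
    for (host, process), s in summarize(log_text).items():
        if process in allowlist:
            continue
        findings.append({
            'host': host,
            'process': process,
            'requests': s['requests'],
            'distinct_days': len(s['days']),
            'bidirectional': {'GET', 'POST'} <= s['methods'],
            'off_hours_requests': s['requests'] - s['business_hours'],
        })
    return findings


def off_hours_rule(log_text):
    # The naive rule: alert on any Drive API request outside business hours.
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if is_drive_api(rec['url']) and not business_hours(rec['ts']):
            hits.append(rec['process'])
    return hits


if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
    print('off-hours rule fires on:', off_hours_rule(SAMPLE_LOG))
```

On the sample data the off-hours rule fires only on legitimate clients (the Drive sync client at night, a browser on the weekend) and never on the implant, whereas the per-process view surfaces an unknown process that reaches the Drive API on every working day of the week with both uploads and downloads. Process attribution needs an endpoint source (an EDR or a proxy agent); on a bare proxy log you would have to fall back to the User-Agent header, which an implant can forge just as easily as it chooses its process name.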
\r\nIn addition to retrieving arbitrary files and executing commands from the C2 server, the backdoor has its own uninstall feature that lets it remove itself from the compromised machine.\r\nCustom Objective-C classes of GIMMICK\r\nGIMMICK implements three custom Objective-C classes:-\r\nDriveManager\r\nFileManager\r\nGCDTimerManager\r\nRecommendations\r\nTo prevent similar attacks, Volexity recommends the following mitigations:-\r\nAudit and monitor persistence locations.\r\nMonitor network traffic for anomalous proxy activity and internal scanning.\r\nOn macOS systems, make sure Apple’s XProtect and MRT (Malware Removal Tool) are enabled.\r\nUse complex passwords.\r\nEnable multi-factor authentication.\r\nSource: https://cybersecuritynews.com/gimmick-malware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybersecuritynews.com/gimmick-malware-attacks/"
	],
	"report_names": [
		"gimmick-malware-attacks"
	],
	"threat_actors": [
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/174795b9495b8104ee262d43fbcb142505b21789.pdf",
		"text": "https://archive.orkl.eu/174795b9495b8104ee262d43fbcb142505b21789.txt",
		"img": "https://archive.orkl.eu/174795b9495b8104ee262d43fbcb142505b21789.jpg"
	}
}