{
	"id": "c806fa7f-7602-4bf8-bcc3-562319822065",
	"created_at": "2026-04-06T00:12:43.898646Z",
	"updated_at": "2026-04-10T03:32:26.682173Z",
	"deleted_at": null,
	"sha1_hash": "46281418673db65e56d79a247aea2b1a414ef166",
	"title": "I see what you did there: A look at the CloudMensis macOS spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3042940,
	"plain_text": "I see what you did there: A look at the CloudMensis macOS spyware\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 22:29:48 UTC\r\nIn April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the\r\ncompromised Mac and exclusively uses public cloud storage services to communicate back and forth with its\r\noperators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators\r\nis to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.\r\nApple has recently acknowledged the presence of spyware targeting users of its products and is previewing\r\nLockdown Mode on iOS, iPadOS and macOS, which disables features frequently exploited to gain code execution\r\nand deploy malware. Although not the most advanced malware, CloudMensis may be one of the reasons some users\r\nwould want to enable this additional defense. Disabling entry points, at the expense of a less fluid user experience,\r\nsounds like a reasonable way to reduce the attack surface.\r\nThis blogpost describes the different components of CloudMensis and their inner workings.\r\nCloudMensis overview\r\nCloudMensis is malware for macOS developed in Objective-C. Samples we analyzed are compiled for both Intel and\r\nApple silicon architectures. We still do not know how victims are initially compromised by this threat. However, we\r\nunderstand that when code execution and administrative privileges are gained, what follows is a two-stage process\r\n(see Figure 1), where the first stage downloads and executes the more featureful second stage. Interestingly, this\r\nfirst-stage malware retrieves its next stage from a cloud storage provider. It doesn’t use a publicly accessible link; it\r\nincludes an access token to download the MyExecute file from the drive. 
In the sample we analyzed, pCloud was\r\nused to store and deliver the second stage.\r\nhttps://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\r\nPage 1 of 15\n\nFigure 1. Outline of how CloudMensis uses cloud storage services\r\nArtifacts left in both components suggest they are called execute and Client by their authors, the former being the\r\ndownloader and the latter the spy agent. Those names are found both in the objects’ absolute paths and ad hoc\r\nsignatures.\r\nFigure 2. Partial strings and code signature from the downloader component, execute\r\nFigure 3. Partial strings and code signature from the spy agent component, Client\r\nFigures 2 and 3 also show what appear to be internal names of the components of this malware: the project seems to\r\nbe called BaD and interestingly resides in a subdirectory named LeonWork. Further, v29 suggests this sample is\r\nversion 29, or perhaps 2.9. This version number is also found in the configuration filename.\r\nThe downloader component\r\nThe first-stage malware downloads and installs the second-stage malware as a system-wide daemon. As seen in\r\nFigure 4, two files are written to disk:\r\n1. /Library/WebServer/share/httpd/manual/WindowServer: the second-stage Mach-O executable, obtained from\r\nthe pCloud drive\r\n2. /Library/LaunchDaemons/.com.apple.WindowServer.plist: a property list file to make the malware persist as\r\na system-wide daemon\r\nAt this stage, the attackers must already have administrative privileges because both directories can only be modified\r\nby the root user.\r\nFigure 4. 
CloudMensis downloader installing the second stage\r\nCleaning up after usage of a Safari exploit\r\nThe first-stage component includes an interesting method called removeRegistration that seems to be present to\r\nclean up after a successful Safari sandbox escape exploit. A first glance at this method is a bit puzzling considering\r\nthat the things it does seem unrelated: it deletes a file called root from the EFI system partition (Figure 5), sends an\r\nXPC message to speechsynthesisd (Figure 6), and deletes files from the Safari cache directory. We initially thought\r\nthe purpose of removeRegistration was to uninstall previous versions of CloudMensis, but further research showed\r\nthat these files are used to launch sandbox and privilege escalation exploits from Safari while abusing four\r\nvulnerabilities. These vulnerabilities were discovered and well documented by Niklas Baumstark and Samuel Groß\r\nin 2017. All four were patched by Apple the same year, so this distribution technique is probably not used to install\r\nCloudMensis anymore. This could explain why this code is no longer called. It also suggests that CloudMensis may\r\nhave been around for many years.\r\nFigure 5. Decompiled code showing CloudMensis mounting the EFI partition\r\nFigure 6. Sending an XPC message to speechsynthesisd\r\nThe spy agent component\r\nThe second stage of CloudMensis is a much larger component, packed with a number of features to collect\r\ninformation from the compromised Mac. The intention of the attackers here is clearly to exfiltrate documents,\r\nscreenshots, email attachments, and other sensitive data.\r\nCloudMensis uses cloud storage both for receiving commands from its operators and for exfiltrating files. It supports\r\nthree different providers: pCloud, Yandex Disk, and Dropbox. 
The configuration included in the analyzed sample\r\ncontains authentication tokens for pCloud and Yandex Disk.\r\nConfiguration\r\nOne of the first things the CloudMensis spy agent does is load its configuration. This is a binary structure that is\r\n14,972 bytes long. It is stored on disk at ~/Library/Preferences/com.apple.iTunesInfo29.plist, encrypted using a\r\nsimple XOR with a generated key (see the Custom encryption section).\r\nIf this file does not already exist, the configuration is populated with default values hardcoded in the malware\r\nsample. It also tries to import values from what seem to be previous versions of the CloudMensis\r\nconfiguration at:\r\n~/Library/Preferences/com.apple.iTunesInfo28.plist\r\n~/Library/Preferences/com.apple.iTunesInfo.plist\r\nThe configuration contains the following:\r\nWhich cloud storage providers to use and authentication tokens\r\nA randomly generated bot identifier\r\nInformation about the Mac\r\nPaths to various directories used by CloudMensis\r\nFile extensions that are of interest to the operators\r\nThe default list of file extensions found in the analyzed sample, pictured in Figure 7, shows that operators are\r\ninterested in documents, spreadsheets, audio recordings, pictures, and email messages from the victims’ Macs. The\r\nmost uncommon format is perhaps audio recordings using the Adaptive Multi-Rate codec (using the .amr and .3ga\r\nextensions), which is specifically designed for speech compression. Other interesting file extensions in this list are\r\n.hwp and .hwpx files, which are documents for Hangul Office (now Hancom Office), a popular word processor\r\namong Korean speakers.\r\nFigure 7. File extensions found in the default configuration of CloudMensis\r\nCustom encryption\r\nCloudMensis implements its own encryption function that its authors call FlowEncrypt. 
Figure 8 shows the\r\ndisassembled function. It takes a single byte as a seed and generates the rest of the key by performing a series of\r\noperations on the most recently generated byte. The input is XORed with this keystream. Because each new byte depends\r\nonly on the previous one, there are at most 256 possible states, so the current byte’s value will eventually repeat one of\r\nits previous values and the keystream will loop. This means that even though the cipher seems complex, it can be\r\nsimplified to an XOR with a static key (except for the first few bytes of the keystream, before it starts looping).\r\nFigure 8. Disassembled FlowEncrypt method\r\nBypassing TCC\r\nSince the release of macOS Mojave (10.14) in 2018, access to some sensitive inputs, such as screen captures,\r\ncameras, microphones and keyboard events, is protected by a system called TCC, which stands for Transparency,\r\nConsent, and Control. When an application tries to access one of these functions, macOS prompts the user, who can\r\ngrant or refuse access. Ultimately, TCC rules are saved into a database on the Mac. This database is protected by\r\nSystem Integrity Protection (SIP) to ensure that only the TCC daemon can make any changes.\r\nCloudMensis uses two techniques to bypass TCC (thus avoiding prompting the user), thereby gaining access to the\r\nscreen, being able to scan removable storage for documents of interest, and being able to log keyboard events. If SIP\r\nis disabled, the TCC database (TCC.db) is no longer protected against tampering. Thus, in this case CloudMensis\r\nadds entries to grant itself permissions before using sensitive inputs. 
If SIP is enabled but the Mac is running any\r\nversion of macOS Catalina earlier than 10.15.6, CloudMensis will exploit a vulnerability to make the TCC daemon\r\n(tccd) load a database CloudMensis can write to. This vulnerability is known as CVE-2020-9934 and was reported\r\nand described by Matt Shockley in 2020.\r\nThe exploit first creates a new database under\r\n~/Library/Application Support/com.apple.spotlight/Library/Application Support/com.apple.TCC/ unless it was already\r\ncreated, as shown in Figure 9.\r\nFigure 9. Checking if the illegitimate TCC database file already exists\r\nThen, it sets the HOME environment variable to ~/Library/Application Support/com.apple.spotlight using launchctl\r\nsetenv, so that the TCC daemon loads the alternate database instead of the legitimate one. Figure 10 shows how it is\r\ndone using NSTask.\r\nFigure 10. Mangling the HOME environment variable used by launchd with launchctl and restarting tccd\r\nCommunication with the C\u0026C server\r\nTo communicate back and forth with its operators, the CloudMensis configuration contains authentication tokens to\r\nmultiple cloud service providers. Each entry in the configuration is used for a different purpose. All of them can use\r\nany provider supported by CloudMensis. In the analyzed sample, Dropbox, pCloud, and Yandex Disk are supported.\r\nThe first store, called CloudCmd by the malware authors according to the global variable name, is used to hold\r\ncommands transmitted to bots and their results. Another, which they call CloudData, is used to exfiltrate information\r\nfrom the compromised Mac. 
A third one, which they call CloudShell, is used for storing shell command output.\r\nHowever, this last one uses the same settings as CloudCmd.\r\nBefore it tries fetching remote files, CloudMensis first uploads an RSA-encrypted report about the compromised\r\nMac to /January/ on CloudCmd. This report includes shared secrets such as a bot identifier and a password to\r\ndecrypt to-be-exfiltrated data.\r\nThen, to receive commands, CloudMensis fetches files under the following directory in the CloudCmd storage:\r\n/Febrary/\u003cbot_id\u003e/May/. Each file is downloaded, decrypted, and dispatched to the AnalizeCMDFileName method.\r\nNotice how both February and Analyze are spelled incorrectly by the malware authors.\r\nThe CloudData storage is used to upload larger files requested by the operators. Before the upload, most files are\r\nadded to a password-protected ZIP archive. Generated when CloudMensis is first launched, the password is kept in\r\nthe configuration, and transferred to the operators in the initial report.\r\nCommands\r\nThere are 39 commands implemented in the analyzed CloudMensis sample. They are identified by a number\r\nbetween 49 and 93 inclusive, excluding 57, 78, 87, and 90 to 92. 
Some commands require additional arguments.\r\nCommands allow the operators to perform actions such as:\r\nChange values in the CloudMensis configuration: cloud storage providers and authentication tokens, file\r\nextensions deemed interesting, polling frequency of cloud storage, etc.\r\nList running processes\r\nStart a screen capture\r\nList email messages and attachments\r\nList files from removable storage\r\nRun shell commands and upload output to cloud storage\r\nDownload and execute arbitrary files\r\nFigure 11 shows the command with identifier 84, which lists all jobs loaded by launchd and uploads the results now or\r\nlater, depending on the value of its argument.\r\nFigure 11. Command 84 runs launchctl list to get launchd jobs\r\nFigure 12 shows a more complex example. The command with identifier 60 launches a screen capture. If the\r\nfirst argument is 1, the second argument is a URL to a file that will be downloaded, stored, and executed by\r\nstartScreenCapture. This external executable file will be saved as windowserver in the Library folder of FaceTime’s\r\nsandbox container. If the first argument is zero, it will launch the existing file previously dropped. We could not find\r\nsamples of this screen capture agent.\r\nFigure 12. Command 60: Start a screen capture\r\nIt’s interesting to note that property list files to make launchd start new processes, such as\r\ncom.apple.windowServer.plist, are not persistent: they are deleted from disk after they are loaded by launchd.\r\nMetadata from the cloud storage accounts used by CloudMensis reveals interesting details about the operation. 
Figure 13\r\nshows the tree view of the storage used by CloudMensis to send the initial report and to transmit commands to the\r\nbots as of April 22nd, 2022.\r\nFigure 13. Tree view of the directory listing from the CloudCmd storage\r\nThis metadata gave partial insight into the operation and helped draw a timeline. First, the pCloud accounts were\r\ncreated on January 19th, 2022. The directory listing from April 22nd shows that 51 unique bot identifiers created\r\nsubdirectories in the cloud storage to receive commands. Because these directories are created when the malware is\r\nfirst launched, we can use their creation date to determine the date of the initial compromise, as seen in Figure 14.\r\nFigure 14. Subdirectory creation dates under /Febrary (sic)\r\nThis chart shows a spike of compromises in early March 2022, with the first being on February 4th. The last spike\r\nmay be explained by sandboxes running CloudMensis, once it was uploaded to VirusTotal.\r\nConclusion\r\nCloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted\r\noperation. From what we have seen, operators of this malware family deploy CloudMensis to specific targets that are\r\nof interest to them. Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are\r\nactively trying to maximize the success of their spying operations. At the same time, no undisclosed vulnerabilities\r\n(zero-days) were found to be used by this group during our research. Thus, running an up-to-date Mac is\r\nrecommended to avoid, at least, the mitigation bypasses.\r\nWe still do not know how CloudMensis is initially distributed and who the targets are. 
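For responders who want to check a Mac for the artifacts described in this post, here is a small Python triage script. It is an added example, not ESET's tooling and not code from the malware: it looks for the downloader's two root-owned files, the per-user paths from the IoC list below, and the two TCC-bypass indicators discussed above, namely a database under the com.apple.spotlight directory (assumed to be named TCC.db, like the legitimate one) and a HOME variable in launchd's environment that points at that directory (read with the real launchctl getenv subcommand). The check functions take the filesystem predicate and the HOME value as parameters so they can be exercised offline with constructed data.

```python
# Added example (not ESET's code): triage a Mac for the CloudMensis artifacts
# described in the post. Every path below comes from the post's IoC list and
# its TCC-bypass description; the check functions take the filesystem and
# the launchd HOME value as parameters so they can be run offline on fake data.
import os
import subprocess
from typing import Callable, Dict, List, Optional

HOME = os.path.expanduser('~')

# Files written by the downloader. Both live in root-owned directories, and a
# dot-prefixed plist in /Library/LaunchDaemons is suspicious on its own.
DOWNLOADER_PATHS = [
    '/Library/WebServer/share/httpd/manual/WindowServer',
    '/Library/LaunchDaemons/.com.apple.WindowServer.plist',
]

# Per-user paths: the encrypted configuration (current and older versions)
# and the helper payload locations listed in the IoC section.
USER_PATHS = [
    'Library/Preferences/com.apple.iTunesInfo29.plist',
    'Library/Preferences/com.apple.iTunesInfo28.plist',
    'Library/Preferences/com.apple.iTunesInfo.plist',
    'Library/Containers/com.apple.FaceTime/Data/Library/windowserver',
    'Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding',
    'Library/Containers/com.apple.languageassetd/loginwindow',
    'Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep',
]

# CVE-2020-9934: tccd resolved its database relative to HOME, so the malware
# pointed launchd's HOME at this directory and dropped its own database there.
# The file name TCC.db is an assumption (it is what the legitimate one is called).
FAKE_HOME = 'Library/Application Support/com.apple.spotlight'
FAKE_TCC_DB = FAKE_HOME + '/Library/Application Support/com.apple.TCC/TCC.db'


def find_artifacts(exists: Callable[[str], bool], home: str = HOME) -> List[str]:
    '''Return the absolute IoC paths that exist according to the exists() predicate.'''
    candidates = DOWNLOADER_PATHS + [os.path.join(home, p) for p in USER_PATHS]
    candidates.append(os.path.join(home, FAKE_TCC_DB))
    return [p for p in candidates if exists(p)]


def launchd_home() -> str:
    '''HOME as seen by launchd (which tccd inherits); empty string if unavailable.'''
    try:
        out = subprocess.run(['launchctl', 'getenv', 'HOME'],
                             capture_output=True, text=True, timeout=5)
        return out.stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return ''


def home_redirected(launchd_home_value: str, home: str = HOME) -> bool:
    '''True when launchd's HOME points at the spotlight directory used by the bypass.'''
    if not launchd_home_value:
        return False
    expected = os.path.normpath(os.path.join(home, FAKE_HOME))
    return os.path.normpath(launchd_home_value) == expected


def triage(exists: Callable[[str], bool] = os.path.exists,
           launchd_home_value: Optional[str] = None,
           home: str = HOME) -> Dict[str, object]:
    '''Combine both checks; parameters default to the live system.'''
    if launchd_home_value is None:
        launchd_home_value = launchd_home()
    hits = find_artifacts(exists, home)
    redirected = home_redirected(launchd_home_value, home)
    return {
        'artifacts': hits,
        'home_redirected': redirected,
        'suspicious': bool(hits) or redirected,
    }


if __name__ == '__main__':
    result = triage()
    for path in result['artifacts']:
        print('artifact present:', path)
    if result['home_redirected']:
        print('launchd HOME points at the spotlight directory (TCC bypass indicator)')
    if not result['suspicious']:
        print('no CloudMensis indicators found')
```

Run it as the logged-in user on the Mac under investigation. On a system patched past 10.15.6 a hit on either TCC indicator means leftovers of an earlier compromise rather than a working bypass, but it still warrants a full investigation of the host.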
The general quality of the\r\ncode and the lack of obfuscation suggest that the authors may not be very familiar with Mac development and are not\r\nvery advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to\r\npotential targets.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Description | ESET detection name\r\nD7BF702F56CA53140F4F03B590E9AFCBC83809DB | mdworker3 | Downloader (execute) | OSX/CloudMensis.A\r\n0AA94D8DF1840D734F25426926E529588502BC08 | WindowServer, myexe | Spy agent (Client) | OSX/CloudMensis.A\r\nC3E48C2A2D43C752121E55B909FC705FE4FDAEF6 | WindowServer, MyExecute | Spy agent (Client) | OSX/CloudMensis.A\r\nPublic key\r\n-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsGRYSEVvwmfBFNBjOz+Q\r\npax5rzWf/LT/yFUQA1zrA1njjyIHrzphgc9tgGHs/7tsWp8e5dLkAYsVGhWAPsjy\r\n1gx0drbdMjlTbBYTyEg5Pgy/5MsENDdnsCRWr23ZaOELvHHVV8CMC8Fu4Wbaz80L\r\nGhg8isVPEHC8H/yGtjHPYFVe6lwVr/MXoKcpx13S1K8nmDQNAhMpT1aLaG/6Qijh\r\nW4P/RFQq+Fdia3fFehPg5DtYD90rS3sdFKmj9N6MO0/WAVdZzGuEXD53LHz9eZwR\r\n9Y8786nVDrlma5YCKpqUZ5c46wW3gYWi3sY+VS3b2FdAKCJhTfCy82AUGqPSVfLa\r\nmQIDAQAB\r\n-----END PUBLIC KEY-----\r\nPaths used\r\n/Library/WebServer/share/httpd/manual/WindowServer\r\n/Library/LaunchDaemons/.com.apple.WindowServer.plist\r\n~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver\r\n~/Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding\r\n~/Library/Containers/com.apple.languageassetd/loginwindow\r\n~/Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1543.004 | Create or Modify System Process: Launch Daemon | The CloudMensis downloader installs the second stage as a system-wide daemon.\r\nDefense Evasion | T1553 | Subvert Trust Controls | CloudMensis tries to bypass TCC if possible.\r\nCollection | T1560.002 | Archive Collected Data: Archive via Library | CloudMensis uses SSZipArchive to create a password-protected ZIP archive of data to exfiltrate.\r\nCollection | T1056.001 | Input Capture: Keylogging | CloudMensis can capture and exfiltrate keystrokes.\r\nCollection | T1113 | Screen Capture | CloudMensis can take screen captures and exfiltrate them.\r\nCollection | T1005 | Data from Local System | CloudMensis looks for files with specific extensions.\r\nCollection | T1025 | Data from Removable Media | CloudMensis can search removable media for interesting files upon their connection.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | CloudMensis searches for interesting email messages and attachments from Mail.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | The CloudMensis initial report is encrypted with a public RSA-2048 key.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | CloudMensis encrypts exfiltrated files using password-protected ZIP archives.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | CloudMensis uses Dropbox, pCloud, or Yandex Disk for C\u0026C communication.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | CloudMensis exfiltrates files to Dropbox, pCloud, or Yandex Disk.\r\nSource: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
	],
	"report_names": [
		"i-see-what-you-did-there-look-cloudmensis-macos-spyware"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46281418673db65e56d79a247aea2b1a414ef166.pdf",
		"text": "https://archive.orkl.eu/46281418673db65e56d79a247aea2b1a414ef166.txt",
		"img": "https://archive.orkl.eu/46281418673db65e56d79a247aea2b1a414ef166.jpg"
	}
}