{
	"id": "ecd9da25-6747-432f-90bb-7bd6d4bafd02",
	"created_at": "2026-04-10T03:19:56.645488Z",
	"updated_at": "2026-04-10T03:22:17.619072Z",
	"deleted_at": null,
	"sha1_hash": "6c1fc11dd08c7ff8e96dfeeb8d09ca60c8cdeb80",
	"title": "How SysJoker and DazzleSpy Malware Target macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5754156,
	"plain_text": "How SysJoker and DazzleSpy Malware Target macOS\r\nBy Phil Stokes\r\nPublished: 2022-02-01 · Archived: 2026-04-10 02:13:24 UTC\r\nAs last year closed out, we provided a round-up of the previous 12 months of Mac malware, making the observation that,\r\namong other things, 2021’s macOS malware cohort saw a focus on spyware and the targeting of users in Asia, particularly\r\nChina and Hong Kong. The first month of 2022 has seen those trends continue with two new malware campaigns discovered\r\nin January, namely SysJoker and DazzleSpy.\r\nIn this post, we give brief overviews of these two new malware families, offering both additional details not previously\r\nreported along with indicators for detection and threat hunting.\r\nSysJoker (11th Jan, 2022)\r\nThe first new Mac malware report of 2022 came courtesy of researchers at Intezer in the form of a threat they dubbed\r\nSysJoker, which comes in Windows, Linux and macOS variants. Researchers say that the Linux version was found in-the-wild infecting a server belonging to “a leading educational institution”.\r\nThe Mac-specific variant of this malware is a Universal binary named types-config.ts, compiled for both Intel x86 and\r\nApple silicon M1 arm64 architectures.\r\nUpon execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service\r\n~/Library/LaunchAgents/com.apple.update.plist.\r\nhttps://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/\r\nPage 1 of 8\n\nPersistence mechanism used by SysJoker malware on macOS\r\nThe fake service targets an executable called ~/Library/MacOsServices/updateMacOs. This file is also written by the\r\ntypes-config.ts file and is in fact a straight copy of itself. 
The SentinelOne agent captures the chain of execution and\r\ndisplays it in the Management console for easy pivoting and threat hunting.\r\nOSX.SysJoker backdoor execution chain as captured by the SentinelOne agent\r\nThe malware is written in C++ and much of the initial action occurs in the entry.init0 function. Using r2, we can get a\r\nquick summary of the function’s important strings.\r\nSome of the embedded strings in the SysJoker binary\r\nThe “drive.google.com” address delivers a file “domain.txt” that contains an obfuscated domain name address. The key\r\nshown above at address 0x1000139e2 is used to decode the contents of “domain.txt”, which turns out to be the DNS\r\naddress “graphic-updater.com”.\r\nOther hardcoded strings are then concatenated with the decoded DNS address to form a full C2.\r\nThe C2 address is determined on-the-fly during execution\r\nWe note that SysJoker has a peculiarity that, to our knowledge, has not been described by other researchers. In our tests, if\r\nthe malware is run as root when the path\r\n/Users/root/Library/SystemNetwork\r\ndoes not exist, the malware will abort.\r\nThat’s an unusual path, as the root user on macOS typically exists under /var/root, not /Users/root.\r\nWhether this is an oversight or a peculiarity of SysJoker’s intended target is unclear. At this point, we have no explanation\r\nfor this behaviour, but merely note that if /Users/root does exist, then the malware executes as expected, and drops the\r\ncomponents under that file path hierarchy.\r\nSysJoker uses an unorthodox path for a macOS root user\r\nAccording to previous researchers who also analyzed the Windows and Linux variants, SysJoker’s primary purpose is to\r\nawait commands from the C2. We, and our sample, did indeed wait, but the C2 appeared to be uninterested in talking to\r\neither of us. 
Intezer has more details on the backdoor’s functionality.\r\nHow To Protect Against OSX.SysJoker\r\nThe SentinelOne Singularity platform fully detects OSX.SysJoker.\r\nSentinelOne detects SysJoker on execution\r\nAside from the one reported in-the-wild incident against a “leading educational institution”, it is unclear at this time how\r\nSysJoker is distributed, who it targets, or what the authors’ objectives are. However, the cross-platform nature of the\r\nmalware suggests that it may be part of a wider campaign, and it is imperative that organizations have a capable multi-engined security solution in place to defend against these kinds of attacks.\r\nDazzleSpy (25th Jan)\r\nOSX.DazzleSpy was discovered by ESET researchers following the same trail as Google’s Project Zero from a poisoned\r\nwatering hole targeting Hong Kong pro-democracy activists. Whereas Google’s investigation led them to macOS.Macma,\r\nresearchers Marc L’Etienne and Anton Cherepanov caught a quite different payload.\r\nOSX.DazzleSpy comes in the form of an unsigned, Mach-O file compiled for Intel x86 architecture, although it’s perfectly\r\npossible that undiscovered ARM versions exist as well.\r\nOn execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service at\r\n~/Library/LaunchAgents/com.apple.softwareupdate. This fake service targets an executable called “softwareupdate”\r\nwritten inside a hidden folder of the user’s home folder, ~/.local/softwareupdate.\r\nDazzleSpy LaunchAgent property list for persistence\r\nThe executable “softwareupdate” contains a mixture of public and private frameworks. 
On the public side, the malware\r\nauthors have adopted the tonymillion Reachability framework to determine network connections, YYModel for efficient\r\nparsing of JSON data, and GCDAsyncSocket to handle TCP/IP socket networking tasks. A date comparison method, +\r\n(int)compareOneDay:(NSDate *)oneDay withAnotherDay:(NSDate *)anotherDay, also appears to have been lifted from a\r\nChinese-language programming forum.\r\nDazzleSpy contains a mix of public and private frameworks and methods\r\nFor functionality, DazzleSpy contains code for searching and writing files, exfiltrating environmental info, dumping the\r\nkeychain, running a remote desktop and running shell commands, among others.\r\nA number of methods are run as shell commands via NSTask APIs\r\nDazzleSpy collects and drops a number of other files in the hidden ~/.local directory related to espionage and data\r\ncollection.\r\nSome of the hardcoded paths found in the DazzleSpy executable\r\n~/.local/softwareupdate\r\n~/.local/security/keystealDaemon\r\n~/.local/security.zip\r\n~/.local/SearchFiles\r\n~/.local/RecoveryFiles\r\n~/.local/security\r\nAlthough we only saw the first of these files dropped in our tests, analysis of the static code suggests that another hidden\r\ndirectory, .Documenty, may also be used by the malware.\r\nA path we didn’t see on execution, but potentially useful for hunting\r\nThe authors appear to have been careless (or perhaps deliberate!) in leaving artifacts from the development environment. 
As\r\nnoted by ESET, one user name embedded in the malware is “wangping”, but we also note two others: “wp” and “XpathX”.\r\nUsernames found embedded in the DazzleSpy binary\r\nOf these, “XpathX” seems to have a number of paths typical of an active user, but why these should have found their way\r\ninto the code is both mysterious and suspicious.\r\nMultiple paths for user “XpathX” are embedded in DazzleSpy\r\nThere’s no obvious mechanism that would easily result in those being embedded accidentally, and one could be forgiven for\r\nthinking that these paths were deliberately placed. We might also wonder about the authenticity of other paths such as\r\n/Users/wangping/pangu/.\r\nHow To Protect Against OSX.DazzleSpy\r\nOSX.DazzleSpy, like macOS.Macma before it, appears to be aimed at visitors to certain websites holding content about, or\r\nof interest to, Hong Kong pro-democracy activists and activism. Although that is a small demographic, the threat actors also\r\nexploited a (now-patched) local privilege escalation, CVE-2021-30869, to run the payload as root.\r\nSentinelOne’s behavioral engine detects OSX.DazzleSpy on execution. In order to prevent infections like DazzleSpy, be\r\nsure to install a good behavioral AI engine that can recognize novel threats based on what they do. 
Legacy AV scanners that\r\nrely on known signatures or cloud reputation services alone will not be able to stop threats that have not previously been\r\ndetected in the wild.\r\nSentinelOne detects OSX.DazzleSpy on execution\r\nAdmin users can view details including threat indicators in the Management console and pivot directly from there to Deep\r\nVisibility for extended threat hunting across the estate if required.\r\nThe SentinelOne behavioral AI catches the malware attempting persistence\r\nConclusion\r\nThese two new Mac malware families continue trends we noted previously in macOS malware. DazzleSpy’s use of\r\nvulnerabilities is a clear warning to those that continue to insist Mac users cannot get malware if they engage in “safe\r\nbehavior”: such a stance does not match today’s threatscape.\r\nMeanwhile, SysJoker’s cross-platform backdoor functionality shows that threat actors are factoring in Mac targets along\r\nwith Windows and Linux as they develop new ways to steal data and compromise organizations. 
As with all your other\r\nendpoints, it is vital to keep your Mac fleet protected by a capable, defense-in-depth security solution such as the\r\nSentinelOne platform.\r\nIf you would like to learn more about how SentinelOne can protect your Mac, Windows, Linux, ChromeOS, IoT and Cloud\r\nworkload endpoints, contact us or request a free demo.\r\nIndicators of Compromise\r\nOSX.SysJoker\r\nDNS REQUESTS\r\ndrive.google.com.\r\ngooglehosted.l.googleusercontent.com.\r\ngraphic-updater.com.\r\nDNS RESPONSES\r\n142.250.199.14\r\n216.58.199.225\r\n216.58.203.78\r\n23.254.131.176\r\n36.4.104.0\r\nCOMMANDS EXECUTED\r\n/bin/sh\r\n/bin/bash\r\n/usr/bin/whoami\r\nFILEPATHS\r\n/Users/root/Library/SystemNetwork\r\n~/Library/MacOsServices/updateMacOs\r\nHASHES\r\nupdateMacOs\r\n554aef8bf44e7fa941e1190e41c8770e90f07254 1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac\r\ntypes-config.ts\r\n01d06375cf4042f4e36467078530c776a28cec05\r\nd0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0\r\nOSX.DazzleSpy\r\nFILEPATHS\r\n~/Library/LaunchAgents/com.apple.softwareupdate.plist\r\n~/.local/softwareupdate\r\n~/.local/security.zip\r\n~/.local/security/keystealDaemon\r\n.Documenty/security/libkeystealClient.dylib\r\n.Documenty/security/keys.err\r\n.Documenty/security/security-unsigned\r\n.Documenty/security/keystealDaemon\r\nC2\r\n88.218.192[.]128:5633\r\nHASHES\r\nserver.enc\r\nee0678e58868ebd6603cc2e06a134680d2012c1b\r\nf9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348\r\nSource: https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/"
	],
	"report_names": [
		"sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos"
	],
	"threat_actors": [],
	"ts_created_at": 1775791196,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c1fc11dd08c7ff8e96dfeeb8d09ca60c8cdeb80.pdf",
		"text": "https://archive.orkl.eu/6c1fc11dd08c7ff8e96dfeeb8d09ca60c8cdeb80.txt",
		"img": "https://archive.orkl.eu/6c1fc11dd08c7ff8e96dfeeb8d09ca60c8cdeb80.jpg"
	}
}