{
	"id": "65e35885-7125-4398-b6f9-e917dae23bdb",
	"created_at": "2026-04-06T00:22:08.510916Z",
	"updated_at": "2026-04-10T03:20:47.07396Z",
	"deleted_at": null,
	"sha1_hash": "6fa881d1a55a42c9050a236e68363eb6ff5ef9f1",
	"title": "macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5874082,
	"plain_text": "macOS Cuckoo Stealer | Ensuring Detection and Defense as New\r\nSamples Rapidly Emerge\r\nBy Phil Stokes\r\nPublished: 2024-05-09 · Archived: 2026-04-05 17:06:52 UTC\r\nInfostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic\r\nStealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites,\r\ncracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that\r\nresearchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.\r\nIn this post, we review Cuckoo Stealer’s main features and logic from a detection point of view and offer extended\r\nindicators of compromise to aid threat hunters and defenders. At the time of writing, the latest version of XProtect,\r\nversion 2194, does not block execution of Cuckoo Stealer malware. SentinelOne customers are protected from macOS\r\nCuckoo Stealer.\r\nMore Cuckoo Stealers Appearing\r\nSince the initial report on the emergence of this family of malware on April 30, we have seen a rise in new samples and\r\ntrojanized applications, from the four originally reported by Kandji to 18 unique trojanized applications at the time of\r\nwriting, with new samples appearing daily.\r\nThe trojanized apps are various kinds of “potentially unwanted programs” offering dubious services such as PDF or\r\nmusic converters, cleaners and uninstallers (a full list appears in the IoCs at the end of this post), such as:\r\nApp Uninstaller.app\r\nDumpMedia Amazon Music Converter.app\r\nhttps://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/\r\nPage 1 of 10\n\nFoneDog Toolkit for Android on Mac.app\r\niMyMac PDF Compressor.app\r\nPowerUninstall.app\r\nTuneSolo Apple Music Converter.app\r\nAs reported previously, these applications contain a malicious binary in 
the MacOS folder named upd. The most recent\r\nbinaries – in ‘fat’ and ‘thin’ versions for both Intel x86 and arm64 architectures – are ad hoc codesigned, and their parent\r\napplications all share the same bundle identifier, upd.upd.\r\nApple’s codesign utility will provide identical output for all these samples:\r\ncodesign -dv file\r\n…\r\nIdentifier=upd.upd\r\nFormat=Mach-O thin (x86_64)\r\nCodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded\r\nSignature=adhoc\r\nInfo.plist=not bound\r\nTeamIdentifier=not set\r\nSealed Resources=none\r\nInternal requirements count=0 size=12\r\nSome protection is offered to unsuspecting users by Apple’s Gatekeeper, which will by default throw a warning that the\r\napplication is not notarized. The malware authors have anticipated this and provided the user with instructions on how to\r\nrun the application.\r\nThe malware is written in C++ and was created in build 12B45b of Xcode, version 12.2, a rather old version that was\r\nreleased in November 2020, using a device still running macOS 11 Big Sur (build 20A2408) from the same year.\r\nThe code signature and the application’s Info.plist containing this information make current samples relatively easy\r\nto identify.\r\nSimple Obfuscation Helps Cuckoo to Hide in Apple’s Nest\r\nA noticeable characteristic of the malware is the heavy use of XOR’d strings in an attempt to hide its behavior from\r\nsimple static signature scanners. The samples use different XOR keys (see the list of IoCs at the end of this post) of\r\nvarying lengths to decrypt the main strings and functionality dynamically.\r\nThough the binary is stripped and lacks function names, the decrypt routine is readily identifiable from the large number\r\nof cross references to it in the rest of the code. 
Current samples call the decrypt routine precisely 223 times.\r\nCuckoo decryption function\r\nBy breaking on this function in a debugger, it is relatively straightforward to output the decrypted strings to understand\r\nthe malware’s behavior.\r\nHowever, not all obfuscated strings are processed through this function. The decryption key and routine can be found\r\nindependently in other places in the code as well.\r\nAmong the few unobfuscated strings in the current binary is one that represents an array of file extensions, indicating the kind\r\nof information the malware authors are interested in stealing.\r\n{\"txt\", \"rtf\", \"doc\", \"docx\", \"xls\", \"xlsx\", \"key\", \"wallet\", \"jpg\", \"dat\", \"pdf\", \"pem\", \"asc\", \"ppk\", \"r\r\nLooking for cross references to ‘wallet’ (one of the items in the array), we find the array is consumed in a function which\r\ncalls both the decrypt function and another function that implements the same XOR routine and key.\r\nIn radare2, we can find all references to the XOR key by grepping the output of the ax command for the string’s\r\naddress.\r\nFinding cross references in radare2\r\nCuckoo Stealer Observable Behavior\r\nDespite these attempts at obfuscation, analysis of Cuckoo Stealer reveals that, unsurprisingly, it uses many of the same\r\ntechniques as other infostealers we have encountered in the last 12 months or so. 
In particular, it makes various uses of\r\nAppleScript to duplicate files and folders of interest and to steal the user’s admin password in plain text.\r\nSentinelOne detects Cuckoo Stealer\r\nThis is achieved through a simple AppleScript dialog using the “hidden answer” option, a ploy that macOS attackers\r\nhave been using since at least 2008, as we observed recently in relation to Atomic Stealer.\r\nErm #Microsoft, OK, but has #Apple security also failed?\r\nIn 2008, before #XProtect, in OS X 10.5 Leopard, PokerStealer was scraping passwords in clear text same\r\nway as Atomic Stealer, MetaStealer and others are still doing in 2024.\r\nfa91b42b68d92f57b56929cb35c12ae54e022ad2 pic.twitter.com/oe2MNHJLsf\r\n— Phil Stokes ⫍🐠⫎ (@philofishal) April 4, 2024\r\nWith Cuckoo Stealer, if the user enters anything other than a valid admin password, the malware will repeatedly display\r\nthe dialog until the right password is provided. This remains true even if the user presses the ‘Cancel’ button.\r\nThe underlying mechanism for how the password is checked was nicely elucidated by Kandji researchers here. The\r\nscraped password is then saved in clear text in a file named pw.dat in a hidden subfolder of the user’s home directory.\r\nThe hidden folder’s name is a combination of .local- and a randomly generated UUID identifier. For example:\r\n~/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/\r\nThe following regexes can be used to find paths or commands containing this pattern:\r\n\\.local-[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}/\r\n// alternatively:\r\n\\.local-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/\r\nIn addition, the malware also attempts to install a persistence LaunchAgent with the label com.user.loginscript. 
The\r\nname of the property list file itself will take the form of the parent application bundle. For example, the trojan\r\nDumpMedia Spotify Music Converter.app will create a plist called\r\n~/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist, while iMyMac Video Converter.app will\r\nwrite the same plist out as com.immyac.videoconverter.plist.\r\nCuckoo Stealer LaunchAgent\r\nThis persistence agent will point to a copy of the upd binary located in the same hidden .local-\u003cUUID\u003e directory\r\nmentioned above.\r\nThe malware also makes use of several Living Off the Land utilities, including xattr, osascript and\r\nsystem_profiler, for tasks such as quarantine removal and discovery.\r\nObserved commands and arguments:\r\nawk /Hardware UUID/{print $(NF)}\r\nlaunchctl load -w \"/Users/user1/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist\"\r\nosascript -e 'display dialog \"macOS needs to access System Settings\" default answer \"\" with title \"System Preferences\" with icon caution with hidden answer'\r\nsystem_profiler SPHardwareDataType | awk '/Hardware UUID/{print $(NF)}'\r\nxattr -d com.apple.quarantine \"/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter\"\r\nCuckoo Stealer execution chain\r\nSentinelOne Protects Against Cuckoo Stealer\r\nSentinelOne Singularity detects Cuckoo Stealer and prevents its execution when the policy is set to Protect/Protect. 
In\r\nDetect mode, the agent will allow analysts to observe and investigate malicious behavior, as shown below.\r\nAgent versions 23.4.1.7125 and later offer an extensive set of behavioral indicators, including references to MITRE TTPs\r\nspecific to macOS infostealers.\r\nConclusion\r\nThe actors behind the Cuckoo Stealer campaign have clearly invested some resources into developing a novel infostealer\r\nrather than buying any of the ready-made offerings currently circulating in various Telegram channels and darknet\r\nforums. This, along with the rising numbers of samples we have observed since initial reporting of this threat, suggests\r\nthat we will likely see further variants of this malware in the future.\r\nEnterprises are advised to use a third-party security solution such as SentinelOne Singularity to ensure that devices are\r\nprotected against this and other threats targeting macOS devices in the fleet.\r\nTo learn more about how SentinelOne can help protect your organization, contact us or request a free demo.\r\nIndicators of Compromise\r\nBundle Identifier\r\nupd.upd\r\nObserved Application Names\r\nApp Uninstaller.app\r\nDumpMedia Amazon Music Converter.app\r\nDumpMedia DeezPlus.app\r\nDumpMedia Pandora Music Converter.app\r\nDumpMedia Spotify Music Converter.app\r\nDumpMedia Video Converter.app\r\nDumpMedia YouTube Music Converter.app\r\nFoneDog Data Recovery.app\r\nFoneDog iPhone Cleaner.app\r\nFoneDog PDF Compressor.app\r\nFoneDog Toolkit for Android on Mac.app\r\nFoneDog Toolkit for iOS on Mac.app\r\nFoneDog Video Converter.app\r\niMyMac PDF Compressor.app\r\niMyMac Video Converter.app\r\nPowerUninstall.app\r\nTunesFun Apple Music Converter.app\r\nTuneSolo Apple Music Converter.app\r\nObserved Mach-Os 
(SHA1)\r\nObserved XOR Keys\r\nSource: https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/"
	],
	"report_names": [
		"macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge"
	],
	"threat_actors": [],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fa881d1a55a42c9050a236e68363eb6ff5ef9f1.pdf",
		"text": "https://archive.orkl.eu/6fa881d1a55a42c9050a236e68363eb6ff5ef9f1.txt",
		"img": "https://archive.orkl.eu/6fa881d1a55a42c9050a236e68363eb6ff5ef9f1.jpg"
	}
}