{
	"id": "257839f3-e468-4fff-a940-bf5b59257e19",
	"created_at": "2026-04-06T00:15:32.943293Z",
	"updated_at": "2026-04-10T03:36:47.815192Z",
	"deleted_at": null,
	"sha1_hash": "83854da7bd544d1f6ad6cd87fb56fc328326d4c1",
	"title": "GitHub - kai5263499/Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS. 🍎💻",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145832,
	"plain_text": "GitHub - kai5263499/Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS. 🍎💻\r\nBy Noah Orlando\r\nArchived: 2026-04-05 20:26:54 UTC\r\n#Bella\r\nBella is a pure python post-exploitation data mining tool \u0026 remote administration tool for macOS. 🍎💻\r\n##What is it?\r\nBella is a robust, pure python, post-exploitation and remote administration tool for macOS.\r\nBella, a.k.a. the server (the component that runs on the target; the operator side is the Control Center, which this README calls the client), is an SSL/TLS encrypted reverse shell that can be dropped on any system running macOS \u003e= 10.6. Bella offers the following features:\r\n1. Pseudo-TTY that emulates an SSH session [CTRL-C support for most functions, streaming output, full support for inline bash scripting, tab completion, command history, blocking command handling, etc.].\r\n2. Auto installer! Just execute the binary and Bella takes care of the rest: a persistent reverse shell in a hidden location on the hard drive, undetected by anti-virus products at the time of writing.\r\n3. Upload / download any file[s].\r\n4. Reverse VNC connection.\r\n5. Stream and save the computer's microphone input.\r\n6. Login / keychain password phishing through a system prompt.\r\n7. Apple ID password phishing through an iTunes prompt.\r\n8. iCloud token extraction.\r\n9. Access to all iCloud services of the user through extracted tokens or passwords. This includes: iCloud Contacts, Find my iPhone, Find my Friends, iOS Backups.\r\n10. Google Chrome password extraction.\r\n11. Chrome and Safari history extraction.\r\n12. Automatic keychain decryption upon discovery of the keychain password.\r\n13. macOS chat history.\r\n14. iTunes iOS backup enumeration.\r\n15. Extensive logging of all Bella activity and downloaded files.\r\n16. VERY comprehensive data storage. All information that Bella discovers [tokens, passwords, etc.] is stored in an encrypted SQL database on the computer running Bella. This information is used for faster function execution and a \"smarter\" reverse shell.\r\n17. Complete remote removal of Bella.\r\n18. An interactive shell for commands such as nano, ftp, telnet, etc.\r\n19. A lot of other great features! Mess around with it to see it in action.\r\nThese are some of the features available in userland. This shell is accessible at any time when the user has an internet connection, which occurs when they are logged in and the computer is not asleep.\r\nIf we get root, Bella's capabilities greatly expand.\r\nSimilar to the getsystem function in a Meterpreter shell, Bella has a get_root function that will attempt to gain root access through a variety of means, including a phished user password and/or local privilege escalation exploits if the system is vulnerable.\r\nUpon gaining root access, Bella migrates to a hidden directory in /Library and loads itself as a LaunchDaemon. Because a LaunchDaemon is started by launchd at boot rather than at user login, this provides remote access to the Bella instance at all times, as long as the computer has a network connection. Once we get root, we can do the following:\r\n1. MULTI-USER SUPPORT! Bella will keep track of all information from any active users on the computer in a comprehensive database, and will automatically switch to the active computer user. All of the aforementioned data extraction techniques are now available for every user on the machine.\r\n2. Decrypt ALL TLS/SSL traffic and redirect it through the Control Center [a nice, active MITM attack; it relies on mitmproxy on the Control Center, and TLS interception of this kind requires that the target trust the proxy's CA certificate, which root access makes possible].\r\n3. Disable/enable the keyboard and/or mouse.\r\n4. Load an Insomnia KEXT to keep a connection open if the user closes their laptop.\r\n5. Automatic dumping of iCloud tokens and Chrome passwords [leverages keychaindump and chainbreaker if SIP is disabled].\r\n6. A lot of behind-the-scenes automation.\r\n##HOW TO USE\r\nBella's power lies in its high level of automation of most of the painstaking tasks that one faces in a post-exploitation scenario. It is incredibly easy to set up and use, requires no pre-configuration on the target, and very little configuration on the Control Center. It leverages the behind-the-scenes power of macOS and Python for a fluid post-exploitation experience.\r\n1. Download / clone this repository onto a macOS or Linux system.\r\n2. Run ./BUILDER and enter the appropriate information. It should look something like this:\r\n3. That's it! Bella is all ready to go. Just upload and execute Bella on your macOS target.\r\n4. Now run Control Center.py on your macOS or Linux control center. It requires no dependencies [except for mitmproxy if you want to MITM]. It will do some auto-configuration, and you will see something like this after a few seconds. ![](Screenshots/Found Clients.png) The Control Center will constantly update this selection, for up to 128 separate computers.\r\n5. Press Ctrl-C to choose from the selection, and then type in the number of the computer that you want. You will then be presented with a screen like this. ![](Screenshots/Command entry.png)\r\n6. Start running commands! bella_info is a great one. Run manual to get a full manual of all of the commands. Also, you can hit tab twice to see a list of available commands. ![](Screenshots/Bella Info.png)\r\nVERY IMPORTANT DISCLAIMER: USE BELLA RESPONSIBLY. BY USING BELLA YOU AGREE TO THE MIT LICENSE CONTAINED IN THIS REPOSITORY. READ THE LICENSE BEFORE USING BELLA.\r\nLittle note: Bella works across the internet if you do some configuration. Configure your firewall to forward Bella's port to your Control Center. Other important ports to forward: 1) VNC - 5500. 2) Microphone - 2897. 3) MITM - 8081. 4) Interactive Shell - 3818.\r\nAlso, VNC relies on the RealVNC application for macOS, as it is one of the few clients that supports a reverse VNC connection. It is free to download and use.\r\nVNC and microphone streaming are not yet supported for Linux control centers.\r\n##Other Information\r\nThis project is being actively maintained. Please submit any and all bug reports, questions, feature requests, or related information.\r\nBella leverages keychaindump, VNC, microphone streaming, etc. by sending base64-encoded C binaries over to the Bella server / target. Pre-compiled and encoded files are included in the Payloads/payloads.txt file. If you wish to compile your own version of these payloads, here is what to do after you compile them:\r\n1. Encode them in base64 and put them in payloads.txt, one per line, each separated by a newline.\r\n2. Keep them in the following order: vnc, keychaindump, microphone, rootshell, insomnia, lock_icon, chainbreaker.\r\npayload_generator in the Payloads directory should help with this.\r\nPlease let me know if you have any issues.\r\n###HUGE thanks\r\nhttps://github.com/juuso/keychaindump\r\nhttps://github.com/n0fate/chainbreaker\r\nhttps://github.com/richardkiss/speakerpipe-osx\r\nhttps://github.com/semaja2/InsomniaX\r\nhttps://github.com/stweil/OSXvnc\r\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=676\u0026redir=1\r\n###TODO\r\n1. Reverse SOCKS proxy to tunnel our traffic through the server.\r\n2. Firefox password decryption / extraction.\r\n3. Keystroke logging with legible output [80% done].\r\n4. VNC and microphone functionality for a Linux Control Center.\r\n####Some design points\r\n1. As previously stated, Bella is a pseudo-TTY. The base socket and remote code execution handling of Bella is a fairly abstracted version of a very simple request-response socket. Bella (the server, on the target) receives a command from the Control Center (the client). If the command matches a pre-programmed function (i.e. chrome history dump), it performs that function and sends the response back to the client. The client then handles the response in the same way, and after processing the response it prompts the operator for another command to send.\r\n2. Issues with a low-level socket are numerous, and include:\r\n  - Program execution that blocks and hangs the pipe, waiting for input or output that never comes (sudo, nano, ftp).\r\n  - Not knowing how much data to expect in the socket.recv() call.\r\n  - Not being able to send Ctrl-C, Ctrl-Z and similar commands.\r\n  - No command history.\r\n  - A program that crashes can kill the shell.\r\n  - Strict one-to-one request and response.\r\n3. Bella addresses the above by:\r\n  - recv() and send() functions that serialize the length of the message and loop through responses/requests accordingly, so the receiver knows exactly how many bytes make up each message.\r\n  - Readline integration to give a more TTY-like feel, including Ctrl-C support, command history, and tab completion.\r\n  - Detecting programs that block, and killing them.\r\n  - Allowing multiple messages to be sent at once without the client prompting for more input (great for commands like ping, tree, and other commands with live updates).\r\nFor full information on the pre-programmed functions, run the manual command when connected to the server.\r\nSource: https://github.com/kai5263499/Bella",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/kai5263499/Bella"
	],
	"report_names": [
		"Bella"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83854da7bd544d1f6ad6cd87fb56fc328326d4c1.pdf",
		"text": "https://archive.orkl.eu/83854da7bd544d1f6ad6cd87fb56fc328326d4c1.txt",
		"img": "https://archive.orkl.eu/83854da7bd544d1f6ad6cd87fb56fc328326d4c1.jpg"
	}
}