{
	"id": "115435ae-7454-4937-bcc4-59f46cb08ff7",
	"created_at": "2026-04-06T15:52:33.08478Z",
	"updated_at": "2026-04-10T03:21:42.904085Z",
	"deleted_at": null,
	"sha1_hash": "8c9f9ffaa0bc97cc41d2116ba3347686e805cae2",
	"title": "After hiatus, in-the-wild Mac backdoors are suddenly back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34019,
	"plain_text": "After hiatus, in-the-wild Mac backdoors are suddenly back\r\nBy Dan Goodin\r\nPublished: 2016-07-06 · Archived: 2026-04-06 15:43:51 UTC\r\nAfter taking a hiatus, Mac malware is suddenly back, with three newly discovered strains that have access to Web\r\ncameras, password keychains, and pretty much every other resource on an infected machine.\r\nThe first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc\r\nConverter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When\r\ndouble clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac’s file system and\r\nwebcam, making it possible for attackers to download files, install new apps, and watch users who are in front of\r\nan infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them\r\nfrom being taken down or being used to identify the attackers.\r\n“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the\r\ncompromised system,” Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post\r\npublished Wednesday. “For instance, someone can lock you out of your laptop, threaten to blackmail you to\r\nrestore your private files or transform your laptop into a botnet to attack other devices.”\r\nInterestingly, Eleanor won’t install itself if it detects a Mac is running Little Snitch, an application firewall that can\r\nmonitor and control applications’ access to the Internet, researchers from fellow antivirus provider Malwarebytes\r\nreported in their own Wednesday blog post.\r\nThe second recently discovered Mac malware package is known as Keydnap. Its main function is to siphon\r\npasswords and cryptographic keys stored in a Mac’s keychain feature. 
The developer openly lifted code from\r\nKeychaindump, a proof-of-concept app that streamlines the exfiltration of keychain contents when an attacker\r\nknows a Mac’s password. Like Eleanor, Keydnap also uses Tor to contact command and control servers.\r\nResearchers from Eset, the AV provider that disclosed the new malicious app, discovered a clever trick Keydnap\r\ndevelopers employ to increase the chances an end user will install the malware. Once unpacked from a zip file, the\r\ninstallation file contains a Mach-O executable that’s disguised to look like a benign text document or image file.\r\nImmediately following the .txt or .jpg extension, the developers added a space character. As a result, double-clicking on the file will launch the file in a Mac’s terminal window where it can then be executed.\r\nSource: https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/"
	],
	"report_names": [
		"after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775490753,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c9f9ffaa0bc97cc41d2116ba3347686e805cae2.pdf",
		"text": "https://archive.orkl.eu/8c9f9ffaa0bc97cc41d2116ba3347686e805cae2.txt",
		"img": "https://archive.orkl.eu/8c9f9ffaa0bc97cc41d2116ba3347686e805cae2.jpg"
	}
}