{
	"id": "a4e1f20a-45d4-4621-890c-991e12414081",
	"created_at": "2026-04-06T00:07:16.321056Z",
	"updated_at": "2026-04-10T13:12:27.643054Z",
	"deleted_at": null,
	"sha1_hash": "b76c026cf188360315911c69a865c39e6d7110b1",
	"title": "Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4818942,
	"plain_text": "Infect If Needed | A Deeper Dive Into Targeted Backdoor\r\nmacOS.Macma\r\nBy Phil Stokes\r\nPublished: 2021-11-15 · Archived: 2026-04-05 15:31:39 UTC\r\nLast week, Google’s Threat Analysis Group published details around what appears to be APT activity targeting,\r\namong others, Mac users visiting Hong Kong websites supporting pro-democracy activism. Google’s report\r\nfocused on the use of two vulnerabilities: a zero day and an N-day (a known vulnerability with an available patch).\r\nBy the time of Google’s publication both had, in fact, been patched for some months. What received less attention\r\nwas the malware that the vulnerabilities were leveraged to drop: a backdoor that works just fine even on the latest\r\npatched systems of macOS Monterey.\r\nGoogle labelled the backdoor “Macma”, and we will follow suit. Shortly after Google’s publication, a rapid triage\r\nof the backdoor was published by Objective-See (under the name “OSX.CDDS”). In this post, we take a deeper\r\ndive into macOS.Macma, reveal further IoCs to aid defenders and threat hunters, and speculate on some of\r\nmacOS.Macma’s (hitherto-unmentioned) interesting artifacts.\r\nHow macOS.Macma Gains Persistence\r\nThanks to the work of Google’s TAG team, we were able to grab two versions of the backdoor used by the threat\r\nactors, which we will label UserAgent 2019 and UserAgent 2021. 
Both are interesting, but arguably the earlier\r\n2019 version has greater longevity since the delivery mechanism appears to work just fine on macOS Monterey.\r\nThe 2019 version of macOS.Macma will run just fine on macOS Monterey\r\nhttps://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/\r\nPage 1 of 11\n\nUserAgent 2019 is a Mach-O binary dropped by an application called “SafariFlashActivity.app”, itself contained\r\nin a .DMG file (the disk image sample found by Google has the name “install_flash_player_osx.dmg”).\r\nUserAgent 2021 is a standalone Mach-O binary and contains much the same functionality as the 2019 version\r\nalong with some added AV capture capabilities. This version of macOS.Macma is installed by a separate Mach-O\r\nbinary dropped when the threat actors leverage the vulnerabilities described in Google’s post.\r\nBoth versions install the same persistence agent, com.UserAgent.va.plist, in the current user’s\r\n~/Library/LaunchAgents folder.\r\nMacma’s persistence agent, com.UserAgent.va.plist\r\nThe property list is worth pausing over as it contains some interesting features. First, aside from the path to the\r\nexecutable, we can see that the persistence agent passes two arguments to the malware before it is run: -runMode\r\nand ifneeded.\r\nThe agent also switches the current working directory to a custom folder, in which data from the separate\r\nkeylogger module, among other things, will later be deposited.\r\nWe find it interesting that the developer chose to include the LimitLoadToSessionType key with the value\r\n“Aqua”. The “Aqua” value ensures the LaunchAgent only runs when there is a logged-in GUI user (as opposed to\r\nrunning as a background task or running when a user logs in via SSH). 
This is likely necessary to ensure other\r\nfunctionality, such as requesting that the user give access to the Microphone and Accessibility features.\r\nVictims are prompted to allow macOS.Macma access to the Microphone\r\nHowever, since launchd defaults to “Aqua” when no key is specified at all, this inclusion is rather redundant.\r\nWe might speculate that the inclusion of the key here suggests the developer is familiar with developing other\r\nLaunchAgents in other contexts where other keys are indeed necessary.\r\nApplication Bundle Confusion Suggests A “Messy” Development Process\r\nSince we are discussing property lists, there are some interesting artifacts in the SafariFlashActivity.app’s Info.plist,\r\nand that in turn led us to notice a number of other oddities in the bundle executables.\r\nOne of the great things about finding malware built into a bundle with an Info.plist is that it gives away some\r\ninteresting details about when, and on what machine, the malware was built.\r\nmacOS.Macma was built on El Capitan\r\nIn this case, we see the malware was built on an El Capitan machine running build 15C43. That’s curious, because\r\nbuild 15C43 was never a public release build: it was a beta of El Capitan 11.2 available to developers and\r\nAppleSeed (Apple beta testers) briefly around October to November 2015. 
On December 8th, 2015, El Capitan\r\n11.2 was released with build number 15C50, superseding the previous public release of 11.1, build 15B42 from\r\nOctober 21st.\r\nAt this juncture, let’s note that the malware was signed with an ad hoc signature, meaning it did not require an\r\nApple Developer account or ID to satisfy code signing requirements.\r\nTherein lies an anomaly: the bundle was signed without needing a developer account, but it seems that the macOS\r\nversion used to create this version of macOS.Macma was indeed sourced from a developer account. Such an\r\naccount could possibly belong to the author(s), possibly be stolen, or possibly have been acquired with a fake ID. However,\r\nthe latter two scenarios seem inconsistent with the ad hoc signature. If the developer had a fake or stolen Apple\r\nID, why not codesign it with that for added credibility?\r\nWhile we’re speculating about the developer or developers’ identities, two other artifacts in the bundle are worthy\r\nof mention. The main executable in ../MacOS is called “SafariFlashActivity” and was apparently compiled on\r\nSept 16th, 2019. In the ../Resources folder, we see what appears to be an earlier version of the executable,\r\n“SafariFlashActivity1”, built some nine days earlier on Sept 7th.\r\nWhile these two executables share a large amount of code and functionality, there are also a number of differences\r\nbetween them. Perhaps the most intriguing is that they appear – by accident or by design – to have been created\r\nby two entirely different users.\r\nUser strings from two binaries in the same macOS.Macma bundle\r\nThe user account “lifei” (speculatively, Li Fei, a common-enough Chinese name) seems to have replaced the user\r\naccount “lxk”. 
Of course, it could be the same person operating different user accounts, or two entirely different\r\nindividuals building separately from a common project. Indeed, there are sufficiently large differences in the code\r\nin such a short space of time to make it plausible to suggest that two developers were working independently on\r\nthe same project and that one was chosen over the other for the final executable embedded in the ../MacOS\r\nfolder.\r\nNote that in the “lifei” builds, we see both the use of “Mac_Ma” for the first time, and “preexcel” — used as the\r\nteam identifier in the final code signature. Neither of these appears in the “lxk” build, where “SafariFlashActivity”\r\nappears to be the project name. This bifurcation even extends to an unusual inconsistency between the identifier\r\nused in the bundle and that used in the code signature, where one is xxxxx.SafariFlashActivity and the other is\r\nxxxxxx.preexcl-project.\r\nInconsistent identifiers used in the bundle and code signature of macOS.Macma\r\nIn any case, the string “lifei” is found in several of the other binaries in the 2019 version of macOS.Macma,\r\nwhereas “lxk” is not seen again. 
In the 2021 version, both “lifei” and “lxk” and all other developer artifacts have\r\ndisappeared entirely from both the installer and UserAgent binaries, suggesting that the development process had\r\nbeen deliberately cleaned up.\r\nUser lifei’s “Macma” seems to have won the ‘battle of the devs’\r\nFinally, if we return to the various (admittedly, falsifiable) compilation dates found in the bundle, there is another\r\ncuriosity: we noted that the malware appears to have been compiled on a 2015 developer build of macOS, yet the\r\nInfo.plist has a copyright date of 2018, and the executables in this bundle were built well over 3 years later in\r\nSeptember 2019 according to the (entirely manipulatable) timestamps.\r\nWhat can we conclude from all these tangled weeds? Nothing concrete, admittedly. But there do seem to be two\r\nplausible, if competing, narratives: perhaps the threat actor went to extraordinary, and likely unnecessary, lengths\r\nto muddle the artifacts in these binaries. Alternatively, the threat actor had a somewhat confused development\r\nprocess with more than one developer and changing requirements. No doubt the truth is far more complex, but\r\ngiven the nature of the artifacts above, we suspect the latter may well be at least part of the story.\r\nFor defenders, all this provides a plethora of collectible artifacts that may, perhaps, help us to identify this\r\nmalware or track this threat actor in future incidents.\r\nmacOS.Macma – Links To Android and Linux Malware?\r\nThings start to get even more interesting when we take a look at artifacts in the executable code itself. As we noted\r\nin the introduction, an early report on this malware dubbed it “OSX.CDDS”. We can see why. 
The code is littered\r\nwith methods prefixed with CDDS.\r\nSome of the CDDS methods found in the 2021 UserAgent executable\r\nThat code, according to Google TAG, is an implementation of a DDS – Data Distribution Service – framework.\r\nWhile our searches turned up blank trying to find a specific implementation of DDS that matched the functions\r\nused in macOS.Macma, we did find other malware that uses the same framework.\r\nAndroid malware drops an ELF bin that contains the same CDDS framework\r\nLinks to known Android malware droppers\r\nThese ELF bins and both versions of macOS.Macma’s UserAgent also share another commonality, the strings\r\n“Octstr2Dec” and “Dec2Octstr”.\r\nCommonalities between macOS.Macma and a malicious ELF Shared object file\r\nThese latter strings, which appear to be conversions for strings containing octals and decimals, may simply be a\r\nmatter of coincidence or of code reuse. The code similarities we found also have links back to installers for the\r\nnotorious Shedun Android malware.\r\nIn their report, Google’s TAG pointed out that macOS.Macma was associated with an iOS exploit chain that they\r\nhad not been able to entirely recover. Our analysis suggests that the actors behind macOS.Macma were at least\r\nreusing code from ELF/Android developers and possibly could also have been targeting Android phones with\r\nmalware. 
Further analysis is needed to see how far these connections extend.\r\nMacma’s Keylogger and AV Capture Functionality\r\nWhile the earlier reports referred to above have already covered the basics of macOS.Macma functionality, we\r\nwant to expand on previous reporting to reveal further IoCs.\r\nAs previously mentioned, macOS.Macma will drop a persistence agent at\r\n~/Library/LaunchAgents/com.UserAgent.va.plist and an executable at\r\n~/Library/Preferences/lib/UserAgent.\r\nAs we noted above, the LaunchAgent will ensure that before the job starts, the executable’s current working\r\ndirectory will be changed to the aforementioned “lib” folder. This folder is used as a repository for data culled by\r\nthe keylogger, “kAgent”, which itself is dropped at ~/Library/Preferences/Tools/, along with the “at” and\r\n“arch” Mach-O binaries.\r\nBinaries dropped by macOS.Macma\r\nThe kAgent keylogger creates text files of captured keystrokes from any text input field, including Spotlight,\r\nFinder, Safari, Mail, Messages and other apps that have text fields for passwords and so on. The text files are\r\ncreated with Unix timestamps for names and collected in directories called “data”.\r\nThe file 1636804188 contains data captured by the keylogger\r\nWe also note that this malware reaches out to a remote .php file to return the user’s IP address. 
The same URL has\r\na long history of use.\r\nhttp:\r\nBoth Android and macOS malware ping this URL\r\nFinally, one further IoC we noted in the ../MacOS/SafariFlashActivity “lifei” binary that never appeared\r\nanywhere else, and which we also did not see dropped on any of our test runs, was:\r\n/Users/%s/Library/Safari/Safari.app/Contents/MacOS/UpdateHelper\r\nMalware tries to drop a file in the Safari folder\r\nThis is worth mentioning since the target folder, the user’s Library/Safari folder, has been TCC protected since Mojave.\r\nFor that reason, any attempt to install there would fall afoul of current TCC protections (bypasses\r\nnotwithstanding). It looks, therefore, like a remnant of the earlier code development from the El Capitan era, and\r\nindeed we do not see this string in later versions. However, it’s unique enough for defenders to watch out for:\r\nthere’s never any legitimate reason for an executable at this path to exist on any version of macOS.\r\nConclusion\r\nCatching APTs targeting macOS users is a rare event, and we are lucky in this instance to have a fairly transparent\r\nview of the malware being dropped. Regardless of the vector used to drop the malware, the payload itself is\r\nperfectly functional and capable of exfiltrating data and spying on macOS users. It’s just another reminder, if one\r\nwere needed, that simply investing in a Mac does not guarantee you safe passage against bad actors. 
This may\r\nhave been an APT-developed payload, but the code is simple enough for anyone interested in malfeasance to\r\nreproduce.\r\nIndicators of Compromise\r\nSHA1\r\n000830573ff24345d88ef7916f9745aff5ee813d; UserAgent 2021 payload, Mach-O\r\n07f8549d2a8cc76023acee374c18bbe31bb19d91; UserAgent 2019, Mach-O\r\n0e7b90ec564cb3b6ea080be2829b1a593fff009f; (Related) ELF DYN Shared object file\r\n2303a9c0092f9b0ccac8536419ee48626a253f94; UserAgent 2021 installer, Mach-O\r\n31f0642fe76b2bdf694710a0741e9a153e04b485; SafariFlashActivity1, Mach-O\r\n734070ae052939c946d096a13bc4a78d0265a3a2; (Related) ELF DYN Shared object file\r\n77a86a6b26a6d0f15f0cb40df62c88249ba80773; at, Mach-O\r\n941e8f52f49aa387a315a0238cff8e043e2a7222; install_flash_player_osx.dmg, DMG\r\nb2f0dae9f5b4f9d62b73d24f1f52dcb6d66d2f52; client, Mach-O\r\nb6a11933b95ad1f8c2ad97afedd49a188e0587d2; SafariFlashActivity, Mach-O\r\nc4511ad16564eabb2c179d2e36f3f1e59a3f1346; arch, Mach-O\r\nf7549ff73f9ce9f83f8181255de7c3f24ffb2237; SafariFlashActivityInstall, shell script\r\nFile Paths\r\n~/Library/Preferences/Tools/at\r\n~/Library/Preferences/Tools/arch\r\n~/Library/Preferences/Tools/kAgent\r\n~/Library/LaunchAgents/com.UserAgent.va.plist\r\n~/Library/Preferences/UserAgent/lib/Data/\r\n~/Library/Preferences/UserAgent/lib/UserAgent\r\n~/Library/Safari/Safari.app/Contents/MacOS/UpdateHelper\r\nIdentifiers\r\nxxxxx.SafariFlashActivity\r\nxxxxxx.preexcl.project\r\nSource: https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/"
	],
	"report_names": [
		"infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma"
	],
	"threat_actors": [],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b76c026cf188360315911c69a865c39e6d7110b1.pdf",
		"text": "https://archive.orkl.eu/b76c026cf188360315911c69a865c39e6d7110b1.txt",
		"img": "https://archive.orkl.eu/b76c026cf188360315911c69a865c39e6d7110b1.jpg"
	}
}