{
	"id": "89cd7550-24d7-4c4c-a237-25adcaa36cbd",
	"created_at": "2026-04-06T00:21:11.688429Z",
	"updated_at": "2026-04-10T03:32:26.557768Z",
	"deleted_at": null,
	"sha1_hash": "b96409cb32ad3c3ed31b7ce2b370a5a96cbd7d3a",
	"title": "Good old malware for the new Apple Silicon platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 447176,
	"plain_text": "Good old malware for the new Apple Silicon platform\r\nBy Ilya Mogilin\r\nPublished: 2021-03-12 · Archived: 2026-04-05 16:18:24 UTC\r\nIntroduction\r\nA short while ago, Apple released Mac computers with the new chip called Apple M1. The unexpected release was\r\na milestone in the Apple hardware industry. However, as technology evolves, we also observe a growing interest\r\nin the newly released platform from malware adversaries. This inevitably leads us to new malware samples\r\ncompiled for the Apple Silicon platform. In this article, we are going to take a look at threats for Macs with the\r\nApple M1 chip on board. We have also prepared a short F.A.Q. section at the end of the article for those who want to\r\nbetter understand the security risks of M1 malware. Let’s dive in.\r\nXCSSET malware\r\nLast year, a threat called XCSSET was discovered for the first time. It mainly targets Mac developers, using a\r\nunique way of distribution: injecting a malicious payload into Xcode IDE projects on the victim’s Mac. This\r\npayload is executed when the project files are built in Xcode. XCSSET modules have numerous\r\ncapabilities, such as:\r\nReading and dumping Safari cookies,\r\nInjecting malicious JavaScript code into various websites,\r\nStealing user files and information from applications such as Notes, WeChat, Skype, Telegram, etc.,\r\nEncrypting user files.\r\nAll these features, in combination with high stealth and an unusual way of distribution, make XCSSET a\r\ndangerous threat for Mac computers.\r\nWhile exploring the various executable modules of XCSSET, we found out that some of them also contained\r\nsamples compiled specifically for the new Apple Silicon chips. 
For example, a sample with the MD5 hash sum\r\n914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64.\r\nhttps://securelist.com/malware-for-the-new-apple-silicon-platform/101137/\r\nPage 1 of 5\n\nThe first one corresponds to previous-generation, Intel-based Mac computers, but the second one is compiled for\r\nthe ARM64 architecture, which means that it can run on computers with the new Apple M1 chip. According to\r\nVirusTotal, this sample was first uploaded on 2021-02-24 21:06:05, and the original research report did not contain\r\nthis hash or a module named “metald”, the name of the executable file. With this information on hand, we can\r\nassume that the XCSSET campaign is probably still ongoing. This suggests that more and more\r\nmalware writers are actively recompiling their samples to be able to run natively on new Apple Silicon Macs.\r\nSilver Sparrow threat\r\nXCSSET is not the only family which has adapted to run natively on Apple Silicon. According to a RedCanary\r\nreport, a new threat called Silver Sparrow has been identified. 
This threat introduces a new way for malware\r\nwriters to abuse the default packaging functionality: instead of placing a malicious payload in preinstall or\r\npostinstall scripts, the malware writers hid one in the Distribution XML file.\r\nThis payload uses the JavaScript API to run bash commands in order to download a JSON configuration file.\r\nDownloading of JSON config\r\nAfter successfully downloading that configuration file, the sample extracts a URL from the downloadURL\r\nfield for the next download.\r\nDownloading and executing a payload\r\nAlso, an appropriate Launch Agent is created for persistent execution of the malicious sample.\r\nMalware persistence\r\nThis JavaScript payload can be executed regardless of chip architecture, but in the package file with the MD5 hash\r\nsum fdd6fb2b1dfe07b0e57d4cbfef9c8149, there is a “fat” Mach-O containing two supported architectures\r\n(ARM64 and x86_64), as compared to the old package with the MD5 hash sum\r\n30c9bc7d40454e501c358f77449071aa. This means that the malware actors are trying to expand their attack\r\ncoverage by supporting a wider range of platforms.\r\nAdware threats for the new platform\r\nHowever, it is not just malware samples that can be launched on Apple Silicon. The well-known Mac malware\r\nresearcher Patrick Wardle recently published a post covering Pirrit adware. 
Though it is an old and well-known\r\nadware family, it is still actively updated by its authors, and new samples are encountered in the wild quite often.\r\nThese updates include:\r\nAnti-debug techniques such as using the ptrace syscall with the PT_DENY_ATTACH flag,\r\nControl flow obfuscation techniques,\r\nDynamic imports with dlsym calls to avoid static analysis,\r\nVirtual machine detection anti-analysis.\r\nControl flow obfuscation; dynamic symbols resolving with dlsym\r\nBesides these improvements in regular Intel x86_64 samples, new ARM64 samples were introduced. These are\r\ncrafted specifically for the Apple Silicon M1 chip, but the consequences of running them are roughly the same:\r\nlaunching Pirrit adware results in pop-ups, banners and various annoying advertisements displayed on the victim’s\r\nMac.\r\nPirrit is not the only adware family to have begun supporting the Apple Silicon platform recently. For example, we\r\nalso observed an ARM64 Bnodlero adware sample (MD5 82e02c1ca8dfb4c60ee98dc877ce77c5), which runs a\r\nbash downloader script using the system() function.\r\nBash downloader executed by Bnodlero sample\r\nFrequently Asked Questions\r\nWhat is so special about M1 threats?\r\nWell, there is not much special about them, frankly speaking. The only thing that distinguishes the new Apple M1\r\nthreats from previous ones targeting Intel-based Mac computers is the architecture of the Mac processor for which\r\nthe executable is compiled. In order to get their applications to run on Apple Silicon, software developers have to\r\nrecompile their code into executables which can run on the M1 chip. 
The same is true for malware adversaries.\r\nIs the Apple M1 chip less secure than Intel ones?\r\nNo, it is just a matter of platform support in malware executables.\r\nAre Intel-based Macs affected by M1 threats?\r\nYes and no. On the one hand, code that is compiled exclusively for the Apple Silicon platform cannot be natively\r\nexecuted on the Intel x86_64 architecture. On the other hand, malicious samples are often delivered as so-called\r\n“fat” Mach-O files, which usually contain the same code compiled for several architectures. This means that\r\nrunning such a “fat” executable will launch the right malicious code for your platform\r\narchitecture. The Pirrit and Bnodlero samples are good examples of this approach.\r\nCan threats for Intel-based Macs run on Apple M1?\r\nYes, they can. Thanks to the Rosetta 2 feature, newly released Mac computers with Apple M1 can also run malicious\r\ncode written exclusively for the Intel x86_64 architecture. This backward compatibility will certainly be abused by\r\nmalware operators until Apple completes the transition to its proprietary chips.\r\nIs there an upward trend in M1 malware?\r\nYes, there certainly is, and it is absolutely to be expected. As soon as a platform becomes more popular or highly\r\nanticipated, developers try to ensure that their software is available for it. Malware developers are no exception.\r\nConclusion\r\nWith the new M1 chip, Apple has certainly pushed the performance and energy-saving limits of Mac computers,\r\nbut malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon\r\nby porting the code to the ARM64 architecture.\r\nWe have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero\r\nsamples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable\r\nmalicious modules. 
This will certainly give a kickstart to other malware adversaries to begin adapting their code\r\nfor running on Apple M1 chips.\r\nSource: https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/"
	],
	"report_names": [
		"101137"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b96409cb32ad3c3ed31b7ce2b370a5a96cbd7d3a.pdf",
		"text": "https://archive.orkl.eu/b96409cb32ad3c3ed31b7ce2b370a5a96cbd7d3a.txt",
		"img": "https://archive.orkl.eu/b96409cb32ad3c3ed31b7ce2b370a5a96cbd7d3a.jpg"
	}
}