{
	"id": "de76bddf-c26a-4fb8-b0ff-b806cff4df63",
	"created_at": "2026-04-06T01:31:52.804458Z",
	"updated_at": "2026-04-10T03:21:47.227879Z",
	"deleted_at": null,
	"sha1_hash": "ca93d68ce62f38bf565b5959a33289dacd084fa4",
	"title": "Watering hole deploys new macOS malware, DazzleSpy, in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1736652,
	"plain_text": "Watering hole deploys new macOS malware, DazzleSpy, in Asia\r\nBy Marc-Etienne M.Léveillé and Anton Cherepanov\r\nArchived: 2026-04-06 00:37:52 UTC\r\nOn November 11th, Google TAG published a blogpost about watering-hole attacks leading to exploits for the Safari web browser running on macOS. ESET researchers had been investigating this campaign the week before that publication, uncovering additional details about the targets and malware used to compromise its victims. Here we provide a breakdown of the WebKit exploit used to compromise Mac users and an analysis of the payload, which is a new malware family targeting macOS. But first, let’s look at how victims came into contact with the malicious code in the first place.\r\nTargets\r\nIt was reported by Felix Aimé from SEKOIA.IO that one of the websites used to propagate the exploits was a fake website targeting Hong Kong activists. We can read on its home page “Liberate Hong Kong, the revolution of our times”. The very recent registration date of the fightforhk[.]com domain, October 19th, 2021, and the fact that the website is no longer accessible, support that idea. We could also confirm that the Internet Archive cached a copy of the web page on November 13th. This copy includes the malicious iframe, as seen in Figure 1.\r\nhttps://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/\r\nPage 1 of 18\r\nFigure 1. fightforhk[.]com, as archived by the Wayback Machine on November 13th\r\nESET researchers found another website, this time legitimate but compromised, that also distributed the same exploit during the few months prior to the Google TAG publication: the online, Hong Kong, pro-democracy radio station D100. As seen in Figure 2, an iframe was injected into pages served by bc.d100[.]net – the section of the website used by subscribers – between September 30th and November 4th 2021.\r\nBoth distribution methods have something in common: they attract visitors from Hong Kong with pro-democracy sympathies. It seems that they were the primary target of this threat.\r\nFigure 2. Excerpt of https://bc.d100[.]net/Product/Subscription on November 4th 2021\r\nThe exploit chain\r\nAs seen in Figure 3, the page hosted on the malicious amnestyhk[.]org domain checks for the installed macOS version and redirects to the next stage if the browser is running on macOS 10.15.2 or newer.\r\nFigure 3. Content of the defaultaa.html page on amnestyhk[.]org\r\nThe next stage, named 4ba29d5b72266b28.html (see Figure 4), simply loads the JavaScript containing the exploit code – mac.js.\r\nFigure 4. Content of the 4ba29d5b72266b28.html page\r\nNote that the script tag to load caps.js has been commented out. The previous version of the exploit loaded Capstone.js from that file, while in the new version, Capstone.js is prepended to the exploit code in mac.js.\r\nThe WebKit exploit\r\nThe exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out, as seen in Figure 5.\r\nFigure 5. Excerpt of the JavaScript exploit containing comments about how to target iOS and PAC-enabled devices\r\nWe have confirmed that the patch identified by Google TAG does fix the vulnerability. While it is possible this vulnerability was assigned CVE-2021-1789, we couldn’t confirm this due to the lack of publicly available technical details. Below we outline our understanding of how the vulnerability affects Safari versions prior to 14.1.\r\nThe exploit implements two primitives to gain memory read and write access: one to leak the address of an object (addrof) and one to create a fake JavaScript object from a given memory address (fakeobj). Using these two functions, the exploit creates two arrays of different types that overlap in memory, and thus is able to set a value in one of them that is treated as a pointer when accessed using the other. The technique is well described by Samuel Groß in his multiple publications on the subject. Below we explain the vulnerability that made the leakage of object addresses possible.\r\nThe exploit relies on a side effect caused by modifying an object property to be accessible via a “getter” function while enumerating the object’s properties in JIT-compiled code. The JavaScript engine erroneously speculates that the value of the property is cached in an array and is not the result of calling the getter function. We have extracted the relevant part of the code that enables the addrof primitive, which you can see in Figure 6. Comments starting with (e)r are from ESET Research.\r\nFigure 6. Commented excerpt of the exploit enabling the leak of object addresses\r\nThe first corruption happening here is the result of bar(vic). The function will return a pointer to a JSCell object (to be more precise, a GetterSetter), which should never be accessible from the JavaScript code. Here is the result of describe(bar(vic)) in a JavaScriptCore console:\r\nCell: 0x7fffb34dc080 (0x7ffff38cc4c8:[0x3af5, GetterSetter, {}, NonArray, Leaf]), StructureID: 15093\r\nThis JSCell is then converted to a JSObject by calling the JavaScript Object function. Internally, this results in calling the JSCell’s toObject method. There is no implementation for converting a GetterSetter to a JSObject, and the code will eventually fall back and assume its type is a Symbol. The GetterSetter will erroneously be cast to a Symbol. You may have noticed the assertion that the cell type is a Symbol before performing the cast in the code; however, the ASSERT macro in WebKit is compiled out of release builds.\r\nIn memory, the location of getter[0] is the same as this corrupted symbol’s value. Thus, reassigning a value to getter[0] will change the value of the symbol. Its value is fetched from JavaScript using its toString method.\r\nThe updated JavaScriptCore code now checks whether the object contains properties with GetterSetter after the property enumeration, before considering whether the object’s attribute can be accessed “quickly”.\r\nDetailing the fake object creation would require an article of its own. In short, it abuses the same bug, although this time the object is manipulated in a way that the JIT-compiled code accesses an item that is out of bounds and returns an address that was carefully sprayed on the heap before the fetch.\r\nThe rest of the code allows bypassing mitigations, such as the Gigacage, and loads the next stage.\r\nAs explained by Google TAG, the JavaScript loads a Mach-O executable file in memory. The rudimentary loader does not implement importing symbols from external libraries; instead, the addresses of dlopen and dlsym are patched into the loaded Mach-O. These can then be used from the executable to dynamically load and get the addresses of functions from external libraries.\r\nPrivilege escalation to root\r\nNow that code execution has been gained, the next stage is a Mach-O that is loaded into memory and executed. This Mach-O exploits a local privilege escalation vulnerability to run the next stage as root. Our examination confirms Google’s analysis that the exploited vulnerability was described by Xinru Chi and Tielei Wang in a presentation at zer0con 2021, but it was also presented in more detail at MOSEC 2021 by Tielei Wang. The vulnerability has been assigned CVE-2021-30869. Figure 7 shows a call to a function Tielei Wang called adjust_port_type in his last presentation. This function, responsible for changing the internal type of a Mach port, is implemented the same way in the Mach-O as was presented at MOSEC. Changing the type of a Mach port shouldn’t be possible unless a vulnerability exists.\r\nFigure 7. Altering the port type from IKOT_NAMED_ENTRY to IKOT_HOST_PRIV to gain access to special (privileged) Mach ports\r\nTo summarize, the Mach-O does the following:\r\n1. Downloads a file from the URL supplied as an argument\r\n2. Decrypts this file using AES-128-ECB and TEA with a custom delta\r\n3. Writes the resulting file to $TMPDIR/airportpaird and makes it executable\r\n4. Uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file to avoid asking the user to confirm the launch of the unsigned executable\r\n5. Uses the same privilege escalation to launch the next stage with root privileges\r\nThe decrypted payload is where our analysis differs the most from what was described by Google TAG: the payload delivered to vulnerable visitors to the D100 site was new macOS malware we've named DazzleSpy.\r\nDazzleSpy\r\nDazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer. Our sample is a Mach-O binary file compiled for the x86_64 CPU architecture.\r\nPersistence\r\nIn order to persist on the compromised device, the malware adds a Property List file (plist; see Figure 8) named com.apple.softwareupdate.plist to the LaunchAgents folder. The malware executable file is named softwareupdate and saved in the $HOME/.local/ folder.\r\nFigure 8. Property List file in LaunchAgents folder\r\nC\u0026C communications\r\nDazzleSpy connects to a hardcoded C\u0026C server; the IP address and port found in the sample we decrypted were 88.218.192[.]128:5633. At first, the malware performs a TLS handshake, then uses a custom protocol to exchange JSON objects to deliver commands from the C\u0026C server to compromised Macs. DazzleSpy’s binary contains an X.509 certificate used as a certificate authority (CA). It verifies that the server’s certificate is issued by that authority. In practice, the same self-signed certificate is used for both the CA and the C\u0026C server. The technique protects the malware’s communications from potential eavesdropping by refusing to send data if end-to-end encryption is not possible.\r\nTable 1 contains the list of commands supported by DazzleSpy. The first column is the name of the command that must be present in the JSON object received from the C\u0026C server; many support optional or mandatory parameters.\r\nTable 1. DazzleSpy C\u0026C commands\r\nCommand name | Purpose\r\nheartbeat | Sends heartbeat response.\r\ninfo | Collects information about the compromised computer, including:\r\n • Hardware UUID and Mac serial number\r\n • Username\r\n • Information about disks and their sizes\r\n • macOS version\r\n • Current date and time\r\n • Wi-Fi SSID\r\n • IP addresses\r\n • Malware binary path and MD5 hash of the main executable\r\n • Malware version\r\n • System Integrity Protection status\r\n • Current privileges\r\n • Whether it’s possible to use CVE-2019-8526 to dump the keychain\r\nsearchFile | Searches for the specified file on the compromised computer.\r\nscanFiles | Enumerates files in Desktop, Downloads, and Documents folders.\r\ncmd | Executes the supplied shell command.\r\nrestartCMD | Restarts shell session.\r\nrestart | Depending on the supplied parameter: restarts C\u0026C command session, shell session or RDP session, or cleans possible malware traces (fsck_hfs.log file and application logs).\r\nprocessInfo | Enumerates running processes.\r\nkeychain | Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public KeySteal implementation is used.\r\ndownloadFileInfo | Enumerates the supplied folder, or provides creation and modification timestamps and SHA-1 hash for a supplied filename.\r\ndownloadFile | Exfiltrates a file from the supplied path.\r\nfile | File operations: provides information, renames, removes, moves, or runs a file at the supplied path.\r\nuninstall | Deletes itself from the compromised computer.\r\nRDPInfo | Provides information about a remote screen session.\r\nRDP | Starts or ends a remote screen session.\r\nmouseEvent | Provides mouse events for a remote screen session.\r\nacceptFileInfo | Prepares for file transfer (creates the folder at the supplied path, changes file attributes if it exists).\r\nacceptFile | Writes the supplied file to disk. With additional parameters, updates itself or writes files required for exploiting the CVE-2019-8526 vulnerability.\r\nsocks5 | Starts or ends SOCKS5 session (not implemented).\r\nrecoveryInfo, recovery | These seem like file recovery functions that involve scanning a partition. These functions do not seem to work and are probably still in development; they contain lots of hardcoded values.\r\nArtifacts\r\nWhile analyzing the DazzleSpy binary we found a number of interesting artifacts that might suggest an internal name for the malware and the authors’ origin.\r\nIn several places (for example, see Figure 9) the malware refers to osxrk, and the string 1.1.0 seems likely to be an internal version number.\r\nFigure 9. Possible internal name and version number of the DazzleSpy malware\r\nMoreover, it seems DazzleSpy’s authors were not so concerned about operational security, as they have left the username wangping in paths embedded in the binary. Figure 10 contains paths that reveal this username and internal module names.\r\nFigure 10. Paths embedded in the DazzleSpy binary\r\nOnce the malware obtains the current date and time on a compromised computer, as you see in Figure 11, it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the C\u0026C server.\r\nFigure 11. Decompiled code of the getSystemDate function\r\nIn addition, it should be noted that the DazzleSpy malware contains a number of internal messages in Chinese, for example as seen in Figure 12.\r\nFigure 12. Internal error message in Chinese\r\nConclusion\r\nGiven the complexity of the exploits used in this campaign, we assess that the group behind this operation has strong technical capabilities. While there is information published online about the local privilege escalation (LPE) vulnerability used here, we couldn’t find anything about the specific WebKit vulnerability used to gain code execution in Safari. It’s also interesting that end-to-end encryption is enforced in DazzleSpy and it won’t communicate with its C\u0026C server if anyone tries to eavesdrop on the unencrypted transmission by inserting a TLS-inspection proxy between the compromised system and the C\u0026C server.\r\nThe watering-hole operations this group has pursued show that its targets are likely to be politically active, pro-democracy individuals in Hong Kong. This campaign has similarities with one from 2020 where LightSpy iOS malware (described by TrendMicro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit. We cannot confirm at this point whether both campaigns are from the same group, but ESET Research will continue to track and report on similar malicious activities.\r\nIndicators of Compromise (IoCs)\r\nSamples\r\nSHA-1 | Filename | ESET detection name | Description\r\nF3772A23595C0B51AE32D8E7D601ACBE530C7E97 | mac.js | JS/Exploit.Agent.NQK | JavaScript code with WebKit exploit launching an LPE.\r\n95889E0EF3D31367583DD31FB5F25743FE92D81D | N/A | OSX/Exploit.Agent.C | Mach-O file with LPE launching next stage.\r\nEE0678E58868EBD6603CC2E06A134680D2012C1B | server.enc | OSX/DazzleSpy | DazzleSpy Mach-O after decryption of server.enc.\r\nFilenames\r\n$HOME/Library/LaunchAgents/com.apple.softwareupdate.plist\r\n$HOME/.local/softwareupdate\r\n$HOME/.local/security.zip\r\n$HOME/.local/security/keystealDaemon\r\n$HOME/.local/security/libkeystealClient.dylib\r\nNetwork\r\nURLs of Safari exploit\r\nhttps://amnestyhk[.]org/ss/defaultaa.html\r\nhttps://amnestyhk[.]org/ss/4ba29d5b72266b28.html\r\nhttps://amnestyhk[.]org/ss/mac.js\r\nhttps://amnestyhk[.]org/ss/server.enc\r\nDazzleSpy C\u0026C server\r\n88.218.192[.]128:5633\r\nDazzleSpy CA certificate\r\nSHA-256: 1F862B89CC5557F8309A6739DF30DC4AB0865668193FDFF70BA93F05D4F8C8B8\r\nCertificate:\r\nData:\r\nVersion: 1 (0x0)\r\nSerial Number: 10557282746731470350 (0x928300b9284a1e0e)\r\nSignature Algorithm: sha256WithRSAEncryption\r\nIssuer: C=11, ST=11, L=11, O=11, OU=11, CN=11/emailAddress=11@qq.com\r\nValidity\r\nNot Before: May 18 07:26:17 2021 GMT\r\nNot After : May 16 07:26:17 2031 GMT\r\nSubject: C=11, ST=11, L=11, O=11, OU=11, CN=11/emailAddress=11@qq.com\r\nSubject Public Key Info:\r\nPublic Key Algorithm: rsaEncryption\r\nPublic-Key: (2048 bit)\r\nModulus: …\r\nExponent: 65537 (0x10001)\r\nSignature Algorithm: sha256WithRSAEncryption\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Domain names such as amnestyhk[.]org were acquired to use on compromised web servers.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Servers (or virtual servers) were rented to serve WebKit exploits and used as C\u0026C servers for DazzleSpy.\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | A legitimate website was compromised to add an iframe loading malicious JavaScript code.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | DazzleSpy is macOS malware developed to steal information from its victims.\r\nResource Development | T1587.003 | Develop Capabilities: Digital Certificates | DazzleSpy verifies the authenticity of its C\u0026C server using an X.509 certificate.\r\nResource Development | T1587.004 | Develop Capabilities: Exploits | An undocumented Safari exploit was used to compromise the targets.\r\nResource Development | T1608.004 | Stage Capabilities: Drive-by Target | This operation compromised a website that is likely to be visited by its targets, to distribute malware.\r\nInitial Access | T1189 | Drive-by Compromise | The compromised website served the exploit to visitors using Safari on a Mac.\r\nExecution | T1569 | System Services | The exploit sends Mach messages to launchd to remove the quarantine flag and to kuncd to launch the malware.\r\nPersistence | T1543.001 | Create or Modify System Process: Launch Agent | DazzleSpy persists by installing a Launch Agent.\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | An LPE exploit for macOS is used to elevate privileges to root.\r\nDefense Evasion | T1620 | Reflective Code Loading | The LPE exploit downloading the next stage is loaded and executed in memory only.\r\nCredential Access | T1555.001 | Credentials from Password Stores: Keychain | DazzleSpy can steal credentials from the macOS keychain.\r\nDiscovery | T1083 | File and Directory Discovery | DazzleSpy can be used to enumerate files in specific folders.\r\nDiscovery | T1057 | Process Discovery | DazzleSpy can obtain the list of running processes.\r\nDiscovery | T1082 | System Information Discovery | DazzleSpy can obtain the macOS version.\r\nDiscovery | T1016 | System Network Configuration Discovery | DazzleSpy can obtain the IP address and Wi-Fi SSID.\r\nDiscovery | T1033 | System Owner/User Discovery | DazzleSpy can obtain the current username from a compromised Mac.\r\nDiscovery | T1124 | System Time Discovery | DazzleSpy can obtain the system time on a compromised Mac.\r\nCollection | T1005 | Data from Local System | DazzleSpy can search for documents on the compromised system.\r\nCollection | T1113 | Screen Capture | DazzleSpy has the ability to record screen activity.\r\nCommand and Control | T1071 | Application Layer Protocol | DazzleSpy uses a custom JSON-based protocol for its C\u0026C communications.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | DazzleSpy uses base64 to encode parts of its C\u0026C communications.\r\nCommand and Control | T1573 | Encrypted Channel | DazzleSpy uses TLS encryption.\r\nCommand and Control | T1571 | Non-Standard Port | DazzleSpy uses TCP port 5633.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | DazzleSpy exfiltrates data over its C\u0026C communications channel.\r\nSource: https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/"
	],
	"report_names": [
		"watering-hole-deploys-new-macos-malware-dazzlespy-asia"
	],
	"threat_actors": [],
	"ts_created_at": 1775439112,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca93d68ce62f38bf565b5959a33289dacd084fa4.pdf",
		"text": "https://archive.orkl.eu/ca93d68ce62f38bf565b5959a33289dacd084fa4.txt",
		"img": "https://archive.orkl.eu/ca93d68ce62f38bf565b5959a33289dacd084fa4.jpg"
	}
}