{
	"id": "608e6546-18aa-49a7-8ae2-88623a5b8c0f",
	"created_at": "2026-04-06T00:11:25.394819Z",
	"updated_at": "2026-04-10T03:22:05.789051Z",
	"deleted_at": null,
	"sha1_hash": "de2cc8639a14a4880bb96afd3d96dfcd108b5d76",
	"title": "“Perverse” malware infecting hundreds of Macs remained undetected for years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 361769,
	"plain_text": "“Perverse” malware infecting hundreds of Macs remained undetected for years\r\nBy Dan Goodin\r\nPublished: 2017-07-24 · Archived: 2026-04-05 14:40:09 UTC\r\nSurveillance malware dubbed Fruitfly was easy to spot but flew under the radar anyway.\r\nA mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.\r\nPatrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.\r\nThe variant found by Wardle, by contrast, has infected a much larger number of Macs while remaining undetected by both macOS and commercial antivirus products. After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.\r\n“This shows that there are people who are sick in the head who are attacking everyday Mac users for insidious goals,” Wardle told Ars. Although the method of infection remains unknown, Wardle suspects it involves tricking users into clicking on malicious links, as opposed to exploiting vulnerabilities in apps or in macOS. “A lot of Mac users are overconfident in the security of their Mac. [The discovery] just goes to reiterate to everyday users that there are perhaps people out there trying to hack their computers.”\r\nWhy?\r\nBesides the means of infection being unknown, the exact purpose of the malware is also unclear. Wardle said he found no evidence the malware can be used to install ransomware or collect banking credentials. That largely removes the possibility that Fruitfly developers were motivated by financial profit. At the same time, the concentration of home users largely rules out chances the malware was designed by state-sponsored hackers to spy on targets.\r\n“I don’t know if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”\r\nWardle said the primary command-and-control server used by the malware had been shut down earlier but that many of the affected Macs had never been disinfected. As a result, the infected Macs reported to the backup server as soon as it became available. The researcher speculated that Fruitfly was therefore abandoned by its creators. As demonstrated by the backup servers, the Macs remained susceptible to spying by anyone who took the time to register one of the hardcoded domains.\r\nWardle has since reported all of his findings to law enforcement officials. He said all domains known to be associated with the malware are no longer available, a move that essentially neutralizes the threat. Apple representatives didn’t respond to an e-mail seeking comment for this post.\r\nWhile the backup server Wardle set up allowed him to discover the Macs that remained infected by the Fruitfly variant, it also allowed him to quickly analyze how the malware worked. Typically, researchers must undertake a painstaking process known as reverse engineering to document the inner workings. By infecting a lab computer and watching how it interacted with the backup server, the researcher was able to more easily understand how various commands worked. Wardle will speak about the process on Wednesday at the Black Hat Security Conference in Las Vegas, in a briefing titled Offensive Malware Analysis: Dissecting OSX/Fruitfly via a custom C\u0026C Server.\r\nOne of the interesting aspects of the latest Fruitfly variant is that it flew under the radar for so long. The malware relies on functions that were retired long ago and uses a crude method to remain installed once a Mac is infected. Compared to newer, more sophisticated malware, Fruitfly is much easier to detect. And yet, for whatever reason, no one caught it until recently. Two pieces of Mac software developed by Wardle would have given victims a strong indication they were infected. One, called BlockBlock, would have warned of the suspicious launch agent used by the malware. A second tool, called Oversight, provides notification anytime an app attempts to access a Mac’s webcam or microphone. A recent submission to the VirusTotal malware detection service shows that 19 of the top 56 AV- and endpoint-protection products now detect the malware.\r\nDan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.\r\nSource: https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/"
	],
	"report_names": [
		"perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years"
	],
	"threat_actors": [],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de2cc8639a14a4880bb96afd3d96dfcd108b5d76.pdf",
		"text": "https://archive.orkl.eu/de2cc8639a14a4880bb96afd3d96dfcd108b5d76.txt",
		"img": "https://archive.orkl.eu/de2cc8639a14a4880bb96afd3d96dfcd108b5d76.jpg"
	}
}