ChillyHell macOS backdoor resurfaces with new sample
Malware Activity
Summary
The ChillyHell backdoor has resurfaced on macOS with a newly discovered sample, restoring a stealthy remote-access threat that can drop payloads, brute-force passwords, and evade detection. The sample was uploaded to VirusTotal on May 2, 2025 and matches the earlier version tied to an intrusion against officials in Ukraine. The same binary had been publicly hosted on Dropbox since 2021 while carrying a valid Apple notarization; Apple revoked the associated developer certificates after being notified. The return of a notarized macOS backdoor raises exposure for environments that treat code signing and notarization as sufficient evidence that software is safe to run.
Related Happenings
OpenClaw fake installer GitHub campaign promoted by Bing AI
Campaign
First: 06.03.2026 00:37
Last: 06.03.2026 00:37
Sources 1
About this happening:
A campaign observed **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...
Latest development: 09.03.2026 20:31
A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.
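The install-time hook is the part of this chain a defender can check for mechanically: npm runs a dependency's preinstall, install and postinstall scripts automatically during `npm install`, so a manifest that declares one deserves a look before the code ever runs. The script below is an added example, not code from the page or from any of the projects it mentions. It audits a node_modules tree for such hooks and rates each one; the sample manifests are constructed here for illustration (the fake installer's full manifest is not reproduced, only the postinstall pattern the report describes), and the benign node-gyp allow-list is an assumption you should tune to your own dependency set.

```python
"""Audit a node_modules tree for npm lifecycle hooks that execute at install time."""
import json
import re
from pathlib import Path

# Scripts npm runs automatically for a dependency during `npm install` / `npm ci`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Hook commands that download, spawn a shell, decode blobs, or run a bundled script.
RISKY_RE = re.compile(
    r"\b(?:curl|wget|bash|sh|osascript|powershell|base64)\b|\bnode\s+\S+\.js\b"
)

# Assumption: native add-ons rebuilding via node-gyp are the usual legitimate hook.
KNOWN_BENIGN = {"node-gyp rebuild", "prebuild-install || node-gyp rebuild"}


def audit_manifest(text, where="<package.json>"):
    """Return (package, hook, command, severity) tuples for one package.json body."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [(where, "-", "-", "unparseable")]
    name = pkg.get("name") or where
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if cmd.strip() in KNOWN_BENIGN:
            severity = "known-benign"
        elif RISKY_RE.search(cmd):
            severity = "high"          # runs a script / shell / downloader at install
        else:
            severity = "review"        # any other install-time hook still needs eyes
        findings.append((name, hook, cmd, severity))
    return findings


def _is_package_root(manifest):
    """True for node_modules/<pkg>/package.json or node_modules/@scope/<pkg>/package.json."""
    p = manifest.parent.parent
    return p.name == "node_modules" or (p.name.startswith("@") and p.parent.name == "node_modules")


def audit_node_modules(root):
    """Walk a node_modules directory (scoped packages included) and audit every package."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        if _is_package_root(manifest):
            findings += audit_manifest(manifest.read_text(errors="replace"), str(manifest))
    return findings


# Constructed manifests for offline use (not real package contents).
SAMPLE_FAKE_INSTALLER = json.dumps({
    "name": "@openclaw-ai/openclawai",
    "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/setup.js"},
})
SAMPLE_NATIVE_ADDON = json.dumps({"name": "some-native-addon",
                                  "scripts": {"install": "node-gyp rebuild"}})
SAMPLE_CLEAN = json.dumps({"name": "plain-lib", "scripts": {"test": "jest"}})

if __name__ == "__main__":
    for sample in (SAMPLE_FAKE_INSTALLER, SAMPLE_NATIVE_ADDON, SAMPLE_CLEAN):
        for name, hook, cmd, sev in audit_manifest(sample):
            print(f"[{sev}] {name}: {hook} -> {cmd}")
    # Real use: audit_node_modules("./node_modules")
```

Installing with `npm ci --ignore-scripts` keeps hooks from running at all; packages that genuinely need them (native add-ons) can then be rebuilt deliberately once the hook has been read.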
Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)
Vulnerability
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources 1
About this happening:
**Dell RecoverPoint for Virtual Machines** versions prior to **6.0.3.1 HF1** were exposed to a **maximum-severity hardcoded-credential flaw** tracked as **CVE-2026-22769**. The is...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 in Dell RecoverPoint for Virtual Machines to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure their networks by the end of Saturday, February 21, under Binding Operational Directive 22-01; CISA warned that the flaw is actively exploited and advised agencies to apply vendor mitigations or stop using the product if mitigations are unavailable.
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
MacSync macOS information stealer variant delivered via signed Swift app
Malware Activity
First: 24.12.2025 18:23
Last: 24.12.2025 18:23
Sources 1
About this happening:
A new **MacSync** malware variant is being delivered through a **digitally signed, notarized Swift app** disguised as a messaging installer, raising the risk of **Gatekeeper bypas...
MacSync Stealer signed Swift dropper and in-memory payload analysis
Technical Analysis
First: 23.12.2025 18:45
Last: 23.12.2025 18:45
Sources 1
About this happening:
**Jamf Threat Labs** identified a reworked **MacSync Stealer** sample on **macOS** that uses a **code-signed, notarized Swift application** disguised as a messaging app installer...
Timeline
- 10.09.2025 14:59 · 1 article
  ChillyHell sample is uploaded to VirusTotal
  Initial Disclosure: A new ChillyHell sample is uploaded to VirusTotal on May 2, 2025; it matches the earlier malware version tied to an intrusion against officials in Ukraine and gives operators remote access, payload-dropping capability, and password-brute-forcing functionality.
  Sources:
  - Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- 10.09.2025 14:59 · 2 articles
  Apple revokes notarization for ChillyHell developer certificates
  Legal/Policy Action Update: Apple revokes notarization for the developer certificates associated with ChillyHell after being notified about the sample on Dropbox and VirusTotal. The published analysis documents LaunchAgent and LaunchDaemon persistence, shell-profile injection, C2 communication, timestamp tampering, password cracking, and indicators of compromise for affected macOS hosts.
  Sources:
  - Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
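The persistence mechanisms listed in the timeline (launchd jobs, shell-profile injection, timestamp tampering) are generic enough to hunt for without the sample's own indicators. The script below is an added example written for this page, not code from the Jamf or Dark Reading analyses, and it does not encode any ChillyHell-specific hash, path or label. It flags launchd jobs that execute from temp, shared or hidden directories, shell start-up lines that background a program from such a path, and files whose modification time predates their creation time. The sample plist and .zshrc are constructed for offline testing; the list of "odd" execution prefixes is an assumption to tune for your fleet.

```python
"""Hunt for launchd persistence, shell-profile injection and timestomping on macOS."""
import os
import plistlib
import re
from pathlib import Path

# Where launchd reads user-writable job definitions (SIP-protected /System paths skipped).
LAUNCH_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
               Path.home() / "Library" / "LaunchAgents"]
# Assumption: legitimate jobs rarely execute from these locations.
ODD_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                     "/Users/Shared/", "/var/folders/", "/private/var/folders/")
HIDDEN_DIR = re.compile(r"/\.[^/]+/")             # a dot-directory component in a path
PATH_RE = re.compile(r"(?:~|\$HOME|/)[\w.\-/]+")  # first absolute or home-relative path
SILENCE_RE = re.compile(r"\s*(?:>|2>|&>)\s*/dev/null\s*(?:2>&1)?")  # output-silencing redirects
PROFILE_FILES = (".zshrc", ".zprofile", ".zshenv", ".bash_profile", ".bashrc", ".profile")


def launch_job_findings(plist_bytes, source="<plist>"):
    """Return reasons one launchd job plist looks suspicious (empty list = nothing)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    exe = job.get("Program") or (args[0] if args else "")
    reasons = []
    if exe.startswith(ODD_EXEC_PREFIXES):
        reasons.append(f"{source}: executes from a temp/shared location: {exe}")
    if HIDDEN_DIR.search(exe):
        reasons.append(f"{source}: executes from a hidden directory: {exe}")
    # Start-at-login plus restart-if-killed is how a backdoor stays resident; it is
    # also common for legitimate agents, so it only adds weight to an odd location.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append(f"{source}: RunAtLoad + KeepAlive (auto-start, auto-restart)")
    return reasons


def profile_findings(text, source="<profile>"):
    """Flag shell start-up lines that background a program from an odd or hidden path."""
    reasons = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        core = SILENCE_RE.sub("", s).rstrip()
        backgrounded = core.endswith("&") or core.startswith("nohup ")
        m = PATH_RE.search(core)
        if backgrounded and m and (m.group(0).startswith(ODD_EXEC_PREFIXES)
                                   or HIDDEN_DIR.search(m.group(0))):
            reasons.append(f"{source}:{lineno}: background launch from {m.group(0)}: {s}")
    return reasons


def looks_timestomped(mtime, birthtime, slack=2.0):
    """A file cannot be modified before it exists: touch -t rewrites mtime but not the
    APFS birth time, so mtime earlier than birth time means the timestamp was tampered."""
    return mtime + slack < birthtime


def file_timestomp_finding(path):
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)  # present on macOS, absent on most Linux builds
    if birth is not None and looks_timestomped(st.st_mtime, birth):
        return f"{path}: mtime {st.st_mtime:.0f} predates birth time {birth:.0f}"
    return None


def hunt():
    """Run all checks against the live host and return the findings."""
    findings = []
    for d in LAUNCH_DIRS:
        for plist in (d.glob("*.plist") if d.is_dir() else []):
            try:
                findings += launch_job_findings(plist.read_bytes(), str(plist))
            except Exception as exc:        # a malformed plist is itself worth a look
                findings.append(f"{plist}: unreadable plist ({exc})")
            stomp = file_timestomp_finding(plist)
            if stomp:
                findings.append(stomp)
    for name in PROFILE_FILES:
        p = Path.home() / name
        if p.is_file():
            findings += profile_findings(p.read_text(errors="replace"), str(p))
    return findings


# Constructed samples (not real ChillyHell artifacts) to exercise the checks offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/helper</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_PROFILE = """# constructed ~/.zshrc
export PATH="$HOME/bin:$PATH"
eval "$(/opt/homebrew/bin/brew shellenv)"
nohup /Users/Shared/.cache/helper >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in launch_job_findings(SAMPLE_PLIST, "sample.plist") + profile_findings(SAMPLE_PROFILE, "sample.zshrc"):
        print(f)
    # Real use on a macOS host: for f in hunt(): print(f)
```

For any binary the hunt surfaces, check what Apple currently thinks of it rather than trusting the signature alone: `codesign --verify --deep --strict -vv <path>` confirms the signature is intact, and `spctl --assess --type execute -vv <path>` reports whether Gatekeeper still accepts it, which is what changes once a notarization or certificate has been revoked.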