Find notable cyber news and cases, enriched with sources, timelines, and signals.

CDrivers macOS malware chain with LaunchAgent persistence and credential theft

Malware Activity
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

A macOS malware chain centered on CDrivers now combines staged scripts, a LaunchAgent persistence mechanism, and a Chrome-style password window to steal credentials and keep long-term access on compromised systems. The loader also supports arm64 and Intel targets, expanding its reach across Apple hardware. By blending fake permission prompts with background execution and exfiltration, the malware reduces user visibility while increasing the chance of sustained compromise. The result is a stealthier credential-theft operation that can repeatedly harvest data and retain access.

Related Happenings

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
H score30 First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

GhostLoader staged npm install payload activity

Malware Activity
H score30 First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

Timeline

  1. 25.11.2025 15:45 2 articles · 7mo ago

    FlexibleFerret macOS chain uses CDrivers backdoor, LaunchAgent persistence, and Chrome-style credential theft

    Initial Disclosure

    Jamf Threat Labs described a macOS malware chain affecting compromised Macs that uses staged scripts, a second-stage shell script, and a persistent Go-based backdoor named CDrivers to maintain access and steal credentials. The loader fetches different payloads for arm64 or Intel systems, launches the next-stage component in the background, writes a LaunchAgent to run at login, opens a decoy application that imitates Chrome permission prompts, and displays a Chrome-style password window to harvest credentials. The malware routes stolen passwords to Dropbox, assembles the Dropbox host from string fragments, uses the Dropbox upload API for exfiltration, queries api.ipify.org for the victim's public IP address, and falls back to a system-information command after errors; Jamf attributed the activity to FlexibleFerret operators.

    Show sources