
CDrivers macOS malware chain with LaunchAgent persistence and credential theft

Malware Activity
1 unique source, 1 article

Summary


A macOS malware chain centered on CDrivers now combines staged scripts, a LaunchAgent persistence mechanism, and a Chrome-style password window to steal credentials and keep long-term access on compromised systems. The loader also supports arm64 and Intel targets, expanding its reach across Apple hardware. By blending fake permission prompts with background execution and exfiltration, the malware reduces user visibility while increasing the chance of sustained compromise. The result is a stealthier credential-theft operation that can repeatedly harvest data and retain access.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

GhostLoader staged npm install payload activity

Malware Activity
First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

MacSync macOS infostealer with dynamic AppleScript and in-memory execution

Malware Activity
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...

Latest development: 10.05.2026 20:52

A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.

AppleChris, MemFun, and Getpass malware activity with persistent C2 and credential theft

Malware Activity
First: 13.03.2026 19:33 Last: 13.03.2026 19:33 Sources 1

About this happening: The intrusion used **AppleChris**, **MemFun**, and **Getpass** to keep access on compromised **Windows** endpoints and steal credentials. The backdoors supported **persistence**,...

Timeline

  1. 25.11.2025 15:45 · 2 articles

    FlexibleFerret macOS chain uses CDrivers backdoor, LaunchAgent persistence, and Chrome-style credential theft

    Initial Disclosure

    Jamf Threat Labs described a macOS malware chain that uses staged scripts, a second-stage shell script, and a persistent Go-based backdoor named CDrivers to maintain access and steal credentials. The loader fetches different payloads for arm64 or Intel systems, launches the next-stage component in the background, writes a LaunchAgent so the backdoor runs at login, opens a decoy application that imitates Chrome permission prompts, and displays a Chrome-style password window to harvest credentials. Stolen passwords are routed to Dropbox: the malware assembles the Dropbox hostname from string fragments and uses the Dropbox upload API for exfiltration. It queries api.ipify.org for the victim's public IP address and falls back to a system-information command if that request fails. Jamf attributed the activity to FlexibleFerret operators.
