
Living-Off-the-Land (LOTL) abuse of native utilities expands to macOS as primary intrusion tactic in enterprise environments

2 unique sources, 2 articles

Summary


Threat actors are increasingly leveraging legitimate, native system tools across both Windows and macOS environments to conduct attacks, achieving lateral movement, privilege escalation, and persistence while evading detection. Analysis of over 700,000 high-severity incidents indicates that 84% now involve abuse of trusted utilities—practices known as Living off the Land (LOTL). This shift reduces reliance on malware and exploits and instead takes advantage of the operational blind spots created by necessary administrative tools. Recent research from Cisco Talos highlights the expansion of LOTL techniques to macOS native features such as Remote Application Scripting (RAS), Spotlight metadata, and Apple Events, enabling covert execution, persistence, and lateral movement. More than 45% of organizations now use macOS in enterprise settings—often holding sensitive credentials, cloud access, and source code—making the platform a high-value target. Attackers abuse RAS to issue remote commands without triggering shell-based monitoring, embed malicious payloads in Finder comments stored as Spotlight metadata, and leverage native protocols and tools such as SMB, Netcat, Git repositories, TFTP, and SNMP for covert data transfer and movement. LOTL remains the dominant intrusion vector, often progressing undetected until significant compromise has occurred, largely because of limited visibility into macOS-native behaviors and the attackers' use of legitimate system processes.

Timeline

  1. 01.04.2026 13:58 · 2 articles

    LOTL abuse surpasses malware-based attacks in enterprise compromise scenarios

    Security analysis of 700,000 high-severity incidents reveals that 84% now involve Living off the Land (LOTL) techniques using legitimate system tools such as PowerShell, WMIC, and Certutil to facilitate lateral movement, privilege escalation, and persistence without triggering traditional detections. The trend reflects a strategic pivot by adversaries toward exploiting operational blind spots created by necessary administrative utilities, with up to 95% of access to risky tools being unnecessary. Recent research from Cisco Talos expands this trend to macOS environments, demonstrating that native features such as Remote Application Scripting (RAS), Spotlight metadata, and Apple Events are being repurposed for execution, persistence, and lateral movement. Over 45% of organizations now use macOS in enterprise settings, often holding sensitive credentials, cloud access, and source code, making the platform a high-value target. Attackers abuse RAS to execute remote commands via Apple's inter-process communication framework without triggering shell-based monitoring, embed malicious payloads in Finder comments stored as Spotlight metadata to evade static analysis, and leverage native protocols and tools including SMB, Netcat, Git repositories, TFTP, and SNMP for covert data exchange and lateral movement. Security teams face visibility gaps in detecting these behaviors because the activity occurs through Apple Events, IPC, or GUI interactions outside traditional endpoint detection rules; mitigation therefore calls for process lineage analysis and stricter MDM controls.

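As an added defender-side example (not code from the cited articles or from Cisco Talos), the Python below decodes the Finder-comment extended attribute the timeline entry describes and flags comments that carry shell tokens or base64 blobs that decode to commands. Collecting the raw attribute from a host is assumed to happen separately (for example with `xattr -px com.apple.metadata:kMDItemFinderComment <file>`, or by enumerating candidates with `mdfind`); the token list and the sample comments are constructed for illustration.

```python
import base64
import plistlib
import re

# Tokens with no business in a user's file annotation (assumption: tune per fleet;
# "sh -c" also matches "bash -c" and "zsh -c").
EXEC_TOKENS = ("osascript", "do shell script", "curl ", "sh -c", "python3 -c",
               "base64 -d", "base64 --decode", "eval ")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # long run of base64 alphabet
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")  # hashes in comments are legitimate and noisy


def decode_finder_comment(raw: bytes) -> str:
    """Unwrap com.apple.metadata:kMDItemFinderComment: a binary plist holding one
    string as Finder writes it, or bare UTF-8 if the attribute was set by hand."""
    if raw.startswith(b"bplist"):
        value = plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
        return value if isinstance(value, str) else repr(value)
    return raw.decode("utf-8", errors="replace")


def _shell_tokens(text: str) -> list[str]:
    return [tok.strip() for tok in EXEC_TOKENS if tok in text.lower()]


def assess_comment(comment: str) -> list[str]:
    """Return reasons the comment looks like a staged payload; empty means benign."""
    reasons = [f"shell token: {tok}" for tok in _shell_tokens(comment)]
    for blob in B64_RUN.findall(comment):
        if HEX_ONLY.fullmatch(blob):
            continue
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            reasons.append("long base64-like run (not decodable as text)")
            continue
        inner = _shell_tokens(decoded)
        reasons.append(("base64 blob decodes to shell command: " + ", ".join(inner))
                       if inner else "long base64-like run")
    return reasons


def build_sample_xattr(comment: str) -> bytes:
    """Constructed fixture: serialise a comment exactly as Finder stores it."""
    return plistlib.dumps(comment, fmt=plistlib.FMT_BINARY)


# Constructed samples: an ordinary annotation and one hiding an encoded command.
BENIGN = "Q3 budget draft, reviewed by finance"
STAGED = "notes: " + base64.b64encode(b"osascript -e 'do shell script \"id\"'").decode()
```

Running `assess_comment(decode_finder_comment(...))` over every attribute dumped from a fleet gives a triage list; pair a hit with process lineage (what wrote the attribute, what later read it) before treating it as an incident.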


Similar Happenings

Cross-platform cyberattack campaigns exploiting macOS, Windows, Linux, and mobile devices escalate enterprise SOC operational gaps

Enterprise security operations centers (SOCs) face escalating operational gaps due to multi-platform cyberattack campaigns that exploit fragmented detection and response workflows across Windows endpoints, macOS devices, Linux infrastructure, and mobile platforms. Attackers leverage platform-specific behaviors to evade early triage, split investigations, and delay containment, increasing credential theft, persistence establishment, and lateral movement opportunities. SOC inefficiencies—such as delayed validations, fragmented evidence, and escalation bottlenecks—create measurable business exposure windows where threats advance before detection and response processes consolidate. Campaigns such as ClickFix illustrate how threat actors customize execution paths per operating system, using deceptive techniques (e.g., Google ad redirects to fake documentation pages) to deliver platform-specific payloads like AMOS Stealer and persistent backdoors.

Malicious npm Package Targets macOS Users with RAT and Credential Theft

A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.

GPUGate Malware Campaign Targets IT Firms in Western Europe

The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.

Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

Since June 2025, the COOKIE SPIDER group’s Shamos infostealer and Atomic macOS Stealer (AMOS) variants have targeted Mac devices via evolving ClickFix social engineering campaigns, stealing data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. Early campaigns relied on malvertising, fake GitHub repositories, and signed Swift applications hosted on legitimate platforms like Cloudflare Pages and Squarespace. AMOS has been delivered through disk images, obfuscated shell scripts, and in-memory payloads, expanding from Terminal-based ClickFix tactics to abuse trusted macOS applications. In March 2026, Apple introduced a Terminal security feature in macOS Tahoe 26.4 that blocks pasted command execution and warns users of risks, disrupting ClickFix attack chains. A new campaign observed in April 2026 by Jamf researchers now abuses the built-in Script Editor application to bypass these protections. The campaign uses fake Apple-themed disk cleanup guides to trick users into launching Script Editor via the applescript:// URL scheme, executing an obfuscated payload in system memory that delivers Atomic Stealer. The new Script Editor-based ClickFix variation enables theft of Keychain data, browser autofill information, cryptocurrency wallet extensions, and system details without requiring Terminal interaction. AMOS continues to expand its capabilities, now including a backdoor component for persistent access to compromised systems.