Subj : This macOS malware was laying dormant for years, but may have been silently infecting thousands of devices
To : All
From : TechnologyDaily
Date : Thu Sep 11 2025 15:45:09

This macOS malware was laying dormant for years, but may have been silently infecting thousands of devices

Date: Thu, 11 Sep 2025 14:31:00 +0000
Description: Even after Mandiant spotted it, the malware remained in the dark.

FULL STORY
======================================================================

- ChillyHell is a modular macOS backdoor created in 2021 that passed Apple's notarization and stayed undetected for years.
- Mandiant spotted it in 2023, but the information was not shared publicly, so AV tools did not catch on.
- Jamf exposed it in 2025, revealing it is still notarized and not flagged by antivirus engines.

For at least four years, a piece of modular Apple malware was being deployed on target devices without being flagged by antivirus solutions. To make matters worse, for at least two of those years, (a part of) the cybersecurity community was aware of its existence.

Earlier this week, security researchers at Jamf published a new report detailing ChillyHell, a modular backdoor that provides its operators with a reverse shell, the ability to update itself, and the option of fetching and executing additional payloads.

First detection in 2023

While the backdoor in itself is not out of the ordinary, the fact that it remained undetected for so long is. Apparently, the malware was created in 2021, when it was submitted to Apple. It passed notarization checks, meaning Apple's automated systems did not flag it as malicious. It managed to pass the checks because its payloads were split across modules, it was signed with a valid Apple Developer ID, and it presented itself as a harmless app. Furthermore, it showed none of the standard behavioral red flags, such as privilege escalation or network scanning. Up until 2023 it operated undetected, with no antivirus detections across major platforms.

However, in 2023, Mandiant (Google's cybersecurity arm) identified it in a threat intelligence briefing, and even attributed it to UNC4487, a threat actor that was seen targeting Ukrainian officials via an auto insurance website. But the briefing was shared privately and without technical details, leaving the broader security community in the dark about its existence. Apple did not revoke the notarization, and AV tools still did not flag it.

Fast forward to 2025, and Jamf Threat Labs has now publicly disclosed the malware, given it the name ChillyHell, and detailed its architecture, persistence, and evasion techniques. It also stressed that, even at this point, Apple's notarization remains valid, and some samples uploaded to VirusTotal are still not being flagged by antivirus.

Via The Register

======================================================================
Link to news story: https://www.techradar.com/pro/security/this-macos-malware-was-laying-dormant-for-years-but-may-have-been-silently-infecting-thousands-of-devices

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)