Cybersecurity researchers have discovered a significant new macOS malware family, a modular backdoor dubbed CHILLYHELL. This threat is attributed to a hacking group known as UNC4487, which has been active since at least October 2022. According to threat intelligence from Google Mandiant, UNC4487 is suspected of being an espionage actor that has been observed compromising the websites of Ukrainian government entities. The group reportedly uses these compromised sites to redirect and socially engineer targets, tricking them into executing malware like Matanbuchus or CHILLYHELL. This sophisticated approach shows the group’s focus on targeted attacks and a high level of operational security.
CHILLYHELL, written in C++ for Intel architectures, was first discovered as a new sample uploaded to VirusTotal on May 2, 2025, by Jamf Threat Labs. Intriguingly, this particular sample was notarized by Apple back in 2021, and had been publicly hosted on Dropbox since then. Apple has since revoked the associated developer certificates. Once executed, the malware immediately profiles the compromised host and establishes persistent access through three different methods. It then initiates command-and-control (C2) communication with a hard-coded server, using either HTTP or DNS, to receive further instructions and payloads from its operators. This robust communication and persistence framework makes it particularly difficult to remove.
The malware’s persistence mechanisms are designed for redundancy. It can install itself as a LaunchAgent or a system LaunchDaemon. As a backup, it modifies the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command. A notable tactic is its use of timestomping, which modifies the timestamps of created files to avoid raising suspicion. If it lacks direct system call permissions, it falls back to using shell commands to alter the timestamps. This level of detail in its evasion techniques is what makes it so dangerous. Researchers also noted that the malware supports a wide range of commands, including launching a reverse shell, downloading updates, fetching additional payloads, and even conducting brute-force attacks on user accounts using a password list from the C2 server.
Jamf Threat Labs researchers have highlighted the unusual nature of CHILLYHELL. They pointed out its flexibility, citing its multiple persistence methods, ability to communicate over different protocols, and its modular structure. The capabilities of timestomping and password cracking are also considered highly unusual for the current macOS threat landscape. The fact that the malware was notarized by Apple also serves as an important reminder that not all malicious code comes unsigned, and users shouldn’t rely solely on notarization as a guarantee of safety. This raises important questions about the effectiveness of Apple’s security measures and the cunning of threat actors.
These findings coincide with the discovery of a new multi-platform RAT named ZynorRAT. This malware, which targets both Windows and Linux systems, uses a Telegram bot called @lraterrorsbot to control infected hosts. The first known sample of ZynorRAT was submitted to VirusTotal on July 8, 2025, and it doesn’t share any overlaps with other known malware families. The Linux version, compiled with Go, has a wide range of functions, including file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution. The discovery of both CHILLYHELL and ZynorRAT demonstrates the continuous evolution of the threat landscape and the need for constant vigilance.
Reference:
