
New Spyware “Cuckoo” Going After Macs Both Intel And Apple Silicon


May 6th, 2024   |   Updated on November 4th, 2025

Cybersecurity researchers have identified a new information-stealing malware built for Apple macOS that combines persistence on the host with spyware functionality.

Named Cuckoo by Kandji, this malware takes the form of a universal Mach-O binary, compatible with both Intel and Arm-based Macs.

The precise method of dissemination remains murky, although there are indications suggesting that the binary finds its way onto platforms such as dumpmedia.com, tunesolo.com, fonedog.com, tunesfun.com, and tunefab.com, purportedly offering software—both free and paid—aimed at extracting music from streaming services and converting it to MP3 format.

Upon download, the disk image file launches a bash shell that collects host information and performs a locale check, excluding machines in regions such as Armenia, Belarus, Kazakhstan, Russia, and Ukraine. The malicious binary runs only if this check passes.

Persistence is ensured through the establishment of a LaunchAgent, a technique previously employed by various malware strains including RustBucket, XLoader, JaskaGO, and a macOS backdoor sharing traits with ZuRu.

Similar to the MacStealer macOS malware, Cuckoo employs osascript to present a counterfeit password prompt, deceiving users into disclosing their system passwords for privilege escalation.
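The LaunchAgent persistence and interpreter-driven prompts described above are the kind of traits an analyst looks for when triaging a user's LaunchAgents folder. The following is an added example, not code from Kandji or from this article: a small Python heuristic that parses a LaunchAgent plist and lists the reasons it deserves review. Both plists are constructed samples, and the trusted-path and interpreter lists are assumptions to tune for your own fleet.

```python
import plistlib
from pathlib import PurePosixPath

# Locations a legitimately installed LaunchAgent executable normally lives in (assumed baseline).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/bin/", "/sbin/")
# Interpreters that a persistence entry rarely needs to invoke directly.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl"}
# Directories any local user can write to; scripts launched from here deserve a look.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist deserves review; an empty list means none fired."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments")
    if not args:
        args = [plist["Program"]] if "Program" in plist else []
    if not args:
        return ["no Program or ProgramArguments key"]
    reasons = []
    exe, label = args[0], plist.get("Label", "")
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside trusted locations: {exe}")
    if PurePosixPath(exe).name in INTERPRETERS:
        reasons.append("persistence runs through an interpreter: " + " ".join(args))
    if label.startswith("com.apple.") and not exe.startswith("/System/"):
        reasons.append(f"Apple-style label {label!r} not backed by a /System binary")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunches at login and whenever killed")
    for arg in args[1:]:
        if arg.startswith(USER_WRITABLE):
            reasons.append(f"argument points into a user-writable path: {arg}")
    return reasons

# Constructed sample plists (not the real Cuckoo artefacts): a typical vendor updater, and one
# modelled on the traits described above, a shell launched from a user-writable directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/run</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, assess_launch_agent(blob) or ["nothing flagged"])
```

To run it over a real machine, feed each file under ~/Library/LaunchAgents to assess_launch_agent and review anything that returns a non-empty list.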

Researchers Adam Kohler and Christopher Lopez elucidate that this malware actively seeks out specific files linked to particular applications, aiming to gather comprehensive system data.

It executes a sequence of commands to extract hardware information, monitor active processes, identify installed apps, capture screenshots, and harvest data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and various applications such as Discord, FileZilla, Steam, and Telegram.

The researchers further note that each malicious application encompasses an additional application bundle within its resource directory.

While most bundles are signed with a valid Developer ID from Yian Technology Shenzhen Co., Ltd (VRBJ4VRP), those hosted on fonedog.com bear a different developer ID from FoneDog Technology Limited (CUAU2GTG98).

This revelation arrives nearly a month after an Apple device management company disclosed another malware, CloudChat, disguised as a privacy-focused messaging app, capable of compromising macOS users outside China.

CloudChat operates by intercepting cryptocurrency private keys copied to the clipboard and data associated with wallet extensions in Google Chrome.

In addition, a fresh variant of the pervasive AdLoad malware, penned in Go and named Rload (or Lador), has surfaced, designed to bypass the Apple XProtect malware signature list and specifically compiled for Intel x86_64 architecture.

Despite ongoing research, the precise dissemination methods for these payloads remain elusive, though they are frequently concealed within cracked or trojanized applications circulated via malicious websites.