ChillyHell modular macOS malware OKed by Apple in 2021
"The malware, written in C++ and developed for Intel architectures, was originally reported by Mandiant in 2023. At the time, the Google-owned threat hunters linked it to a group it tracks as UNC4487 (UNC is how Google tracks uncategorized threat groups) that had breached a Ukrainian auto insurance website used by government officials for official travel. But despite being documented by the security shop, ChillyHell wasn't flagged as malicious."
"'Despite not making it to VirusTotal until 2025, this sample ... has remained notarized up until these findings,' Jamf Threat Labs researchers Ferdous Saljooki and Maggie Zirnhelt said in a Wednesday report, adding that the malware's functionality 'appears to be nearly identical' to the Mandiant-found version. In addition, the notarized sample has been hosted publicly on Dropbox since 2021, indicating that it has likely been infecting victims while remaining undetected over the last four years."
ChillyHell is a modular macOS backdoor written in C++ for Intel architectures that likely infected computers for years while evading detection. A sample matching the one Mandiant linked in 2023 to a UNC4487 intrusion against a Ukrainian auto insurance website appeared on VirusTotal in May 2025. The sample was developer-signed, notarized by Apple in 2021, and publicly hosted on Dropbox since 2021; its notarization remained valid until Jamf's findings. Apple has since revoked the associated developer certificates. The malware uses three persistence mechanisms: a user LaunchAgent, a system LaunchDaemon when it runs with elevated privileges, and a fallback option, which suggests targeted, modular deployment.
Read at Theregister