Dormant macOS Backdoor ChillyHell Resurfaces

Summary

Jamf Threat Labs discovered a new ChillyHell sample uploaded to VirusTotal on 2 May. The sample was notarised by Apple in 2021 and has been publicly hosted on Dropbox since 2021, and it matches the variant Mandiant linked to attacks on Ukrainian officials in 2022. Disguised as an executable applet (applet.app), ChillyHell is a modular backdoor that grants remote access, drops further payloads, exfiltrates data and brute-forces local account passwords. Apple revoked the developer certificates after Jamf notified it.

Key Points

  • ChillyHell resurfaced in a notarised sample uploaded to VirusTotal (2 May) and hosted on Dropbox since 2021.
  • Modular backdoor: remote access, payload delivery, data exfiltration and account enumeration.
  • Unusual local password‑cracking capability — it harvests usernames then retrieves a brute‑force tool from C2 to attack accounts.
  • Three persistence mechanisms: a user LaunchAgent, a system LaunchDaemon when elevated, and shell‑profile injection as a fallback.
  • Evasion includes timestamp manipulation to hide creation/modification times of artefacts.
  • Apple revoked the notarisation after disclosure; Jamf published IoCs to help detection and hunting.
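As an added example (not code from Jamf, the article or the malware itself), a small Python triage script that checks the three persistence locations and the backdated-timestamp trick listed above; every path, threshold and sample artefact in it is a constructed assumption, not an IoC from the report.

```python
# Added example, not Jamf's or the article's code: hunt for the launchd and shell-profile
# persistence and the backdated timestamps described above. Paths/heuristics are assumptions.
import os, plistlib, tempfile, time

USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SHELL_PROFILES = (".zshrc", ".zprofile", ".bash_profile", ".bashrc", ".profile")

def backdated(path, slack=24 * 3600):
    # touch -t rewrites mtime but the kernel still stamps ctime with the real time of
    # that change, so mtime sitting far behind ctime is a cheap timestomp indicator.
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack

def check_launch_items(dirs):  # LaunchAgents/LaunchDaemons folders, live host or image
    findings = []
    for d in filter(os.path.isdir, dirs):
        for path in sorted(os.path.join(d, n) for n in os.listdir(d) if n.endswith(".plist")):
            try:
                with open(path, "rb") as f:
                    args = plistlib.load(f).get("ProgramArguments") or []
            except Exception:
                findings.append((path, "unparseable plist"))
                continue
            if any(str(a).startswith(USER_WRITABLE) for a in args):
                findings.append((path, "launches from user-writable path"))
            if backdated(path):
                findings.append((path, "mtime backdated relative to ctime"))
    return findings

def check_shell_profiles(home):  # non-comment lines that background a user-writable binary
    findings = []
    for path in filter(os.path.isfile, (os.path.join(home, n) for n in SHELL_PROFILES)):
        with open(path, errors="replace") as f:
            for no, s in enumerate((line.strip() for line in f), 1):
                if s and s[0] != "#" and any(p in s for p in USER_WRITABLE) and (s.endswith("&") or s.startswith("nohup ")):
                    findings.append((f"{path}:{no}", "profile launches user-writable binary"))
    return findings

def demo():  # constructed sample, not real artefacts: backdated applet agent + injected .zshrc line
    root = tempfile.mkdtemp()
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    bad = os.path.join(agents, "com.example.applet.plist")
    with open(bad, "wb") as f:
        plistlib.dump({"Label": "com.example.applet", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/victim/Library/applet.app/Contents/MacOS/applet"]}, f)
    os.utime(bad, (time.time() - 4 * 365 * 86400,) * 2)  # backdate mtime; ctime stays 'now'
    with open(os.path.join(root, ".zshrc"), "w") as f:
        f.write("export PATH=$HOME/bin:$PATH\nnohup /Users/victim/Library/applet.app/Contents/MacOS/applet &\n")
    return check_launch_items([agents]) + check_shell_profiles(root)
```

On a live Mac, point check_launch_items at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and check_shell_profiles at each home directory; the ctime/mtime gap is a triage hint to confirm against backups or MDM inventory, not proof on its own.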

Why should I read this?

Short and blunt: if you manage Macs or work in endpoint security, read this now. ChillyHell shows that attackers can slip past notarisation, embed uncommon tricks such as timestamp tampering, and even brute-force local passwords; this is not your average Mac malware. Jamf’s IoCs give you something actionable to hunt with, so it is worth a quick scan and a couple of checks on your fleet.

Context and Relevance

macOS is an increasingly attractive target, and this resurgence underlines that notarisation is not a guarantee of safety. The combination of a modular design, multiple persistence paths and on‑host password cracking raises the threat level for enterprises running macOS. The report is timely for defenders building detection and response playbooks, and it reinforces the need for least privilege, endpoint monitoring and strict controls on software installation.

Source

Source: https://www.darkreading.com/endpoint-security/dormant-macos-backdoor-chillyhell-resurfaces