CHILLYHELL
ChillyHell is a modular macOS backdoor targeting Apple systems, particularly Intel-based Macs. It has been active since at least 2021 and was first publicly documented by Mandiant in 2023. The malware is written in C++ and has been linked to UNC4487, a threat cluster that Mandiant assessed as a suspected espionage actor and that was previously observed compromising Ukrainian government-related websites, including a Ukrainian auto insurance website used by government officials, to socially engineer victims into executing malware such as Matanbuchus or ChillyHell.
Once executed, ChillyHell profiles the compromised host, establishes persistence, and initiates command-and-control communications with hard-coded servers over HTTP or DNS. Reported C2 IPs include 93.88.75[.]252 and 148.72.172[.]53. Persistence mechanisms include LaunchAgent installation, LaunchDaemon installation, and shell profile injection (modification of .zshrc, .bash_profile, and .profile). The malware then enters a command loop and supports multiple post-compromise actions, including providing remote shell or command-line access, downloading updated versions of itself, fetching and dropping additional payloads, extracting local usernames, and conducting password brute-force activity. One module, ModuleSUBF, enumerates user accounts from /etc/passwd and performs brute-force attacks using a password list retrieved from the C2 server.
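The three persistence paths named above (LaunchAgent, LaunchDaemon, shell profile injection) leave artifacts a defender can review offline. The following is an added example, not code from the page or from any vendor report: it parses a launchd job definition with the standard-library plistlib and scans a shell profile for the shapes that injection typically takes. The plist content, the `~/.zshrc` content and the file paths in them are constructed for the example; the only real values are the two C2 addresses reported on this page.

```python
"""Added hunting helpers for macOS persistence artifacts.

All sample inputs below are constructed for illustration; they are not
taken from real ChillyHell samples. Replace KNOWN_C2_IPS with your own
intel feed and point the functions at the real files from your hosts.
"""
import plistlib
import re
from typing import List

# C2 addresses reported for this family on the page (defanged there).
KNOWN_C2_IPS = {"93.88.75.252", "148.72.172.53"}

# Locations a launchd job legitimately runs from. Executables elsewhere
# (home directories, /tmp, hidden folders) deserve a closer look.
TRUSTED_PREFIXES = (
    "/usr/", "/bin/", "/sbin/", "/System/", "/Applications/",
    "/Library/Apple/", "/opt/homebrew/",
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Paths commonly used to stash a payload launched from a shell profile.
SUSPICIOUS_PATH_RE = re.compile(r"(/tmp/|/var/tmp/|\$HOME/\.|~/\.|/Users/[^/\s]+/\.)")


def review_launchd_plist(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent/LaunchDaemon plist."""
    job = plistlib.loads(plist_bytes)
    findings: List[str] = []
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    if not program:
        findings.append("no Program/ProgramArguments")
    elif not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside trusted dirs: {program}")
    if "/." in program:
        findings.append(f"executable in hidden directory: {program}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive (job restarts if killed)")
    for token in args:
        if IPV4_RE.fullmatch(token) and token in KNOWN_C2_IPS:
            findings.append(f"known C2 address in arguments: {token}")
    return findings


def review_shell_profile(text: str) -> List[str]:
    """Flag profile lines that reference known C2 IPs or background-launch
    something from a temp or hidden path (classic injection shape)."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for ip in IPV4_RE.findall(stripped):
            if ip in KNOWN_C2_IPS:
                findings.append(f"line {lineno}: known C2 address {ip}")
        backgrounded = stripped.endswith("&") or "nohup" in stripped
        if backgrounded and SUSPICIOUS_PATH_RE.search(stripped):
            findings.append(f"line {lineno}: background launch from temp/hidden path")
    return findings


# --- constructed samples -------------------------------------------------
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/.cache/updater</string>
<string>148.72.172.53</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.example.ok</string>'
                b'<key>ProgramArguments</key><array><string>/usr/bin/true</string></array>'
                b'<key>RunAtLoad</key><true/></dict></plist>')

SAMPLE_ZSHRC = """# constructed ~/.zshrc with an injected last line
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup $HOME/.cache/.sysd 93.88.75.252 >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in review_launchd_plist(SAMPLE_PLIST) + review_shell_profile(SAMPLE_ZSHRC):
        print(f)
```

On a live host the inputs would be every plist under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` plus each user's `.zshrc`, `.bash_profile` and `.profile`; the heuristics are deliberately loose and meant to shortlist files for an analyst, not to replace signature matching.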
ChillyHell uses several evasion and stealth techniques. It timestomps the artifacts it creates so that they appear older, falling back to the shell touch command if direct timestamp modification fails. It also changes or shifts its communication methods with control servers to avoid detection. Researchers reported that it can open a decoy Google.com page in the default browser to reduce user suspicion. The malware evaded detection for years; one sample uploaded to VirusTotal on May 2, 2025 reportedly had zero detections at the time of reporting.
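Timestomping of the kind described above, whether done through a direct API call or via `touch -t`, only rewrites the access and modification times; the inode change time (ctime) is set by the kernel at the moment of that rewrite, and on APFS the birth time is likewise untouched. A file whose modification time is far older than its ctime, or older than its birth time, is therefore worth a look. The following added example (not code from the page or from any vendor) implements that check and builds its own scratch directory with one backdated file so it can be run anywhere; the directory, file names and three-year offset are constructed for the demonstration.

```python
"""Added example: flag files whose mtime predates their ctime or birth time,
the residue left when touch/utimes is used to backdate an artifact."""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    birthtime: Optional[float]
    reason: str


def timestomp_findings(root: str, skew_seconds: float = 300.0) -> List[Finding]:
    """Walk `root` and report files whose content timestamp is older than the
    timestamps the kernel controls. `skew_seconds` absorbs normal jitter."""
    out: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            birth = getattr(st, "st_birthtime", None)  # present on macOS, absent on Linux
            if birth is not None and st.st_mtime + skew_seconds < birth:
                # Impossible naturally: a file cannot be modified before it exists.
                out.append(Finding(path, st.st_mtime, st.st_ctime, birth,
                                   "mtime predates birth time"))
            elif st.st_mtime + skew_seconds < st.st_ctime:
                # Metadata was rewritten long after the content timestamp claims.
                out.append(Finding(path, st.st_mtime, st.st_ctime, birth,
                                   "mtime older than ctime"))
    return out


def demo() -> dict:
    """Create a scratch directory with one normal and one backdated file
    (constructed input) and return what the scanner flags."""
    root = tempfile.mkdtemp(prefix="stomp-demo-")
    normal = os.path.join(root, "normal.txt")
    stomped = os.path.join(root, "stomped.txt")
    for p in (normal, stomped):
        with open(p, "w") as fh:
            fh.write("x")
    three_years_ago = time.time() - 3 * 365 * 86400
    os.utime(stomped, (three_years_ago, three_years_ago))  # same effect as touch -t
    flagged = {f.path: f.reason for f in timestomp_findings(root)}
    return {"root": root, "normal": normal, "stomped": stomped, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    for path, reason in result["flagged"].items():
        print(f"{reason}: {path}")
```

The mtime-versus-ctime test is a triage filter rather than a verdict: `cp -p`, `rsync -a`, archive extraction and package installs all preserve an old mtime on a freshly created inode. The birth-time comparison is the stronger signal on APFS, and both become far more meaningful when run over the persistence locations named earlier (LaunchAgents, LaunchDaemons and shell profiles) rather than the whole disk.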
A notable aspect of ChillyHell is that malicious samples were developer-signed and passed Apple notarization in 2021, with one malicious file publicly hosted on Dropbox since 2021. Jamf reported renewed activity in 2025 and assessed the malware was still evolving. Apple later revoked the developer certificates associated with the malware after notification. The full scope of deployment is unknown, but reporting describes ChillyHell as used in targeted attacks and as likely the work of a cybercrime group, while other reporting ties it to UNC4487.
Groups observed using it
1 distinct threat actor attributed by public researchers.
A dormant macOS threat is showing signs of new life, according to a report from cybersecurity firm Jamf. The company has been closely monitoring a macOS backdoor named ChillyHell, which has been active since 2021.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.
Execution
2 techniques
connecting to a remote server to give the attacker a command line to control the computer
UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.
Persistence
3 techniques
To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon.
Privilege Escalation
3 techniques
To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon.
Stealth
2 techniques
to stay hidden from the user, the malware opens a decoy Google.com page in a browser, which can minimise suspicion.
A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.
Credential Access
1 technique
run a module named ModuleSUBF to enumerate user accounts from "/etc/passwd" and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.
Discovery
2 techniques
Command and Control
4 techniques
Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server ... over HTTP or DNS
CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address
CHILLYHELL supports a wide range of commands that allow it to ... download a new version of the malware, fetch additional payloads
it could be used for remote access... connecting to a remote server to give the attacker a command line to control the computer
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Modular macOS backdoor written in C++ for Intel architectures (per excerpt).
A modular backdoor targeting macOS, providing attackers with persistent access and modular capabilities.
A modular backdoor targeting macOS systems, providing persistent unauthorized access and modular functionality for attackers.
A modular macOS backdoor that can bypass security checks, remain hidden, establish persistence via LaunchAgent, LaunchDaemon, and shell profile injection, provide remote command-line access, drop additional payloads, and crack user passwords. It also used timestomping, altered C2 communications, opened a decoy Google.com page to reduce suspicion, and was able to pass Apple notarization.