MacMa
MacMa is a macOS backdoor/implant also referred to in the provided content as DazzleSpy and OSX.CDDS. The content describes it as a cyber-espionage-focused macOS malware family with multiple versions (including v2.0 to v2.1) and links it to Daggerfly through overlapping command-and-control infrastructure and shared libraries with other unique tools. It has also been discussed by Google as “Macma” and by Objective-See as “OSX.CDDS.”
Capabilities directly mentioned in the content include collecting the username from the compromised machine; recording audio; capturing the user’s screen and open windows using Apple Core Graphics APIs such as CGWindowListCreateImageFromArray; intercepting keystrokes using Core Graphics Event Taps and saving them to text files, including from Spotlight, Finder, Safari, Mail, and Messages; exfiltrating data from a supplied path over its C2 channel; storing collected files locally before exfiltration; and creating or modifying file timestamps for anti-forensics. The malware uses TLS encryption to initialize a custom protocol for command-and-control communications and also uses a custom JSON-based C2 protocol. One source in the content states MacMa has used TCP port 5633 for C2 communication.
For persistence on macOS, MacMa installs a LaunchAgent plist named com.apple.softwareupdate.plist in a LaunchAgents folder with RunAtLoad set to true. Some variants include LimitLoadToSessionType set to Aqua so the malware runs only when a GUI user is logged in. The content states that upon user login, MacMa executes from /var/root/.local/softwareupdate with root privileges. Likely artifacts mentioned in the content include /var/root/Library/LaunchAgents/com.apple.softwareupdate.plist and /var/root/.local/, or alternatively ~/Library/LaunchAgents/com.apple.softwareupdate.plist and ~/.local/. MacMa has also been delivered using ad hoc Apple Developer code-signing certificates.
The content associates MacMa/DazzleSpy activity with watering-hole attacks against pro-democracy websites in China. In the DazzleSpy reporting cited in the content, the infection chain used CVE-2021-1789 in WebKit for initial code execution and CVE-2021-30869 for privilege escalation to root on macOS. The resulting payload was described as a full-featured backdoor capable of arbitrary command execution, remote screen viewing, file download, keychain theft, and synthetic mouse clicks. The content further notes that DazzleSpy and CDDS/Macma used the same two vulnerabilities and the same tactic of compromising pro-democracy websites in China, while also stating they are different malware families with different code, capabilities, and installation layouts. Attribution in the content is not definitive, but it states DazzleSpy was likely created by the same operators as CDDS/Macma and assesses Chinese government involvement as likely based on targeting patterns.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
This led to the in-memory execution of native Mac code, which exploits CVE-2021-30869 to gain root privileges. With this high level of privileges, the malware drops its payload onto the machine. | DazzleSpy, a piece of malware that attacks macOS, was discovered last fall by researchers at ESET... The new malware got a foothold via CVE-2021-1789... exploits CVE-2021-30869 to gain root privileges... That payload is a very full-featured backdoor, providing the attacker the capability to run any arbitrary command on the infected Mac, start a remote screen viewing session, download files from the Mac, steal the keychain, send synthetic mouse clicks, etc.
DazzleSpy, a piece of malware that attacks macOS, was discovered last fall by researchers at ESET... The new malware got a foothold via CVE-2021-1789... exploits CVE-2021-30869 to gain root privileges... That payload is a very full-featured backdoor, providing the attacker the capability to run any arbitrary command on the infected Mac, start a remote screen viewing session, download files from the Mac, steal the keychain, send synthetic mouse clicks, etc. | The new malware got a foothold via CVE-2021-1789, exploited via a JavaScript file named mac.js loaded by the malicious site. This led to the in-memory execution of native Mac code, which exploits CVE-2021-30869 to gain root privileges.
keychain: Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public KeySteal implementation is used.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Google labelled the backdoor “Macma”… Objective-See (under the name “OSX.CDDS”)… we take a deeper dive into macOS.Macma…
Daggerfly is linked to the use and potentially development of MacMa through overlapping command and control infrastructure and shared libraries with other unique tools.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
It infected machines using a combination of two vulnerabilities, one in WebKit (the framework that powers Safari) and one in macOS (a privilege escalation vulnerability). | DazzleSpy, according to the researchers at ESET, was being spread via watering hole attacks via pro-democracy websites in China.
Execution
2 techniques
Execution
Persistence
2 techniques
Persistence
Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
The items you’re most likely to see are: /var/root/Library/LaunchAgents/com.apple.softwareupdate.plist ... However, it’s also possible the malware could get dropped into the user folder, in which case you’ll see these paths instead: ~/Library/LaunchAgents/com.apple.softwareupdate.plist
Privilege Escalation
3 techniques
Privilege Escalation
This led to the in-memory execution of native Mac code, which exploits CVE-2021-30869 to gain root privileges.
Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
The items you’re most likely to see are: /var/root/Library/LaunchAgents/com.apple.softwareupdate.plist ... However, it’s also possible the malware could get dropped into the user folder, in which case you’ll see these paths instead: ~/Library/LaunchAgents/com.apple.softwareupdate.plist
Stealth
4 techniques
Stealth
Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in. Komplex creates a persistent launch agent called ... com.apple.updates.plist. MacMa installs a com.apple.softwareupdate.plist file in the /LaunchAgents folder.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Defense Impairment
1 technique
Defense Impairment
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Credential Access
4 techniques
Credential Access
That payload is a very full-featured backdoor, providing the attacker the capability to... send synthetic mouse clicks...
Discovery
5 techniques
Discovery
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection
7 techniques
Collection
That payload is a very full-featured backdoor, providing the attacker the capability to... download files from the Mac...
That payload is a very full-featured backdoor, providing the attacker the capability to... send synthetic mouse clicks...
Command and Control
3 techniques
Command and Control
Exfiltration
1 technique
Exfiltration
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
42 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MACMA is a backdoor malware for Apple macOS, distributed via watering hole attacks by Evasive Panda. Details on its specific capabilities are not provided in this content.
A macOS implant referenced as Evasive Panda’s macOS counterpart to MgBot; mentioned in the context of tailoring payload delivery based on OS version.
... MacMa ... (v2.0→v2.1) ...
MacMa (v2.0→v2.1)
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.