Janicab
Janicab is malware observed on macOS that was signed with a valid Apple Developer ID to bypass security restrictions. Reported capabilities include capturing screenshots and recording audio from the compromised host, with the collected data sent to a command-and-control server. A new Janicab variant was identified in 2020 targeting legal entities in the Middle East. High-confidence behaviors directly mentioned in the source include screenshot capture, audio capture, C2 exfiltration of collected data, and abuse of legitimate code signing for defense evasion.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
we identified a new Janicab variant used in targeting legal entities in the Middle East during 2020
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniquePersistence
1 techniquePrivilege Escalation
1 techniqueDefense Impairment
1 techniqueThe content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Collection
2 techniques"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cross-platform (macOS/Windows) malware family; new variant observed in DeathStalker intrusions with a VBS-based final-stage implant and embedded/obfuscated tooling in the dropper.
Janicab used a valid Apple Developer ID to bypass macOS security restrictions.
Backdoor that captures audio and exfiltrates it to command-and-control infrastructure.
Backdoor that captures screenshots and exfiltrates them to C2.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.