Red Hot Cyber
The ChillyHell backdoor returns to threaten macOS systems.

Redazione RHC : 15 September 2025 07:39

Researchers have reported renewed activity from ChillyHell, a modular macOS backdoor that was assumed to have gone dormant years ago but appears instead to have been quietly infecting machines the whole time. A sample was uploaded to VirusTotal in May 2025, while traces of its activity date back to at least 2021.

ChillyHell is written in C++ and is compiled for Intel (x86_64) Macs. Mandiant first documented it in 2023 and attributed it to the group it tracks as UNC4487, which had compromised a Ukrainian car-insurance website used by government employees to book travel. Despite Mandiant’s publication, the sample itself was not flagged as malicious at the time, so it kept spreading undetected by antivirus engines.

Most alarmingly, the recovered copy was signed with a developer certificate and notarized by Apple in 2021. Jamf Threat Labs researchers Ferdous Saljuki and Maggie Zirnhelt noted that its functionality almost completely matches the previously described sample. The file had also been freely available in a public Dropbox folder for four years and could infect systems throughout that time while macOS treated it as trusted software.

It is unknown how widespread ChillyHell is. According to Jaron Bradley, head of Jamf Threat Labs, it is “impossible to say” how many systems were affected. Based on the backdoor’s architecture, the analysts lean towards it having been built by a criminal group and used in targeted intrusions rather than mass campaigns. Apple has since revoked the developer certificates associated with ChillyHell.

The backdoor has three persistence mechanisms. When launched with ordinary user privileges it installs itself as a LaunchAgent; when launched with elevated privileges it installs itself as a LaunchDaemon. As a fallback it appends a launch command to the user’s shell start-up files (.zshrc, .bash_profile, or .profile), so that ChillyHell is started again with every new terminal session.

To stay hidden it uses timestomping, a tactic rarely seen on macOS, in which the malicious files are given timestamps matching legitimate objects so they do not stand out in a directory listing. ChillyHell can also switch between command-and-control protocols, which makes network-based detection considerably harder.
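A hunt for the artefacts described in the two paragraphs above, added here as an example (it is not Jamf’s code and not the malware’s). It parses LaunchAgent/LaunchDaemon plists for jobs that start a program from outside the usual system and application directories, scans the three shell start-up files for lines that execute something from a temporary or hidden directory, and checks each referenced binary for timestomping: `touch -t` can rewrite mtime and atime but not ctime (nor the APFS birth time), so a modification time far older than ctime, or earlier than the birth time, is suspect. The trusted path prefixes, the rc-file regex, the 24-hour skew threshold and everything produced by `build_demo()` are assumptions constructed for this demo, not indicators taken from the real sample.

```python
"""Hunt for ChillyHell-style persistence and timestomping artefacts.

Added example, not Jamf's or the malware's code. TRUSTED_PREFIXES, the rc-file
regex, the skew threshold and the build_demo() artefacts are assumptions.
"""
import json
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path

# Where a launchd job may legitimately point its program (assumption; tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Shell start-up files the backdoor is reported to append to.
RC_FILES = (".zshrc", ".bash_profile", ".profile")
# A command run from /tmp, /var/tmp or a hidden directory under the home (assumption).
SUSPICIOUS_EXEC = re.compile(
    r"(?:^|[\s;&|])(?:/private)?(?:/tmp|/var/tmp|\$HOME/\.[^/\s]+|~/\.[^/\s]+|/Users/[^/\s]+/\.[^/\s]+)/\S+")


def launchd_findings(plist_dir: Path) -> list:
    """Flag launchd jobs whose program lives outside TRUSTED_PREFIXES."""
    findings = []
    for plist in sorted(plist_dir.glob("*.plist")):
        try:
            job = plistlib.loads(plist.read_bytes())
        except Exception:  # a plist launchd cannot parse is itself worth a look
            findings.append({"file": str(plist), "reason": "unparseable plist"})
            continue
        program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
        if program and not program.startswith(TRUSTED_PREFIXES):
            findings.append({"file": str(plist), "label": job.get("Label"),
                             "program": program, "run_at_load": bool(job.get("RunAtLoad"))})
    return findings


def rc_findings(home: Path) -> list:
    """Flag shell start-up lines that execute a binary from a temp or hidden directory."""
    findings = []
    for name in RC_FILES:
        rc = home / name
        if not rc.is_file():
            continue
        for lineno, line in enumerate(rc.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            if not stripped.startswith("#") and SUSPICIOUS_EXEC.search(stripped):
                findings.append({"file": str(rc), "line": lineno, "text": stripped})
    return findings


def timestomp_findings(paths, max_skew=86400) -> list:
    """mtime far older than ctime (which touch cannot set), or older than the
    birth time on macOS, indicates the visible timestamps were backdated."""
    findings = []
    for p in paths:
        st = os.stat(p)
        birth = getattr(st, "st_birthtime", None)  # present on macOS, absent on Linux
        if st.st_ctime - st.st_mtime > max_skew:
            findings.append({"file": str(p), "reason": "mtime older than ctime by %d s" % (st.st_ctime - st.st_mtime)})
        elif birth is not None and st.st_mtime < birth - 1:
            findings.append({"file": str(p), "reason": "mtime predates birth time"})
    return findings


def run_hunt(home: Path, extra_plist_dirs=()) -> dict:
    """Run all three checks for one user; when running as root also pass
    /Library/LaunchDaemons and /Library/LaunchAgents in extra_plist_dirs."""
    plist_dirs = [home / "Library" / "LaunchAgents", *map(Path, extra_plist_dirs)]
    launchd = [f for d in plist_dirs if d.is_dir() for f in launchd_findings(d)]
    referenced = [Path(f["program"]) for f in launchd if f.get("program") and Path(f["program"]).exists()]
    return {"launchd": launchd, "rc": rc_findings(home), "timestomp": timestomp_findings(referenced)}


def build_demo() -> Path:
    """Constructed sample home directory (not real ChillyHell files) so the hunt runs offline."""
    home = Path(tempfile.mkdtemp(prefix="chillyhell_demo_")) / "Users" / "alice"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    hidden_bin = home / ".cache" / "updater"  # assumed hidden drop location
    hidden_bin.parent.mkdir(parents=True)
    hidden_bin.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic only, not a real binary
    (agents / "com.example.updater.plist").write_bytes(plistlib.dumps(
        {"Label": "com.example.updater", "ProgramArguments": [str(hidden_bin)], "RunAtLoad": True}))
    (agents / "com.apple.legit.plist").write_bytes(plistlib.dumps(
        {"Label": "com.apple.legit", "Program": "/usr/bin/true"}))
    (home / ".zshrc").write_text("export PATH=$HOME/bin:$PATH\n$HOME/.cache/updater >/dev/null 2>&1 &\n")
    # Emulate `touch -t 202101010000`: mtime/atime go back to 2021, ctime stays now.
    old = time.mktime((2021, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(hidden_bin, (old, old))
    return home


if __name__ == "__main__":
    print(json.dumps(run_hunt(build_demo()), indent=2))
```

Run it as-is to see the three findings on the constructed data, or call `run_hunt(Path.home(), ["/Library/LaunchDaemons", "/Library/LaunchAgents"])` on a real Mac. The ctime/mtime skew check has a known benign trigger: files restored or copied with preserved timestamps (`cp -p`, backup restores, package installs) also show an old mtime next to a fresh ctime, so treat it as a lead to correlate with the launchd and rc-file hits rather than a verdict on its own.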

The modular architecture lets the operators extend functionality after deployment. The backdoor can update itself, install additional components, run brute-force attacks, harvest local usernames for later password guessing, and start credential theft. That combination makes it a convenient platform for follow-on attacks and long-term presence on a system.

The researchers emphasize that the combination of persistence mechanisms, the variety of communication protocols, and the modular design make ChillyHell an extremely flexible tool. They also note that it passed Apple’s notarization process, showing that a valid signature and notarization ticket are not proof that a file is benign.
