WAVESHAPER functioned as the initial backdoor, establishing remote access and enabling delivery of further payloads. HYPERCALL operated as a downloader, retrieving secondary components such as HIDDENCALL, which provided additional command-execution capabilities. This staged deployment let the threat actor expand control over the compromised macOS host in phases rather than dropping a single large payload.
DEEPBREATH, a Swift-based infostealer, focused on harvesting sensitive data from the host. According to the researchers, it manipulated Apple's Transparency, Consent, and Control (TCC) framework to access protected resources without prompting the user, which enabled collection of browser data, keychain material, and messaging content. CHROMEPUSH, meanwhile, targeted browser environments, including session cookies and authentication tokens.
The researchers also observed abuse of macOS security mechanisms, including functionality in Apple's XProtect. Instead of disabling protections outright, the malware relied on trusted system components and expected system behaviour to reduce its visibility to detection.



