New ‘Cuckoo’ Persistent macOS Spyware Targeting Intel and Arm Macs

New ‘Cuckoo’ Persistent macOS Spyware Targeting Intel and Arm Macs

Cybersecurity researchers have discovered a new information stealer targeting Apple macOS systems that’s designed to set up persistence on the infected hosts and act as a spyware.

The disk image file downloaded from the websites is responsible for spawning a bash shell to gather host information and ensuring that the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine. The malicious binary is executed only if the locale check is successful.

It also establishes persistence by means of a LaunchAgent, a technique previously adopted by different malware families like RustBucket, XLoader, JaskaGO, and a macOS backdoor that shares overlaps with ZuRu.

Cuckoo, like the MacStealer macOS stealer malware, also leverages osascript to display a fake password prompt to trick users into entering their system passwords for privilege escalation.

“This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system,” researchers Adam Kohler and Christopher Lopez said.


The disclosure comes nearly a month after the Apple device management company also exposed another stealer malware codenamed CloudChat that masquerades as a privacy-oriented messaging app and is capable of compromising macOS users whose IP addresses do not geolocate to China.

It also follows the discovery of a new variant of the notorious AdLoad malware written in Go called Rload (aka Lador) that’s engineered to evade the Apple XProtect malware signature list and is compiled solely for Intel x86_64 architecture.

“The binaries function as initial droppers for the next stage payload,” SentinelOne security researcher Phil Stokes said in a report last week, adding the specific distribution methods remain presently obscure.

That having said, these droppers have been observed typically embedded in cracked or trojanized apps distributed by malicious websites.