
CyberWire Daily When macOS gets frostbite. [Research Saturday]
Dec 6, 2025
Jaron Bradley, Director of Jamf Threat Labs and macOS security expert, dives into the chilling world of ChillyHell, a newly discovered backdoor for macOS. He discusses how this modular malware, disguised as legitimate software, employs robust host profiling and clever stealth techniques, including timestomping to evade detection. With impressive capabilities like self-updating and brute-force attacks, ChillyHell represents a serious threat as it gains traction in enterprise environments. Jaron emphasizes the need for heightened security awareness among Mac users.
Episode notes
Modular macOS Backdoor
- ChillyHell is a C++ backdoor built to give persistent, stealthy access on macOS systems.
- Its strings and design make it obvious to reverse engineers but still effective operationally.
Signed And Notarized Malware Slips In
- The backdoor was developer-signed and notarized by Apple, which reduced suspicion.
- Notarization can be revoked, but signed/notarized malware can slip through and persist unnoticed.
Blends With System Artefacts
- ChillyHell profiles hosts and names files to blend with legitimate macOS services.
- It timestomps its persistence items, rewriting their file timestamps to reduce forensic visibility.
