Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

macOS RATs, trojans and cryptojacking: what changed in 2018?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: macOS in 2018 saw a sharp rise in RAT-based malware, trojanised apps, cryptojacking and phishing-led wallet theft, with Empyre used in several variants and approved or trusted channels abused to bypass built-in protections, according to SentinelOne. The pattern shows that platform trust, not just exploit sophistication, is the weak point.

NHIMG editorial — based on content published by SentinelOne: macOS malware trends in 2018 and the rise of RAT-based attacks

Questions worth separating out

Q: What breaks when macOS users trust signed or approved software by default?

A: Default trust breaks when attackers use signed installers, app store distribution, or user-approved tools to gain persistence and remote control.

Q: Why do macOS malware campaigns often become an identity and access problem?

A: Because many campaigns abuse session authority, user approval, or privileged execution to reach their objective.

Q: What do security teams get wrong about cryptojacking on endpoints?

A: They often treat cryptojacking as a nuisance rather than a sign of broader trust abuse.

Practitioner guidance

  • Inventory trusted macOS execution paths Map the installers, app store sources, LaunchAgents, LaunchDaemons and Automator workflows that can create persistence or remote control on managed Macs.
  • Monitor for post-install behaviour changes Alert on signed or user-approved software that suddenly opens outbound command channels, takes screenshots, writes to persistence locations, or spawns shells.
  • Tighten user approval and elevation controls Reduce the number of workflows where a user can bless elevated execution for a tool claimed to solve a problem.

What's in the full article

SentinelOne's full analysis covers the malware families, persistence mechanisms and campaign details this post intentionally leaves at a higher level.

  • Family-by-family examples of macOS RATs, including how each one establishes persistence and command and control.
  • Campaign descriptions for AppleJeus, WindShift and other 2018 cases, including infection paths and payload behaviour.
  • Hands-on defensive guidance for detecting Automator-based trojans, LaunchAgent abuse and reverse-shell activity.
  • Context on how cryptomining, spyware and phishing campaigns converged on the macOS platform during the year.

👉 Read SentinelOne's full review of macOS malware trends in 2018 →

macOS RATs, trojans and cryptojacking: what changed in 2018?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Platform trust is the core weakness in macOS malware campaigns. The 2018 cases show that attackers do not need to beat every control if they can inherit trust from signatures, approved stores, or user action. That shifts the security problem from simple malware detection to governance of execution trust, provenance, and privilege boundaries. For practitioners, the lesson is that trust decisions must be continuously verified, not assumed.

A question worth separating out:

Q: How should organisations respond when malware gains persistent macOS access?

A: Contain the endpoint, revoke any related user sessions or tokens, and review whether the malware used LaunchAgents, LaunchDaemons, or other persistent launch paths. Then identify what trusted execution decision allowed the payload to run. Containment should cover both the device and any identity or access artefacts exposed during the compromise.

👉 Read our full editorial: macOS malware in 2018 exposed RAT and supply chain risks



   
ReplyQuote
Share: