Welcome to the Kandji Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Kandji is responding in real time. In each edition, we break down key threat discoveries and the protections we’ve deployed to keep customer devices secure.
Endpoint Detection & Response
Kandji EDR is built to detect threats before they go mainstream. By combining behavioral detections with insights from our own vulnerability research, we’re able to protect customers from exploitation—even before public disclosures or patches become available. Our detection engineers monitor macOS-specific tactics closely, deploying proactive safeguards to catch both known and emerging threats.
Exploiting New macOS Vulns
Detection: Kandji Principal Security Researcher Csaba Fitzl has 41 vulnerabilities pending with Apple; some have already been accepted and formally noted.
Response: Kandji EDR has you covered with proprietary protections against exploitation of these vulnerabilities.
Atomic Stealer (AMOS) Strikes Again
Detection: Since our first write-up a year ago, we’ve been constantly fighting the evolving threat AMOS (Atomic Stealer).
Response: This quarter, our advanced techniques picked up 100+ new artifacts, the majority of which had low detection rates in VirusTotal.
PasivRobber Emerges
Detection: We pulled on a thread that unraveled into PasivRobber, a massive suite designed to quietly collect data from macOS browsers, email clients, and even apps like WeChat.
Response: Despite the malware’s use of deceptive file names and version-specific evasion tactics, our detection engineers quickly developed coverage tailored to its unique behavior. This keeps customer devices protected from day one.
Be Wary Of The Password Prompt
Detection: Our behavioral detections flagged an uptick in the use of osascript to trigger password prompts—a tactic often used by macOS malware to trick users into entering credentials under the appearance of a legitimate system request.
Response: Admins and analysts should investigate these behavioral detections closely and ensure nothing is amiss. This technique relies on user trust, so even small anomalies may signal a broader compromise.
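To make the triage described above concrete, here is an added example (not Kandji's detection logic, and not code from the report) that scores process-execution records for osascript invocations that look like credential prompts. The event records, field names, weights and threshold are all constructed assumptions for illustration; real EDR telemetry will differ.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process events; these are not logs from any real fleet.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "/tmp/.cache/update",
     "cmdline": "osascript -e 'display dialog \"System needs your password to continue\" "
                "default answer \"\" with hidden answer'"},
    {"pid": 4102, "parent": "/Applications/Backup.app/Contents/MacOS/Backup",
     "cmdline": "osascript -e 'display notification \"Backup complete\"'"},
    {"pid": 4103, "parent": "/bin/bash",
     "cmdline": "/usr/bin/osascript /Users/Shared/run.scpt"},
    {"pid": 4104, "parent": "/usr/bin/login", "cmdline": "ls -la /tmp"},
]

# Weighted signals; a dialog that hides typed input is the strongest indicator of a fake prompt
SIGNALS = [
    (re.compile(r"with hidden answer", re.I), 60, "dialog masks typed input"),
    (re.compile(r"display dialog", re.I), 20, "interactive dialog shown"),
    (re.compile(r"default answer", re.I), 15, "dialog has a text field"),
    (re.compile(r"password|passcode|credential", re.I), 20, "credential wording in prompt"),
    (re.compile(r"with icon (caution|stop)|with title", re.I), 5, "styled like a system prompt"),
]
SUSPICIOUS_PARENT_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/")

@dataclass
class Finding:
    pid: int
    score: int
    reasons: list

def is_osascript(cmdline: str) -> bool:
    tokens = cmdline.split()
    return bool(tokens) and tokens[0].rsplit("/", 1)[-1] == "osascript"

def score_event(event: dict) -> Optional[Finding]:
    cmd = event["cmdline"]
    if not is_osascript(cmd):
        return None
    score, reasons = 0, []
    for pattern, weight, why in SIGNALS:
        if pattern.search(cmd):
            score, reasons = score + weight, reasons + [why]
    # Script supplied as a file: its body is not visible in the command line, so it needs review
    if "-e" not in cmd.split() and re.search(r"\S+\.(scpt|applescript|js)\b", cmd):
        score, reasons = score + 25, reasons + ["script body in external file; review its contents"]
    if event.get("parent", "").startswith(SUSPICIOUS_PARENT_DIRS):
        score, reasons = score + 20, reasons + ["launched from a writable temp/shared path"]
    return Finding(event["pid"], score, reasons) if score else None

def triage(events, threshold: int = 50):
    return [f for f in map(score_event, events) if f and f.score >= threshold]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid}: score {f.score}: " + "; ".join(f.reasons))
```

Events below the threshold (such as the external script file in the sample) still return a Finding so an analyst can pull them into a lower-priority review queue.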
Vulnerability Management
Kandji Vulnerability Management helps teams stay ahead of risk by identifying gaps before attackers can exploit them. In addition to third-party applications, we now surface vulnerabilities in macOS itself—giving IT and security teams a complete picture of exposure across their fleets. Because new exploits often emerge right after a patch is released, timely visibility and remediation are critical.
Our Research Strengthens Kandji, Too
Detection: Kandji researchers, working closely with Principal macOS Software Engineer Nolan Astrein, discovered a macOS vulnerability that could allow apps to access sensitive user data.
Response: While we rolled out detections, Nolan hardened our Swift-native Agent. This finding helped protect all devices running Kandji—another way we’re building security right into the platform.
CVE-2024-30165 – AWS VPN Targeted
Detection: Researchers ensured we had detection coverage for CVE-2024-30165, despite the NVD record still awaiting analysis by NIST. This vulnerability in the Amazon AWS Client VPN allows arbitrary commands to be executed with elevated privileges.
Response: Vulnerability Management already has you covered, proactively, while NVD analysis is still in progress.
WebKit Vulnerability Goes Beyond Safari
Detection: Shwena Kak and Candace Jensen published a finding on how a nasty WebKit vulnerability could impact web browsers beyond the macOS ecosystem. Approximately 75% of the global market uses Chromium-based browsers, so this expanded coverage was essential for our customers.
Response: Kandji detects all impacted apps, not just the ones formally disclosed by vendors.
What's Coming Up
Kandji’s Security Research team is staying active beyond the keyboard. Principal Security Researcher Csaba Fitzl will be presenting three talks this quarter at major macOS and infosec events:
- “Apple Disk-O Party” – BSidesBUD, May 21
- “Finding Vulnerabilities in Apple Packages at Scale” – SecurityFest, June 4
- “Finding Vulnerabilities in Apple Packages at Scale” – MacDevOpsYVR, June 13
Our team is committed to staying ahead of the macOS threat curve. We’ll be back next quarter with more insights, discoveries, and protection updates to keep customer devices secure.
Glossary
Atomic Stealer (AMOS): A sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate sensitive data including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets.
Behavioral Detection: A cybersecurity methodology that identifies threats by monitoring unusual behavior patterns on devices, rather than relying solely on known malware signatures.
osascript: A macOS command-line tool that executes AppleScript, commonly leveraged by attackers to display fake system prompts to deceive users into providing sensitive credentials.
WebKit: An open-source web browser engine used by Safari and other browsers, frequently targeted by attackers due to its widespread usage across various platforms.
Zero-Day Vulnerability: A software flaw unknown to the vendor, which has no official fix available. Zero-days are often exploited by attackers before patches are released.