Kandji Threat Intelligence

Threats

Adload

Adload is a family of adware that infects macOS systems by masquerading as legitimate software requesting user permissions. Once installed, Adload directs users to unwanted ads, changes browser settings, and can significantly slow the performance of your computer. In addition to this, Adload puts your privacy at risk by tracking your online activity and installing other harmful programs without user permission. Adload is sometimes dropped by the macOS malware Shlayer.

Learn More about Adload

AppleJeus

AppleJeus is a sophisticated macOS trojan attributed to North Korea's state-sponsored APT Lazarus Group. This malware has been used for years to infiltrate cryptocurrency exchanges and financial service companies by masquerading as legitimate applications. AppleJeus enables unauthorized access, facilitates data exfiltration, and can lead to significant financial losses.

Learn More about AppleJeus

Atomic Stealer (AMOS)

Atomic Stealer (AMOS) is a sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate extensive data, including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets. There is a strong association between Atomic Stealer and Russian-speaking cybercriminal communities.

Learn More about Atomic Stealer (AMOS)

Backdoor Activator

Backdoor Activator is a macOS malware campaign that spreads through infected copies of popular applications and productivity tools, often via torrent downloads. Disguised as software 'Activators' to crack legitimate applications, this malware family compromises system security and may facilitate unauthorized remote access.

Learn More about Backdoor Activator

Banshee

Banshee is a sophisticated macOS infostealer that poses a significant threat to Apple users. It is designed to exfiltrate a wide range of sensitive information, including system data, login credentials, and cryptocurrency wallets.

Learn More about Banshee

Bundlore

Bundlore is an extremely prevalent adware that targets macOS systems by bundling unwanted applications with legitimate software installers. It often masquerades as popular software updaters and installers, deceiving users into installing additional unwanted programs. Once installed, Bundlore injects advertisements into web browsers, redirects user searches, and collects sensitive browsing data. Bundlore is sometimes dropped by the macOS malware Shlayer.

Learn More about Bundlore

Careto (The Mask)

Careto (also known as The Mask) is an advanced cyber espionage malware family attributed to a sophisticated threat actor, likely state-sponsored. It targets macOS, Windows, Linux, and mobile platforms with the primary intent of covertly exfiltrating sensitive user data, credentials, encryption keys, and network configurations through multi-stage payloads and encrypted communications.

Learn More about Careto (The Mask)

Cthulhu

Cthulhu is a macOS stealer that masquerades as legitimate software to deceive users into installing it. Once executed, it collects sensitive information, including system data, browser credentials, cryptocurrency wallets, and game account details. Cthulhu has also been known to target enterprise environments to conduct cyber espionage campaigns.

Learn More about Cthulhu

Cuckoo

Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords, as well as to record audio and video from an infected system.

Learn More about Cuckoo

EvilQuest

EvilQuest, also known as ThiefQuest, is a ransomware variant that targets macOS systems. EvilQuest also includes some information stealing and data exfiltration features. It is actively being enhanced with new features to avoid detection.

Learn More about EvilQuest

PasivRobber

PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.

Learn More about PasivRobber

Poseidon

Poseidon (RodrigoStealer) is an information stealer targeting macOS users, masquerading as legitimate applications such as the Arc browser. It is designed to exfiltrate sensitive data, including system information, browser credentials, cryptocurrency wallets, and documents. It has been associated with Russian-speaking cybercriminal communities and is actively distributed through phishing campaigns and compromised websites.

Learn More about Poseidon

ProcessHub Stealer

ProcessHub Stealer is a relatively new finding attributed to China, and is designed to collect user files including bash history, zsh history, GitHub configuration, SSH information, and the Keychain. It completes these actions in a multi-stage process: downloading a script from its command-and-control server, collecting the user files, and uploading those files.

Learn More about ProcessHub Stealer

Shlayer

Shlayer is a Trojan downloader that primarily targets macOS systems, known for distributing various types of adware, including Bundlore. It is distributed through fake Flash Player updates and deceptive websites, tricking users into installing unwanted software. Once executed, Shlayer connects to command-and-control servers to download additional payloads.

Learn More about Shlayer

Vulnerabilities

CVE-2021-30808

CVE-2021-30808 is a security vulnerability in Apple's operating systems that could allow a malicious application to modify protected parts of the file system. The issue was addressed by Apple through improved checks in macOS Monterey 12.0.1, iOS 15, iPadOS 15, watchOS 8, and tvOS 15.

Learn More about CVE-2021-30808

CVE-2023-23533

CVE-2023-23533 is a logic issue within macOS that could allow an application to modify protected parts of the file system. According to Kandji's analysis, this vulnerability allowed an attacker to swap the installer package after the system verified its code signature. The system would then install the supplied package instead of the original, enabling the attacker to bypass System Integrity Protection (SIP).

Learn More about CVE-2023-23533

CVE-2023-40424

CVE-2023-40424 is a security vulnerability in Apple's operating systems that could allow an application to access user-sensitive data. The issue was addressed by Apple through improved checks in macOS Sonoma 14.0, iOS 17, iPadOS 17, and watchOS 10. According to Kandji's analysis, this vulnerability involves the ability of a root-level user to create a new user with a custom Transparency, Consent, and Control (TCC) database in macOS. This custom TCC database can then be used to access other users' private data, effectively bypassing the intended privacy protections.

Learn More about CVE-2023-40424

CVE-2023-42860

CVE-2023-42860 is a permissions issue within Apple's PackageKit framework that could allow an application to modify protected parts of the file system. The vulnerability was addressed by Apple through additional restrictions in macOS Monterey 12.7.1, macOS Ventura 13.6.1, and macOS Sonoma 14.1. According to Kandji's analysis, this vulnerability allowed an attacker to swap the installer package after the system verified its code signature. The system would then install the supplied package instead of the original, enabling the attacker to bypass System Integrity Protection (SIP).

Learn More about CVE-2023-42860

CVE-2024-27821

CVE-2024-27821 is a path handling issue within Apple's Shortcuts app. A flaw in the validation process could allow a shortcut to output sensitive user data without consent. Apple addressed this vulnerability by implementing improved validation mechanisms in macOS Sonoma 14.5, iOS 17.5, iPadOS 17.5, and watchOS 10.5.

Learn More about CVE-2024-27821

CVE-2024-27848

CVE-2024-27848 is a security vulnerability in Apple's operating systems that could allow a malicious app to gain root privileges. The issue was addressed by Apple through improved permissions checking in macOS Sonoma 14.5, iOS 17.5, and iPadOS 17.5.

Learn More about CVE-2024-27848

CVE-2024-27883

CVE-2024-27883 is a permissions issue within Apple's PackageKit framework that could allow an application to modify protected parts of the file system.

Learn More about CVE-2024-27883

CVE-2024-40783

CVE-2024-40783 is a security vulnerability in Apple's macOS that could allow a malicious application to bypass Privacy preferences. The issue was addressed by Apple through improved restriction of data container access in macOS Sonoma 14.6, macOS Ventura 13.6.8, and macOS Monterey 12.7.6.

Learn More about CVE-2024-40783

CVE-2024-40795

CVE-2024-40795 is a security vulnerability in Apple's Family Sharing component that could allow an application to read sensitive location information. The issue was addressed by Apple through improved data protection in macOS Sonoma 14.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, and tvOS 17.6. The vulnerability was discovered by Csaba Fitzl (@theevilbit) of Kandji.

Learn More about CVE-2024-40795

CVE-2024-40855

CVE-2024-40855 is a security vulnerability in Apple's DiskArbitration framework that could allow a sandboxed app to access sensitive user data. The issue was addressed by Apple through improved checks in macOS Sequoia 15, macOS Sonoma 14.7.1, and macOS Ventura 13.7.1.

Learn More about CVE-2024-40855

CVE-2024-44175

CVE-2024-44175 is a vulnerability in Apple's macOS that could allow an application to access sensitive user data. The issue was addressed by Apple through improved validation of symlinks in macOS Sonoma 14.7.1 and macOS Sequoia 15. According to Kandji's analysis, this vulnerability involves a Time-of-Check to Time-of-Use (TOCTOU) race condition in the `diskarbitrationd` daemon. By exploiting this flaw, an attacker could escape the application sandbox and escalate privileges to root from a low-privileged user.

Learn More about CVE-2024-44175

CVE-2024-44196

CVE-2024-44196 is a permissions issue within Apple's PackageKit framework that could allow an application to modify protected parts of the file system.

Learn More about CVE-2024-44196

CVE-2024-44253

CVE-2024-44253 is a permissions issue within Apple's PackageKit framework that could allow an application to modify protected parts of the file system.

Learn More about CVE-2024-44253

CVE-2024-4558

CVE-2024-4558 is a use-after-free vulnerability in the ANGLE component of Google Chrome. Processing maliciously crafted web content may lead to an unexpected process crash.

Learn More about CVE-2024-4558

CVE-2024-54469

CVE-2024-54469 is a security vulnerability in Apple's FileProvider component that could allow a local user to leak sensitive user information. The issue was addressed by Apple through improved checks in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15, iOS 18, iPadOS 18, and visionOS 2.

Learn More about CVE-2024-54469

CVE-2024-54477

CVE-2024-54477 allows an application to access sensitive user data. Apple mitigated the vulnerability through stricter checks in recent updates. Reported by Mickey Jin (@patch1t) and Csaba Fitzl (@theevilbit) of Kandji.

Learn More about CVE-2024-54477

CVE-2024-54534

CVE-2024-54534 is an out-of-bounds write vulnerability in WebKit, Apple's browser engine. Processing maliciously crafted web content may lead to memory corruption. Apple addressed this vulnerability by implementing improved memory handling in macOS Sequoia 15.2, iOS 18.2, iPadOS 18.2, Safari 18.2, watchOS 11.2, tvOS 18.2, and visionOS 2.2.

Learn More about CVE-2024-54534

CVE-2025-24162

CVE-2025-24162 is a vulnerability in Apple's WebKit engine that could lead to an unexpected process crash when processing maliciously crafted web content. The issue was addressed by Apple through improved state management in the affected systems.

Learn More about CVE-2025-24162

CVE-2025-24167

CVE-2025-24167 is a security vulnerability in Apple's Safari browser and operating systems that could allow a download's origin to be incorrectly associated. The issue was addressed by Apple through improved state management in Safari 18.4, iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4.

Learn More about CVE-2025-24167

CVE-2025-24201

CVE-2025-24201 is an out-of-bounds write vulnerability in WebKit, Apple's browser engine. Maliciously crafted web content could exploit this issue to break out of the Web Content sandbox, potentially leading to arbitrary code execution. Apple addressed this vulnerability by implementing improved checks to prevent unauthorized actions in the affected systems. According to Kandji's analysis, this vulnerability exemplifies the challenges posed by shared codebases across different platforms. The widespread use of WebKit means that a single vulnerability can have far-reaching implications beyond just Apple's ecosystem.

Learn More about CVE-2025-24201

CVE-2025-24236

CVE-2025-24236 is a security vulnerability in Apple's macOS that could allow an application to access sensitive user data. The issue was addressed by Apple through additional sandbox restrictions in macOS Sequoia 15.4 and macOS Sonoma 14.7.5. The vulnerability was discovered by Csaba Fitzl (@theevilbit) and Nolan Astrein of Kandji.

Learn More about CVE-2025-24236

CVE-2025-30427

CVE-2025-30427 is a use-after-free vulnerability in WebKit, Apple's browser engine. Processing maliciously crafted web content may lead to an unexpected Safari crash. Apple addressed this vulnerability by implementing improved memory management in Safari 18.4, macOS Sequoia 15.4, iOS 18.4, iPadOS 18.4, iPadOS 17.7.6, tvOS 18.4, and visionOS 2.4.

Learn More about CVE-2025-30427
