PasivRobber
Description
PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.
Variant Names
N/A
Alternative Names
- Meiya
Country of origin
- China
Symptoms
You might observe the following artifacts associated with this threat:
- Presence of unfamiliar binaries in `/Library/protect/wsus/bin/`, such as `goed`, `wsus`, and `center`.
- Installation of a LaunchDaemon labeled `com.apple.goed`, mimicking legitimate system services.
- Unexpected prompts for system credentials or unusual network activity, including FTP connections.
- Altered or re-signed versions of applications like WeChat and QQ.
Technical Breakdown
PasivRobber is distributed via a signed installer package (`pkg`) that contains a pre-install script to remove existing persistence mechanisms and a post-install script that verifies the macOS version before deploying the main payload. The payload includes architecture-specific binaries placed in `/Library/protect/wsus/bin/`.
The malware comprises several components:
- `goed`: Launched at startup via a LaunchDaemon, it initiates the infection chain by executing `wsus`.
- `wsus`: Handles remote actions, including updates via FTP, uninstallation through RPC messages, and configuration management using encrypted `.ini` files. It also captures screenshots and extracts data from instant messaging applications.
- `center`: Acts as an on-device agent, collecting system information and monitoring user activity. It uses the `apse` binary to inject malicious code into running applications like WeChat, QQ, and WeCom, re-signing them post-injection to maintain integrity.
PasivRobber employs several obfuscation techniques:
- Mimicking legitimate system processes by naming binaries similarly (e.g., `goed` vs. Apple's `geod`).
- Using `.gz` extensions for plugin dynamic libraries instead of `.dylib` to conceal their true nature.
- Hiding the installer from standard software lists and using deceptive Developer IDs.
The suite includes 28 plugins (named `zero_*.gz`) that target various data sources, parsing data from plists, SQLite databases, and more. Each plugin implements a `_GetPluginName()` function for identification and stores collected data in SQLite tables.
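The following script is an added example (not Kandji's tooling) that checks a host for the artifacts listed under Symptoms and in the breakdown above: the component binaries in `/Library/protect/wsus/bin/`, the `com.apple.goed` LaunchDaemon, and `zero_*.gz` plugins that are not really gzip files. It assumes the LaunchDaemon plist is named after its label; the `ROOT` prefix lets you scan a mounted volume or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Added example, not Kandji's own tooling. Scans for the PasivRobber
# artifacts named on this page. First argument: root prefix ("" = live "/").
# Assumption: the LaunchDaemon plist file is named after its label.
pasivrobber_scan() {
    root="${1:-}"
    hits=0
    bindir="$root/Library/protect/wsus/bin"

    # 1. Component binaries named on the page, in the directory it names.
    for b in goed wsus center apse; do
        if [ -e "$bindir/$b" ]; then
            echo "FOUND binary: $bindir/$b" >&2
            hits=$((hits + 1))
        fi
    done

    # 2. LaunchDaemon mimicking Apple's geod (note the transposed letters).
    plist="$root/Library/LaunchDaemons/com.apple.goed.plist"
    if [ -e "$plist" ]; then
        echo "FOUND LaunchDaemon: $plist" >&2
        hits=$((hits + 1))
    fi

    # 3. Plugins named zero_*.gz. A real gzip file starts with bytes 1f 8b;
    #    anything else carrying that name is a disguised library.
    list=$(mktemp)
    find "$root/Library/protect" -name 'zero_*.gz' -print 2>/dev/null > "$list" || :
    while read -r f; do
        magic=$(od -A n -t x1 -N 2 "$f" | tr -d ' \n')
        if [ "$magic" = "1f8b" ]; then
            echo "FOUND plugin (gzip header): $f" >&2
        else
            echo "FOUND plugin disguised as .gz (magic '$magic'): $f" >&2
        fi
        hits=$((hits + 1))
    done < "$list"
    rm -f "$list"

    # 4. On a live macOS host, also check whether the label is loaded.
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl list 2>/dev/null | grep -q 'com.apple.goed' &&
            echo "FOUND loaded LaunchDaemon label com.apple.goed" >&2 &&
            hits=$((hits + 1))
    fi

    echo "$hits"   # number of artifacts found (details go to stderr)
}
```

Run it as root on the suspect Mac with no argument; a non-zero count means the leftover artifacts the Next Steps section mentions are still present.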
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.
Learn more about it: "PasivRobber: Chinese Spyware or Security Tool?"