Security researchers have uncovered a new and sophisticated macOS malware, named “AppleProcessHub”, that poses a serious risk to both individual users and organizations. The malware features advanced data theft capabilities and a stealthy command-and-control (C2) system.
Discovery and Initial Analysis
The threat was first reported on May 15, 2025, by MalwareHunterTeam, who found a suspicious file named libsystd.dylib. Although it appeared to be a standard macOS dynamic library, further investigation revealed it was a disguised executable targeting the x86_64 architecture.
Researchers found that the malware was built to steal a wide range of data, including bash and zsh history, SSH credentials, GitHub configurations, and most notably, access to the macOS Keychain.
Impact and Targets
Beyond personal data, the malware can expose critical enterprise details such as IP addresses, hostnames, and internal file paths. This opens the door for attackers to escalate access within a network.
Two-Stage Attack Structure
AppleProcessHub operates in two stages. It begins with a Mach-O binary that connects to the C2 server at appleprocesshub[.]com. The server delivers a second-stage bash script and receives stolen data.
The malware uses encrypted strings, indirect calls, and obfuscation to avoid detection. It is written in Objective-C and uses Apple’s Foundation framework and Grand Central Dispatch, showing the attackers’ deep understanding of macOS internals.
Encrypted C2 Infrastructure
The malware’s communication methods are particularly advanced. It hides its C2 server details using AES-128 encryption in ECB mode. The decrypted strings combine to form the C2 URL:
- “umm8pChcGqXHmKhPKLz7AQ==” → https://
- “WnD1BYMsv1hA87nbaMRsyA==” → www.
- “fg94nzBafSnFOdSgX+4Lz0Mqgem4m+H1ji0fIoVRuDI=” → appleprocesshub[.]com/v1/resource
These strings are decrypted using a hardcoded key: CMKD378491212qwe.
Decryption Sample Code
```python
from Crypto.Cipher import AES          # pycryptodome
from Crypto.Util.Padding import unpad
import base64

# Hardcoded AES-128 key recovered from the sample (16 ASCII bytes)
ascii_key = "CMKD378491212qwe"
key = ascii_key.encode("utf-8")

# Base64-encoded ciphertext fragments of the C2 URL, as stored in the binary
b64_ciphertext = [
    "umm8pChcGqXHmKhPKLz7AQ==",
    "WnD1BYMsv1hA87nbaMRsyA==",
    "fg94nzBafSnFOdSgX+4Lz0Mqgem4m+H1ji0fIoVRuDI=",
]

for enc in b64_ciphertext:
    ciphertext = base64.b64decode(enc)
    # ECB mode: each 16-byte block is decrypted independently, no IV
    cipher = AES.new(key, AES.MODE_ECB)
    # Strip PKCS#7 padding from the final block
    decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
    print(decrypted.decode("utf-8"))
```
Device Tracking and Payload Delivery
The malware identifies each infected machine using its serial number, obtained via IOKit API calls. This unique ID is included in the malware’s GET request to the C2 server, allowing attackers to monitor and control individual devices.
After contact with the C2 server, the malware downloads and runs a second-stage bash script named fSidEOWW.sh using macOS’s NSTask with /bin/sh as the execution shell.
Data Exfiltration
The script performs detailed system checks, collects sensitive files, compresses them, and uploads the data to the attacker-controlled server. This architecture allows threat actors to update their payloads without modifying the main binary, offering flexibility and stealth.
Conclusion
The AppleProcessHub malware highlights growing threats targeting macOS platforms with professional-grade sophistication. Security teams are urged to monitor systems for unusual activity, inspect unknown .dylib files, and review network traffic for suspicious C2 connections.
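The initial finding above was a file named like a dynamic library that was really an x86_64 executable, and the conclusion recommends inspecting unknown .dylib files. One concrete triage check is to read the Mach-O header and compare its filetype field with what the file name claims. The script below is an added example (not from the article or the malware analysis); the header bytes it tests against are constructed samples, not bytes from the real libsystd.dylib, and the script name check_dylib.py is hypothetical.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O header, little-endian on disk
MH_CIGAM_64 = 0xCFFAEDFE      # same header with swapped byte order
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)   # universal (fat) binary, not parsed here

FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 7: "MH_DYLINKER", 8: "MH_BUNDLE"}
CPUTYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def parse_macho64_header(data: bytes) -> dict:
    """Decode the 32-byte mach_header_64 and name its cputype and filetype."""
    if len(data) < 32:
        raise ValueError("too short for a 64-bit Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        order = "<"
    elif magic == MH_CIGAM_64:
        order = ">"
    elif magic in FAT_MAGICS:
        raise ValueError("fat binary: inspect each architecture slice separately")
    else:
        raise ValueError("not a 64-bit Mach-O header")
    # Fields: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    fields = struct.unpack(order + "IiiIIIII", data[:32])
    return {
        "cputype": CPUTYPES.get(fields[1], hex(fields[1])),
        "filetype": FILETYPES.get(fields[3], str(fields[3])),
        "ncmds": fields[4],
    }


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like a dylib actually carries an MH_EXECUTE header."""
    header = parse_macho64_header(data)
    return filename.endswith(".dylib") and header["filetype"] == "MH_EXECUTE"


# Constructed sample headers (not taken from the real sample): an x86_64 main
# executable and a genuine x86_64 dylib, with arbitrary ncmds/sizeofcmds/flags.
SAMPLE_EXEC_HEADER = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 16, 1288, 0x200085, 0)
SAMPLE_DYLIB_HEADER = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 6, 12, 1024, 0x100085, 0)

if __name__ == "__main__":
    # Usage: python check_dylib.py /path/to/suspect.dylib
    with open(sys.argv[1], "rb") as f:
        blob = f.read(32)
    print(parse_macho64_header(blob), "disguised:", is_disguised_executable(sys.argv[1], blob))
```

A mismatch between the name and the header is not proof of malice on its own, but a file that is loaded as a library yet links as MH_EXECUTE is exactly the kind of anomaly worth pulling for deeper analysis.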