CHILLYHELL macOS Backdoor and ZynorRAT RAT Pose Significant Threats to macOS, Windows, and Linux Systems
Cybersecurity researchers have identified two new malware families, including a modular Apple macOS backdoor named CHILLYHELL and a Go-based Remote Access Trojan (RAT) called ZynorRAT, which can target both Windows and Linux systems. An analysis from Jamf Threat Labs indicates that CHILLYHELL is written in C++ and designed for Intel architectures. This malware is attributed to an uncategorised threat cluster known as UNC4487, which is believed to have been active since at least October 2022. Threat intelligence shared by Google Mandiant suggests that UNC4487 is a suspected espionage actor that has compromised the websites of Ukrainian government entities to redirect and socially engineer targets into executing Matanbuchus or CHILLYHELL malware.
Jamf reported the discovery of a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. This artifact, which was notarised by Apple in 2021, has reportedly been publicly hosted on Dropbox since that time. Following the discovery, Apple revoked the developer certificates associated with the malware. Once executed, CHILLYHELL extensively profiles the compromised host and establishes persistence through three different methods. It then initiates command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, entering a command loop to receive further instructions from its operators.
To maintain persistence, CHILLYHELL installs itself as a LaunchAgent or a system LaunchDaemon. As a backup, it modifies the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file. A notable tactic employed by the malware is timestomping, which modifies the timestamps of created artifacts to avoid detection. If it lacks sufficient permission to update timestamps via a direct system call, it resorts to using shell commands such as touch -c -a -t and touch -c -m -t, each with a formatted string representing a past date as an argument.
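Here is an added Python triage example (not code from Jamf or from the article) that checks for the three persistence paths described above and for the timestomping indicator. The launchd plist, the shell-profile lines, the file paths and the "trusted" directory prefixes are constructed assumptions for the demo; the timestomping check relies on the fact that touch -t rewrites atime/mtime but cannot rewrite the inode change time (ctime).

```python
"""Defender-side triage for CHILLYHELL-style persistence and timestomping.

Added example, not Jamf's or the article's code. All sample data below is
constructed; the trusted-prefix list is an assumption you should tune.
"""
import os
import plistlib
import re
import tempfile
import time

# Assumption: legitimate launchd jobs normally start binaries from these prefixes.
TRUSTED_PREFIXES = ("/usr/", "/System/", "/Applications/", "/Library/Apple/", "/bin/", "/sbin/")


def suspicious_launchd_items(plist_bytes: bytes) -> list:
    """Flag a LaunchAgent/LaunchDaemon plist that auto-starts a program outside
    the trusted prefixes (e.g. a hidden, user-writable directory)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    target = job.get("Program") or (args[0] if args else None)
    if target is None or not (job.get("RunAtLoad") or job.get("KeepAlive")):
        return []
    if target.startswith(TRUSTED_PREFIXES):
        return []
    return [f"{job.get('Label', '<no label>')}: auto-starts {target}"]


# A launch command injected into .zshrc/.bash_profile/.profile typically starts an
# absolute or home-relative path and backgrounds it so the login shell is not blocked.
PROFILE_PATTERN = re.compile(r"^\s*(?:nohup\s+)?(?P<path>(?:~|\$HOME|/)[^\s;&|]*)\s.*&\s*$")


def suspicious_profile_lines(profile_text: str) -> list:
    """Return (line_number, line) for backgrounded launch commands whose target
    is not under a trusted prefix."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = PROFILE_PATTERN.match(line)
        if m and not m.group("path").startswith(TRUSTED_PREFIXES):
            findings.append((lineno, line.strip()))
    return findings


def timestomp_indicator(path: str, slack_seconds: int = 3600) -> bool:
    """touch -t sets atime/mtime but not ctime, so a file whose mtime predates its
    ctime by more than `slack_seconds` had its timestamps set backwards after the
    inode was last changed. This is an indicator, not proof: cp -p, chmod or a
    later chown also produce an mtime older than ctime, so corroborate it."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack_seconds


def demo_timestomped_file() -> bool:
    """Create a file, backdate it a year as `touch -c -a -t`/`touch -c -m -t`
    would, and return whether the indicator fires."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        past = time.time() - 365 * 24 * 3600
        os.utime(path, (past, past))  # same effect as the touch commands above
        return timestomp_indicator(path)
    finally:
        os.unlink(path)


# Constructed sample: a LaunchAgent pointing at a hidden path under the user's home.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: a benign agent that starts a system binary.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sshagent</string>
  <key>ProgramArguments</key><array><string>/usr/bin/ssh-agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample ~/.zshrc with one injected launch line (line 4).
SAMPLE_PROFILE = "\n".join([
    "# constructed ~/.zshrc",
    'export PATH="$HOME/bin:$PATH"',
    'eval "$(/usr/libexec/path_helper -s)"',
    "nohup /Users/alice/Library/.cache/updater >/dev/null 2>&1 &",
])

if __name__ == "__main__":
    print("launchd:", suspicious_launchd_items(SAMPLE_PLIST), suspicious_launchd_items(BENIGN_PLIST))
    print("profile:", suspicious_profile_lines(SAMPLE_PROFILE))
    print("timestomp indicator on backdated file:", demo_timestomped_file())
```

Run it on a real host by feeding each file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons to suspicious_launchd_items, the user's shell profiles to suspicious_profile_lines, and any flagged binary to timestomp_indicator; treat the ctime/mtime gap as a reason to look closer, not as a verdict on its own.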
CHILLYHELL supports a wide array of commands that enable it to launch a reverse shell to the C2 IP address, download new versions of the malware, fetch additional payloads, and run a module named ModuleSUBF to enumerate user accounts from /etc/passwd. It can also conduct brute-force attacks using a pre-defined password list retrieved from the C2 server. According to Jamf, the combination of multiple persistence mechanisms, the ability to communicate over various protocols, and its modular structure makes CHILLYHELL extraordinarily flexible. Its capabilities, such as timestomping and password cracking, render it an unusual find in the current macOS threat landscape. Notably, the notarisation of CHILLYHELL serves as a crucial reminder that not all malicious code is easily identifiable: a valid Apple notarisation ticket is not evidence that a binary is benign.