September 27, 2023

A cyber-espionage malware targetting Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong which is undocumented previously dubbed DazzleSpy.

The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames.


The tampered code acted as a conduit to load a Mach-O file by leveraging a RCE bug in WebKit that was fixed by Apple CVE-2021-1789. The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code.

The success of the WebKit RCE subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component CVE-2021-30869 to run the next stage malware as a root user.

The features of the malware include as below.

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session, and
  • Deleting itself from the machine

This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit.


Indicators of Compromise (IoCs)



URLs of Safari exploit

DazzleSpy C&C server

Leave a Reply

%d bloggers like this: