ChillyHell macOS Backdoor Resurfaces

In 2025, cybersecurity researchers uncovered a serious threat to macOS systems called ChillyHell: a modular backdoor that had flown under the radar for years by abusing macOS security mechanisms and Apple’s own notarization process.

What is ChillyHell?

ChillyHell is a modular backdoor written in C++ designed for Intel-based macOS devices. It was first notarized by Apple in 2021, thus bypassing macOS’s Gatekeeper protections and avoiding detection by many antivirus solutions. The malware lived in the wild, even publicly hosted on Dropbox since 2021, and remained operational until its discovery in 2025. This malware is attributed to a threat actor group known as UNC4487, suspected of espionage activities, particularly targeting Ukrainian government-associated entities.

Infection and Persistence

Once executed, ChillyHell performs comprehensive host profiling: it enumerates active user accounts, running processes, environment variables, and privileges. It then establishes persistence through one of three methods, depending on its privileges:

  • Installing as a LaunchAgent in the user context (~/Library/LaunchAgents/com.apple.qtop.plist)
  • Installing as a LaunchDaemon with elevated privileges (/Library/LaunchDaemons/com.apple.qtop.plist)
  • Modifying the user’s shell profile (.zshrc, .bash_profile, or .profile) to run at terminal startup

The malware daemonizes itself and even opens a benign-looking website (Google), likely as a distraction.

Advanced Evasion Techniques

ChillyHell employs timestomping to alter the creation and modification timestamps of its files and artifacts to avoid suspicion during forensic investigation. If direct system calls are not permitted, it falls back to shell commands that set timestamps back to a date in the past.
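A defender-side hunt for the two artifact classes described above, the fixed persistence paths and the timestomped files: an added example written for this write-up, not code from the researchers or from the malware. It assumes the plist paths quoted above and relies on the fact that utimes()/`touch -t` can rewrite a file's mtime but not its inode change time (ctime), so a large ctime-minus-mtime gap is the indicator; the fixture in `self_test` is constructed.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Persistence locations named in the write-up.
PERSISTENCE_PLISTS = [
    Path("~/Library/LaunchAgents/com.apple.qtop.plist").expanduser(),
    Path("/Library/LaunchDaemons/com.apple.qtop.plist"),
]
SHELL_PROFILES = [Path(p).expanduser() for p in ("~/.zshrc", "~/.bash_profile", "~/.profile")]


def present_persistence(paths=PERSISTENCE_PLISTS):
    """Return the known persistence paths that exist on this host."""
    return [str(p) for p in paths if p.exists()]


def looks_timestomped(st, min_gap=7 * 86400):
    """utimes()/'touch -t' can push mtime into the past but cannot set ctime,
    so an mtime far older than ctime indicates a rewritten timestamp. Files
    restored from backup or extracted with preserved times trip this too, so
    treat hits as triage leads, not verdicts."""
    return st.st_ctime - st.st_mtime > min_gap


def scan_timestomped(paths, min_gap=7 * 86400):
    """Return the regular files among `paths` whose timestamps look rewritten."""
    hits = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue  # absent or unreadable: nothing to assess
        if stat.S_ISREG(st.st_mode) and looks_timestomped(st, min_gap):
            hits.append(str(p))
    return hits


def self_test():
    """Constructed fixture: a fresh file, a file with mtime pushed back to 2021
    (what the malware's shell fallback effectively does), and a fake plist."""
    tmp = Path(tempfile.mkdtemp())
    clean, stomped, plist = tmp / "clean", tmp / "stomped", tmp / "com.apple.qtop.plist"
    for f in (clean, stomped, plist):
        f.write_text("x")
    past = time.mktime((2021, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(stomped, (past, past))  # mtime/atime rewritten, ctime stays "now"
    hits = scan_timestomped([clean, stomped])
    found = present_persistence([plist, tmp / "missing.plist"])
    return hits == [str(stomped)] and found == [str(plist)]


if __name__ == "__main__":
    targets = PERSISTENCE_PLISTS + SHELL_PROFILES
    print("persistence:", present_persistence(targets))
    print("timestomped:", scan_timestomped(targets))
```

Run it as the user whose LaunchAgents and shell profiles you want to check; the LaunchDaemons path needs root to be read on a hardened host.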

Communication with its Command and Control (C2) servers is highly flexible. The malware contains hardcoded IP addresses that it contacts over either HTTP or DNS protocols, dynamically switching transport methods to evade network detection.

Modular Command Structure

ChillyHell receives commands from its C2 in a loop, executing tasks via different internal modules, such as:

  • Reverse shell establishment for direct control
  • Self-updating by downloading and replacing its own binary
  • Payload downloading and execution
  • User account enumeration and password brute-forcing using a downloaded tool and custom wordlists

A distinctive feature is its password brute-force module, which targets local user accounts, possibly via Kerberos; such functionality is rare in macOS malware.

Implications and Warning

ChillyHell’s presence in the macOS ecosystem is a stark reminder that even notarized software can be malicious. Its persistence, flexibility, and stealth techniques make it one of the more dangerous macOS threats to date. Users and organizations are strongly advised to avoid downloading untrusted software and to keep security solutions up to date.

Conclusion

ChillyHell demonstrates how even sophisticated macOS defenses like notarization can be bypassed by well-crafted malware. Its modular architecture, stealth via timestomping, multi-method persistence, and powerful remote control capabilities mark it as a serious threat actor tool in the macOS malware landscape.

Organizations should update their endpoint detection platforms to look for the persistence paths and behaviours described above and educate users about the risks of unauthorized software installs.
