{"id":103937,"date":"2025-06-29T03:31:55","date_gmt":"2025-06-29T10:31:55","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=103937"},"modified":"2025-06-29T03:32:13","modified_gmt":"2025-06-29T10:32:13","slug":"pyinstaller-macos-malware-vector","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/pyinstaller-macos-malware-vector\/","title":{"rendered":"Python Applications, Active &#038; Hidden Malware Infection Vector on macOS"},"content":{"rendered":"<h2><strong>Executive Summary<\/strong><\/h2>\n<p>Since the release of macOS 12.3 (Monterey), Python has not been included with Apple\u2019s operating system. This programming language, popular among developers and researchers for its versatility, was deemed unnecessary by Apple. Notably, even before its removal, macOS only included the deprecated Python 2.7 rather than the latest versions.<\/p>\n<p>Users can only manually install Python using package managers like Homebrew and create virtual environments with tools like <span style=\"color: #64a071;\">pyenv<\/span> to manage multiple concurrent Python versions.<\/p>\n<p>As macOS adoption continues to rise, threat actors are becoming increasingly creative in targeting the Apple ecosystem. 
One lesser-known but growing trend is the use of <strong>PyInstaller<\/strong>, a Python utility that packages scripts into standalone executables.<\/p>\n<p>Although PyInstaller is widely used for legitimate software distribution, it is now frequently abused by malware authors to create cross-platform, self-contained malware capable of running on macOS without requiring Python to be installed.<\/p>\n<p>This article explores how adversaries leverage PyInstaller to deliver sophisticated macOS malware, how these threats evade traditional detection methods, and what malware researchers can do to analyze and defend against them.<\/p>\n<h2><strong>PyInstaller, the Beloved Wizard<\/strong><\/h2>\n<p>Installing Python and ensuring that all dependencies are correctly configured for a given application can be a headache. Developers often rely on complex structures when building Python applications. Following best practices, they typically include support files, such as <span style=\"color: #64a071;\">requirements.txt<\/span>, to inform deployment tools which libraries must be installed for the code to run properly.<\/p>\n<h3><strong>What Is PyInstaller, and What Problems Does It Pose?<\/strong><\/h3>\n<p>PyInstaller is a widely used tool that compiles Python applications into standalone executables. It bundles the Python interpreter and all necessary dependencies into a single binary file. Its cross-platform compatibility and ease of use make it appealing not only to developers but also to malware authors.<\/p>\n<h4><strong>Key Threat Benefits:<\/strong><\/h4>\n<ul>\n<li>No Python dependency on the target machine.<\/li>\n<li>Fully packed binary.<\/li>\n<li>Cross-platform portability: the same rogue Python script can be packaged for both Windows and macOS with only minor adjustments.<\/li>\n<\/ul>\n<p>When a PyInstaller-packed executable is deployed on macOS, its Mach-O format and embedded Python bytecode present unique challenges for defenders. 
This technique has been adopted by a wide range of threats, including file coders (a.k.a. ransomware), information stealers, and keyloggers.<\/p>\n<h2><strong>Historical Parallel: Lessons from OSX\/Shlayer<\/strong><\/h2>\n<p>Intego\u2019s previous discovery of OSX\/Shlayer, a well-known piece of Mac malware, highlights the effectiveness of multi-stage dropper techniques on macOS. Although Shlayer used shell scripts embedded in fake Flash installer .app bundles, instead of Python, the way it delivered its payloads and concealed its operations is similar to how PyInstaller-based malware behaves.<\/p>\n<p><strong>Typical characteristics include:<\/strong><\/p>\n<ul>\n<li>A dropper macOS executable.<\/li>\n<li>Obfuscation techniques to conceal infection code.<\/li>\n<li>An extracted ZIP or Mach-O binary containing additional components (e.g., adware, spyware, persistence mechanisms).<\/li>\n<\/ul>\n<p>In one variant, Shlayer leveraged <strong>OpenSSL<\/strong> to decode and decrypt a bundled file, which was then dynamically executed in memory. This behavior is comparable to how a PyInstaller-packed binary can execute Python scripts contained within its <strong><span style=\"color: #64a071;\">.pyz<\/span><\/strong> archive.<\/p>\n<h2><strong>Case Study: Ransomware Script<\/strong><\/h2>\n<p>This article examines an example of ransomware Python scripts found inside a PyInstaller-packed Mach-O sample. 
The sample is intended for educational purposes and is named Ransomware_script (SHA-256: <span style=\"color: #64a071;\">f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/span>).<\/p>\n<h3><strong>Code Signing and Misuse of Developer IDs<\/strong><\/h3>\n<p>Some malware variants, such as Shlayer A, may be signed with valid Apple Developer IDs, allowing them to appear legitimate and bypass Gatekeeper protections.<\/p>\n<p>The <strong><span style=\"color: #64a071;\">Ransomware_script<\/span><\/strong> Mach-O binary is <strong>self-signed<\/strong> using an <strong>ad hoc signature<\/strong>. This means it lacks a Developer ID certificate verified by Apple\u2019s signing authority. Despite this, it can still bypass Gatekeeper on macOS due to how ad hoc signatures are treated.<\/p>\n<p><strong>Example terminal output:<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>% codesign -dvv f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<p>Executable=f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<p><strong>Identifier=ransomware_script-55554944014579c30b5e3f0e89275f47324c78a6<\/strong><\/p>\n<p>Format=Mach-O thin (arm64)<\/p>\n<p>CodeDirectory v=<span style=\"color: #d32f2f;\">20400<\/span> size=<span style=\"color: #d32f2f;\">219827<\/span> flags=<span style=\"color: #d32f2f;\">0x2<\/span>(adhoc) hashes=<span style=\"color: #d32f2f;\">6863<\/span>+<span style=\"color: #d32f2f;\">2<\/span> location=embedded<\/p>\n<p><strong>Signature=adhoc<\/strong><\/p>\n<p>Info.plist=not bound<\/p>\n<p><strong>TeamIdentifier=not set<\/strong><\/p>\n<p>Sealed Resources=none<\/p>\n<p>Internal requirements count=<span style=\"color: #d32f2f;\">0<\/span> size=<span style=\"color: #d32f2f;\">12<\/span><\/p>\n<\/div>\n<p><strong>Mitigation note:<\/strong><\/p>\n<p>Many open-source applications use 
self-signed code to avoid the cost of obtaining a Developer ID certificate. Self-signed components, such as embedded libraries, are common within otherwise notarized applications.<\/p>\n<h3><strong>Detection Considerations<\/strong><\/h3>\n<p>Every Mach-O binary built with PyInstaller leaves behind specific indicators. Analysts can look for these markers to identify suspicious binaries.<\/p>\n<h4><strong>Indicators of PyInstaller Use<\/strong><\/h4>\n<ul>\n<li>Presence of a <span style=\"color: #64a071;\">.pyz<\/span> archive embedded in the binary.<\/li>\n<li>Strings such as <span style=\"color: #64a071;\">_MEIXXXXXX<\/span> and <span style=\"color: #64a071;\">_pyinstaller_pyz<\/span>.<\/li>\n<\/ul>\n<p>Using tools like <strong>Hopper Disassembler<\/strong> helps isolate these strings at specific addresses in the binary code.<\/p>\n<p><strong>For example:<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>aMeixxxxxx:<\/p>\n<p><span style=\"color: #d32f2f;\">000000010000be38<\/span> <strong>db<\/strong> <span style=\"color: #64a071;\">&#8220;_MEIXXXXXX&#8221; <\/span>, <span style=\"color: #d32f2f;\">0 <\/span>; DATAXREF=sub_100007b1c+<span style=\"color: #d32f2f;\">260<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">264<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">456<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">460<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">652<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">656<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">784<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">788<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">920<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">924<\/span>, sub_100007b1c+<span style=\"color: #d32f2f;\">1056<\/span><\/p>\n<p>r0=strlen(r19);<\/p>\n<p>*(int32_t*)(<span style=\"color: #d32f2f;\">0x7 <\/span>+ r19 + r0) = <span style=\"color: 
#d32f2f;\">0x585858<\/span>;<\/p>\n<p>*(r19 + r0) = *<span style=\"color: #64a071;\">&#8220;_MEIXXXXXX&#8221;<\/span>;<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>aPyinstallerpyz:<\/p>\n<p><span style=\"color: #d32f2f;\">000000010000b128<\/span> <strong>db<\/strong> <span style=\"color: #64a071;\">&#8220;_pyinstaller_pyz&#8221;<\/span>,<span style=\"color: #d32f2f;\">0<\/span> ; DATAXREF=sub_100006074+<span style=\"color: #d32f2f;\">232<\/span><\/p>\n<p>loc_10000614c:<\/p>\n<p>(*<span style=\"color: #d32f2f;\">0x1000114e8<\/span>)(<span style=\"color: #64a071;\">&#8220;_pyinstaller_pyz&#8221;<\/span>,r19);<\/p>\n<p>(*<span style=\"color: #d32f2f;\">0x1000113d0<\/span>)(r19);<\/p>\n<p><span style=\"color: #1976d2;\">if<\/span> (r21==<span style=\"color: #d32f2f;\">0x0<\/span>) <span style=\"color: #1976d2;\">goto<\/span> loc_10000619c;<\/p>\n<\/div>\n<p>In its \u201cmodal\u201d structure, a PyInstaller-generated Mach-O binary contains a <strong>PYZ archive<\/strong>, which includes everything needed to run the Python application. 
This is conceptually similar to a macOS executable compressed with tools like the now-deprecated <strong>UPX format<\/strong>, a method often used to hide malicious strings and evade antivirus detection.<\/p>\n<h2><strong>Inside a PyInstaller-Packed Malware on macOS<\/strong><\/h2>\n<h3><strong>What Does It Look Like?<\/strong><\/h3>\n<p>A typical PyInstaller-packed malware binary on macOS is a <strong>Mach-O executable<\/strong> that contains:<\/p>\n<ul>\n<li>An embedded .pyz archive (Python bytecode in ZIP format).<\/li>\n<li>The Python interpreter, included as a shared object.<\/li>\n<li>A small C-based loader that unpacks and executes the embedded scripts.<\/li>\n<\/ul>\n<p><strong>To identify such binaries, researchers can use the following command:<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>% strings suspicious_file | grep -i _pyinstaller_pyz<\/p>\n<\/div>\n<p>When downloaded via macOS applications (e.g., Apple Safari), files may be tagged with a <strong>quarantine flag<\/strong>. 
This can be verified using the xattr tool:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>% xattr f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<p>com.apple.lastuseddate#PS<\/p>\n<p>com.apple.macl<\/p>\n<p><strong>com.apple.quarantine<\/strong><\/p>\n<\/div>\n<p>This flag can be easily removed with root privileges (sudo) using the <strong>xattr<\/strong> tool:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>% sudo xattr -d com.apple.quarantine f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<\/div>\n<p>Once the quarantine flag is removed, the Ransomware_script sample can be launched, even on <strong>macOS Sequoia 15.5 with SIP (System Integrity Protection) enabled<\/strong>, without requiring root privileges:<\/p>\n<ol>\n<li><strong>% chmod u+x Ransomware_script<\/strong><\/li>\n<li>Then, the user may right-click the file and select: <strong>Open With &gt; Terminal<\/strong> in the pop-up menu.<\/li>\n<\/ol>\n<p>In practice, implants that deliver such Mach-O samples often do not use Gatekeeper-compliant distribution methods, meaning the <strong>quarantine flag is not applied<\/strong> in the first place.<\/p>\n<h3><strong>Infection Steps<\/strong><\/h3>\n<p>We can isolate <strong>three identified stages<\/strong> in the infection chain. (Stage 0 is unknown, as the vector used to drop the PyInstaller-packed binary on the target system remains unidentified.)<\/p>\n<h4><strong>Stage 1: Dropper<\/strong><\/h4>\n<p><span style=\"color: #64a071;\">f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/span><\/p>\n<ul>\n<li><strong>File Name: <\/strong><span style=\"color: #64a071;\">ransomware_script<\/span><\/li>\n<li><strong>File Type:<\/strong> Mach-O<\/li>\n<li><strong>Size:<\/strong> 28,346,128 bytes (approx. 
4 MB)<\/li>\n<li><strong>MD5:<\/strong><span style=\"color: #64a071;\">13737a54b5b6d94b8780df5c519980aa<\/span><\/li>\n<li><strong>Tags: <\/strong><span style=\"color: #64a071;\">arm, macho, 64-bit<\/span><\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0\">VirusTotal<\/a><\/li>\n<\/ul>\n<h4><strong>Stage 2: Payload<\/strong><\/h4>\n<p><span style=\"color: #64a071;\">1bad4b0f42e1d2dd8aacadf0a994b82082d159ee210ebc6d5628587643d03ea1<\/span><\/p>\n<ul>\n<li><strong>File Name: <\/strong><span style=\"color: #64a071;\">ransomware_script.pyc_Decompiled.py<\/span><\/li>\n<li><strong>File Type:<\/strong> Python script (ASCII text, executable)<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/search\/1bad4b0f42e1d2dd8aacadf0a994b82082d159ee210ebc6d5628587643d03ea1\">VirusTotal<\/a><\/li>\n<\/ul>\n<p><strong>Container file:<\/strong><\/p>\n<p><span style=\"color: #64a071;\">13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125<\/span><\/p>\n<ul>\n<li><strong>Path: <\/strong><span style=\"color: #64a071;\">.\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted\/ransomware_script.pyc<\/span><\/li>\n<li><strong>File Type<\/strong>: data<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/search\/13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125\">VirusTotal<\/a><\/li>\n<\/ul>\n<h4><strong>Stage 3: Loader<\/strong><\/h4>\n<p><span style=\"color: #64a071;\">9c9611ac997d3bf2a513e0c7caa2cc94acf60921cc30d4e65710b6a479775011<\/span><\/p>\n<ul>\n<li><strong>File Name:<\/strong> ransomware.pyc_Decompiled.py<\/li>\n<li><strong>File Type:<\/strong> Python script (ASCII text executable, 483-character lines)<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/search\/9c9611ac997d3bf2a513e0c7caa2cc94acf60921cc30d4e65710b6a479775011\">VirusTotal<\/a><\/li>\n<\/ul>\n<p><strong>Container file:<\/strong><\/p>\n<p><span style=\"color: 
#64a071;\">442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7<\/span><\/p>\n<ul>\n<li><strong>Path: <\/strong><span style=\"color: #64a071;\">.\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted\/PYZ-00.pyz_extracted\/ransomware.pyc<\/span><\/li>\n<li><strong>File Type:<\/strong> data<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/search\/442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7\">VirusTotal<\/a><\/li>\n<\/ul>\n<h2><strong>Extracting Pyz Archive<\/strong><\/h2>\n<p><strong>PyInstaller<\/strong> provides several options for building self-extracting Python applications. During this process, malware authors must specify the target operating system. When the PyInstaller tool is executed, the Python interpreter is bundled along with other dependencies.<\/p>\n<p>The collected data may include plain .py Python scripts, or compiled Python files, either stored in folders or compressed into a special archive format known as a <strong>PYZ archive<\/strong>.<\/p>\n<p>One widely used open-source tool for extracting PYZ archives from PyInstaller executables is <span style=\"color: #64a071;\"><strong>pyinstxtractor<\/strong><\/span>. However, this tool depends on having Python installed and requires compatibility with the specific Python version used when the original binary was built. 
As a result, users may encounter various version-related errors when attempting extraction.<\/p>\n<p>To streamline the process, online services such as <strong>PyInstaller Extractor WEB<\/strong> (an online version of <span style=\"color: #64a071;\">pyinstxtractor<\/span>) can be used instead.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-103938 size-full\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/PyInstaller-Extractor-WEB.png\" alt=\"PyInstaller Extractor WEB\" width=\"764\" height=\"704\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/PyInstaller-Extractor-WEB.png 764w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/PyInstaller-Extractor-WEB-300x276.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/PyInstaller-Extractor-WEB-150x138.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/PyInstaller-Extractor-WEB-657x605.png 657w\" sizes=\"(max-width: 764px) 100vw, 764px\" \/><\/p>\n<p>Once the PYZ archive has been extracted, its contents can reveal valuable information. 
For instance, the extraction logs help identify possible entry points within the payload.<\/p>\n<p>In this case, one such entry appears to be the compiled script: <span style=\"color: #64a071;\"><strong>ransomware_script.pyc<\/strong><\/span><\/p>\n<p>It\u2019s worth noting that the name of the suspicious <span style=\"color: #64a071;\">ransomware_script<\/span> executable closely resembles the <strong>self-signed ad hoc identifier<\/strong> string used in the binary:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p><span style=\"color: #64a071;\">Identifier=ransomware_script-55554944014579c30b5e3f0e89275f47324c78a6<\/span><\/p>\n<\/div>\n<p>This naming pattern\u2014<span style=\"color: #64a071;\">&lt;filename&gt;-555&lt;random_hash&gt;<\/span>\u2014can serve as an additional heuristic when analyzing similarly crafted malware samples.<\/p>\n<h2><strong>Package Structure<\/strong><\/h2>\n<p>After unpacking the Mach-O PyInstaller sample, a quick inspection of its contents reveals several interesting elements:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted % ls -la<\/p>\n<p>total 11336<\/p>\n<p>drwx------@ 32 intego staff 1024 Jun 10 21:18 .<\/p>\n<p>drwxr-xr-x 10 intego wheel 320 Jun 10 21:18 ..<\/p>\n<p>-rw-r--r--@ 1 intego staff 6148 Jun 10 21:26 .DS_Store<\/p>\n<p>drwxr-xr-x@ 9 intego staff 288 Jun 10 21:18 Crypto<\/p>\n<p>drwxr-xr-x@ 85 intego staff 2720 Jun 10 21:18 <strong>PYZ-00.pyz_extracted<\/strong><\/p>\n<p>drwxr-xr-x@ 7 intego staff 224 Jun 10 21:18 PyQt5<\/p>\n<p>-rw-rw-r--@ 1 intego staff 38 Nov 30 1979 Python<\/p>\n<p>drwxr-xr-x@ 5 intego staff 160 Jun 10 21:18 Python.framework<\/p>\n<p>-rw-rw-r--@ 1 intego staff 49 Nov 30 1979 QtCore<\/p>\n<p>-rw-rw-r--@ 1 intego staff 49 Nov 30 1979 QtDBus<\/p>\n<p>-rw-rw-r--@ 1 intego staff 47 Nov 30 1979 QtGui<\/p>\n<p>-rw-rw-r--@ 1 intego staff 55 Nov 30 1979 QtNetwork<\/p>\n<p>-rw-rw-r--@ 1 intego staff 65 Nov 30 1979 QtPrintSupport<\/p>\n<p>-rw-rw-r--@ 1 intego staff 47 Nov 30 1979 QtQml<\/p>\n<p>-rw-rw-r--@ 1 intego staff 59 Nov 30 1979 QtQmlModels<\/p>\n<p>-rw-rw-r--@ 1 intego staff 51 Nov 30 1979 QtQuick<\/p>\n<p>-rw-rw-r--@ 1 intego staff 47 Nov 30 1979 QtSvg<\/p>\n<p>-rw-rw-r--@ 1 intego staff 61 Nov 30 1979 QtWebSockets<\/p>\n<p>-rw-rw-r--@ 1 intego staff 55 Nov 30 1979 <strong>QtWidgets<\/strong><\/p>\n<p>-rw-rw-r--@ 1 intego staff 1396821 Nov 30 1979 base_library.zip<\/p>\n<p>drwxr-xr-x@ 45 intego staff 1440 Jun 10 21:18 lib-dynload<\/p>\n<p>-rw-rw-r--@ 1 intego staff 3619168 Nov 30 1979 <strong>libcrypto.3.dylib<\/strong><\/p>\n<p>-rw-rw-r--@ 1 intego staff 650768 Nov 30 1979 <strong>libssl.3.dylib<\/strong><\/p>\n<p>-rw-rw-r--@ 1 intego staff 2849 Nov 30 1979 pyi_rth_inspect.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 1585 Nov 30 1979 pyi_rth_pkgutil.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 2040 Nov 30 1979 pyi_rth_pyqt5.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 1916 Nov 30 1979 pyiboot01_bootstrap.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 4813 Nov 30 1979 pyimod01_archive.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 31848 Nov 30 1979 pyimod02_importers.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 6469 Nov 30 1979 pyimod03_ctypes.pyc<\/p>\n<p>-rw-rw-r--@ 1 intego staff 727 Nov 30 1979 <strong>ransomware_script.pyc<\/strong><\/p>\n<p>-rw-rw-r--@ 1 intego staff 305 Nov 30 1979 struct.pyc<\/p>\n<\/div>\n<ul>\n<li>The <span style=\"color: #64a071;\">PYZ-00.pyz_extracted<\/span> directory contains the unpacked Python application files.<\/li>\n<li>This Python application uses <strong>Qt<\/strong>, particularly <span style=\"color: #64a071;\">QtWidgets<\/span>, to build a graphical interface. 
The UI is designed to display a ransom demand, encouraging the victim to pay in order to receive a decryption password.<\/li>\n<li>Two notable dynamic libraries are included from OpenSSL:\n<ul>\n<li><span style=\"color: #64a071;\">libcrypto.3.dylib<\/span><\/li>\n<li><span style=\"color: #64a071;\">libssl.3.dylib<\/span><\/li>\n<li>Both are <strong>Mach-O 64-bit dynamically linked shared libraries<\/strong> for the arm64 architecture and are <strong>self-signed<\/strong> with the following identifiers:\n<ul>\n<li><span style=\"color: #64a071;\">Identifier=libcrypto.3, Signature=adhoc<\/span><\/li>\n<li><span style=\"color: #64a071;\">Identifier=libssl.3, Signature=adhoc<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>These libraries support <strong>cryptographic functions<\/strong> and <strong>TLS communication<\/strong>.<\/li>\n<li>macOS ships with a wide range of system .<span style=\"color: #64a071;\">dylib<\/span> files that are code-signed by Apple\u2019s trusted certificate authority. Any .<span style=\"color: #64a071;\">dylib<\/span> used by a Mach-O binary is typically listed in the binary\u2019s <strong>Load Commands<\/strong> section, though it is not embedded directly. To examine these dependencies, analysts can use:<\/li>\n<\/ul>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>% otool -hlL sample_Macho_file<\/p>\n<\/div>\n<h4><strong>Payload (A) and Loader (B)<\/strong><\/h4>\n<p><strong>A .\/ransomware_script.pyc<\/strong><\/p>\n<p><span style=\"color: #d32f2f;\">SHA-256: 13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125<\/span><\/p>\n<p><strong>B .\/PYZ-00.pyz_extracted\/ransomware.pyc<\/strong><\/p>\n<p><span style=\"color: #d32f2f;\">SHA-256: 442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7<\/span><\/p>\n<p>File system search and hash verification:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted % find . -name &quot;ransomware*&quot;<\/p>\n<p>.\/ransomware_script.pyc<\/p>\n<p>.\/PYZ-00.pyz_extracted\/ransomware.pyc<\/p>\n<p>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted % shasum -a <span style=\"color: #d32f2f;\">256<\/span> .\/ransomware_script.pyc<\/p>\n<p><span style=\"color: #d32f2f;\">13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125<\/span> .\/ransomware_script.pyc<\/p>\n<p>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted % shasum -a <span style=\"color: #d32f2f;\">256<\/span> .\/PYZ-00.pyz_extracted\/ransomware.pyc<\/p>\n<p><span style=\"color: #d32f2f;\">442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7<\/span> .\/PYZ-00.pyz_extracted\/ransomware.pyc<\/p>\n<\/div>\n<h2><strong>Decompiler<\/strong><\/h2>\n<p>PyLingual Python Decompiler is a web-based tool for decompiling .pyc Python-compiled scripts. 
It performs bytecode-to-source conversion and can display notifications for any bytecode or syntax errors encountered during the process.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-103939 size-full\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler.png\" alt=\"pylingual python decompiler\" width=\"925\" height=\"528\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler.png 925w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler-300x171.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler-150x86.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler-768x438.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/pylingual-python-decompiler-657x375.png 657w\" sizes=\"(max-width: 925px) 100vw, 925px\" \/><\/p>\n<h2><strong>Ransomware_script.pyc<\/strong><\/h2>\n<ul>\n<li><strong>SHA-256: <\/strong><span style=\"color: #d32f2f;\">13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125<\/span><\/li>\n<li>A review of the strings extracted from this compiled Python payload reveals references to:\n<ul>\n<li>The original source filename <span style=\"color: #64a071;\">ransomware_script.py<\/span><\/li>\n<li>Qt-based UI components<\/li>\n<li>A ransom message is displayed to the user on the desktop<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Example string offsets:<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p><span style=\"color: #d32f2f;\">269<\/span><\/p>\n<p>QApplication)<\/p>\n<p><span style=\"color: #d32f2f;\">286<\/span> Ransomware<\/p>\n<p><span style=\"color: #d32f2f;\">298<\/span> __main__<\/p>\n<p><span style=\"color: #d32f2f;\">308<\/span> 
12345678z\\Your system is under attack.<\/p>\n<p>Pay 2.5 Bitcoin to address O to restore your filesimmediately.z<\/p>\n<p><span style=\"color: #d32f2f;\">412<\/span> 76665@tor.com)<\/p>\n<p><span style=\"color: #d32f2f;\">429<\/span> password<\/p>\n<p><span style=\"color: #d32f2f;\">439<\/span> ransom_message<\/p>\n<p><span style=\"color: #d32f2f;\">455<\/span> extensions<\/p>\n<p><span style=\"color: #d32f2f;\">467<\/span> email)<\/p>\n<p><span style=\"color: #d32f2f;\">485<\/span> shutil<\/p>\n<p><span style=\"color: #d32f2f;\">493<\/span> PyQt5.QtWidgetsr<\/p>\n<p><span style=\"color: #d32f2f;\">515<\/span> ransomwarer<\/p>\n<p><span style=\"color: #d32f2f;\">532<\/span> __name__<\/p>\n<p><span style=\"color: #d32f2f;\">542<\/span> argv<\/p>\n<p><span style=\"color: #d32f2f;\">553<\/span> show<\/p>\n<p><span style=\"color: #d32f2f;\">559<\/span> exit<\/p>\n<p><span style=\"color: #d32f2f;\">565<\/span> exec_<\/p>\n<p><span style=\"color: #d32f2f;\">579<\/span> ransomware_script.py<\/p>\n<p><span style=\"color: #d32f2f;\">601<\/span> &lt;module&gt;r<\/p>\n<\/div>\n<h3><strong>ransomware_script.pyc_Decompiled.py<\/strong><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>SHA-256: <\/strong><span style=\"color: #d32f2f;\">1bad4b0f42e1d2dd8aacadf0a994b82082d159ee210ebc6d5628587643d03ea1<\/span><\/li>\n<li><strong>Decompilation status:<\/strong> No syntax errors<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong><strong>IOC verification:<\/strong><\/strong><\/li>\n<\/ul>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>IOCs % shasum -a <span style=\"color: #d32f2f;\">256<\/span> ransomware_script.pyc_Decompiled.py<\/p>\n<p><span style=\"color: #d32f2f;\">1bad4b0f42e1d2dd8aacadf0a994b82082d159ee210ebc6d5628587643d03ea1<\/span> ransomware_script.pyc_Decompiled.py<\/p>\n<\/div>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-103940 size-full\" 
src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_.png\" alt=\"ransomware_script.pyc\" width=\"929\" height=\"523\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_.png 929w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_-300x169.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_-150x84.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_-768x432.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware_script.pyc_-657x370.png 657w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><\/p>\n<h3><strong>PYZ-00.pyz_extracted\/ransomware.pyc<\/strong><\/h3>\n<ul>\n<li><strong>SHA-256: <\/strong><span style=\"color: #d32f2f;\">442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7<\/span><\/li>\n<\/ul>\n<p>Searching for ransom-related strings in this compiled file confirms multiple symbols tied to ransomware behavior:<\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted % str .\/PYZ-00.pyz_extracted\/ransomware.pyc | grep -i ransom<\/p>\n<p><span style=\"color: #d32f2f;\">500<\/span> Ransomware<\/p>\n<p><span style=\"color: #d32f2f;\">733<\/span> ransom_message<\/p>\n<p><span style=\"color: #d32f2f;\">834<\/span> ransomware.pyr<\/p>\n<p><span style=\"color: #d32f2f;\">854<\/span> Ransomware.__init__<\/p>\n<p><span style=\"color: #d32f2f;\">1737<\/span> !Ransomware-EducationalUseOnly<\/p>\n<p><span style=\"color: #d32f2f;\">2091<\/span> ransom_note<\/p>\n<p><span style=\"color: #d32f2f;\">2140<\/span> Ransomware.initUI<\/p>\n<p><span style=\"color: #d32f2f;\">2898<\/span> Ransomware.encrypt_all_drives.<\/p>\n<p><span 
style=\"color: #d32f2f;\">3732<\/span> Ransomware.encrypt_drive4<\/p>\n<p><span style=\"color: #d32f2f;\">4229<\/span> ,Ransomware.should_encrypt.&lt;locals&gt;.&lt;genexpr&gt;C<\/p>\n<p><span style=\"color: #d32f2f;\">4366<\/span> Ransomware.should_encrypt@<\/p>\n<p><span style=\"color: #d32f2f;\">4715<\/span> RANSOM_NOTE.txtr<\/p>\n<p><span style=\"color: #d32f2f;\">4898<\/span> )Ransomware.is_excluded.&lt;locals&gt;.&lt;genexpr&gt;H<\/p>\n<p><span style=\"color: #d32f2f;\">5431<\/span> Ransomware.is_excludedE<\/p>\n<p><span style=\"color: #d32f2f;\">6277<\/span> Ransomware.encrypt_fileN<\/p>\n<p><span style=\"color: #d32f2f;\">7370<\/span> RansomwareDecryptor<\/p>\n<p><span style=\"color: #d32f2f;\">7504<\/span> Ransomware.decrypt_files^<\/p>\n<p><span style=\"color: #d32f2f;\">7885<\/span> Ransomware.update_progresso<\/p>\n<p><span style=\"color: #d32f2f;\">8173<\/span> !Ransomware.on_decryption_completer<\/p>\n<p><span style=\"color: #d32f2f;\">9090<\/span> 3. SendtheBitcointotheaddressspecifiedintheRANSOM_NOTE.txtfile.<\/p>\n<p><span style=\"color: #d32f2f;\">9444<\/span> ransom_note_path<\/p>\n<p><span style=\"color: #d32f2f;\">9502<\/span> Ransomware.create_instructionsv<\/p>\n<p><span style=\"color: #d32f2f;\">10363<\/span> RansomwareDecryptor.__init__<\/p>\n<p><span style=\"color: #d32f2f;\">11336<\/span> *RansomwareDecryptor.run.&lt;locals&gt;.&lt;genexpr&gt;<\/p>\n<p><span style=\"color: #d32f2f;\">11664<\/span> RansomwareDecryptor.run<\/p>\n<p><span style=\"color: #d32f2f;\">12350<\/span> !RansomwareDecryptor.decrypt_drive<\/p>\n<p><span style=\"color: #d32f2f;\">13354<\/span> RansomwareDecryptor.decrypt_file<\/p>\n<\/div>\n<h3><strong>ransomware.pyc_Decompiled.py<\/strong><\/h3>\n<ul>\n<li><strong>SHA-256: <\/strong><span style=\"color: #d32f2f;\">9c9611ac997d3bf2a513e0c7caa2cc94acf60921cc30d4e65710b6a479775011<\/span><\/li>\n<li><strong>Decompilation status:<\/strong> Contains several syntax errors<\/li>\n<li><strong>IOC verification:<\/strong><\/li>\n<\/ul>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>IOCs % shasum -a <span style=\"color: #d32f2f;\">256<\/span> ransomware.pyc_Decompiled.py<\/p>\n<p><span style=\"color: #d32f2f;\">9c9611ac997d3bf2a513e0c7caa2cc94acf60921cc30d4e65710b6a479775011<\/span> ransomware.pyc_Decompiled.py<\/p>\n<\/div>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-103942 size-full\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1.png\" alt=\"ransomware.pyc\" width=\"926\" height=\"527\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1.png 926w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1-300x171.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1-150x85.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1-768x437.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-1-657x374.png 657w\" sizes=\"(max-width: 926px) 100vw, 926px\" \/><\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-103941\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2.png\" alt=\"ransomware.pyc\" width=\"929\" height=\"529\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2.png 929w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2-300x171.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2-150x85.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2-768x437.png 768w, 
https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware.pyc-2-657x374.png 657w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><\/p>\n<h4><strong>Python Application Behavior<\/strong><\/h4>\n<p>The decompiled scripts define a Qt-based UI designed to simulate a ransomware attack. Key features include:<\/p>\n<ul>\n<li>A <strong>rogue application window<\/strong> created using <span style=\"color: #64a071;\">QtWidgets<\/span><\/li>\n<li>Functions implementing the file encryption and decryption logic<\/li>\n<li>GUI prompts that display the ransom instructions<\/li>\n<\/ul>\n<p><strong>Class and function definitions:<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>IOCs % cat ransomware.pyc_Decompiled.py | grep -i <span style=\"color: #1976d2;\">class<\/span><\/p>\n<p><span style=\"color: #1976d2;\">class<\/span> Ransomware(QMainWindow):<\/p>\n<p><span style=\"color: #1976d2;\">class<\/span> RansomwareDecryptor(QThread):<\/p>\n<p>IOCs % cat ransomware.pyc_Decompiled.py | grep -i <span style=\"color: #1976d2;\">def<\/span><\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> __init__(self, password, ransom_message, extensions, email):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> initUI(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> encrypt_all_drives(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> encrypt_drive(self, drive):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> should_encrypt(self, file_path):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> is_excluded(self, file_path):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> encrypt_file(self, file_path, key, salt):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> decrypt_files(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> update_progress(self, value):<\/p>\n<p><span style=\"color: 
#1976d2;\">def<\/span> on_decryption_complete(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> create_instructions(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> __init__(self,password, progress_bar):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> run(self):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> decrypt_drive(self, drive):<\/p>\n<p><span style=\"color: #1976d2;\">def<\/span> decrypt_file(self, file_path, password):<\/p>\n<\/div>\n<h3><strong>Consequences on the Target System<\/strong><\/h3>\n<p>This sample is for educational purposes only. When executed in a sandboxed environment, it does <strong>not<\/strong> cause any destructive impact.<\/p>\n<p>Upon execution, the Qt-based UI displays a message claiming that the victim\u2019s files have been encrypted, demanding <strong>2.5 Bitcoin<\/strong> to unlock them.<\/p>\n<p>Additionally, the malware drops <strong>two files<\/strong> on the user\u2019s desktop:<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-103943\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only.png\" alt=\"ransomware popup - educational use only\" width=\"920\" height=\"404\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only.png 920w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only-300x132.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only-150x66.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only-768x337.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/06\/ransomware-popup-educational-use-only-657x289.png 657w\" sizes=\"(max-width: 920px) 100vw, 920px\" \/><\/p>\n<p><strong>(1) 
INSTRUCTIONS.txt<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>How to pay with Bitcoin:<\/p>\n<ol>\n<li>Go to a Bitcoin exchange platform (e.g., Coinbase, Binance)<\/li>\n<li>Create an account and purchase the necessary amount of Bitcoin<\/li>\n<li>Send the Bitcoin to the address specified in the .txt file<\/li>\n<li>After the payment, email the transaction ID to 76665@tor.com<\/li>\n<\/ol>\n<p>Note: Ensure that you follow the instructions carefully to recover your files.<\/p>\n<\/div>\n<p><strong>(2) RANSOM_NOTE.txt<\/strong><\/p>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p>Your system is under attack. Pay 2.5 Bitcoin to the address to restore your files immediately.<\/p>\n<\/div>\n<p>No encrypted files were detected during live execution.<\/p>\n<p>This sample also does not implement persistence. However, other threat types, such as information stealers or keyloggers, may add launch daemons to persist across reboots or user sessions.<\/p>\n<h2><strong>Detection<\/strong><\/h2>\n<p>Intego\u2019s antivirus solution can detect malicious PyInstaller-packed Mach-O binaries as well as compiled (.pyc) and decompiled Python scripts. When such threats are detected, Intego\u2019s users are presented with a cleanup option and can choose to delete the identified files immediately.<\/p>\n<h3><strong>Detection Log Summary<\/strong><\/h3>\n<div style=\"background-color: #f0f0f0; padding: 15px; border-radius: 5px; border: 1px solid #ccc;\">\n<p><span style=\"color: #64a071;\">&#8220;trojan:OSX\/Ransomware.ext&#8221;<\/span> found in <span style=\"color: #64a071;\">&#8220;.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0 by engines: antiviralLib&#8221;<\/span>. Action performed: none.<\/p>\n<p>&nbsp;<\/p>\n<p>Cleanup analysis:<\/p>\n<p>1 item(s) to clean:<\/p>\n<p>.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<p>1 action(s) to run:<\/p>\n<p>Role:Destructive &#8211; When:On update &#8211; delete file at path<\/p>\n<p>.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #64a071;\">&#8220;trojan:Python\/Ransomware.gen&#8221;<\/span> found in <span style=\"color: #64a071;\">&#8220;.\/IOCs\/ransomware_script.pyc_Decompiled.py by engines: antiviralLib&#8221;<\/span>. Action performed: none.<\/p>\n<p>Cleanup analysis:<\/p>\n<p>1 item(s) to clean:<\/p>\n<p>.\/IOCs\/ransomware_script.pyc_Decompiled.py<\/p>\n<p>1 action(s) to run:<\/p>\n<p>Role:Destructive &#8211; When:On update &#8211; delete file at path .\/IOCs\/ransomware_script.pyc_Decompiled.py<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #64a071;\">&#8220;trojan:Python\/Ransomware.gen&#8221;<\/span> found in <span style=\"color: #64a071;\">&#8220;.\/IOCs\/ransomware.pyc_Decompiled.py by engines: antiviralLib&#8221;<\/span>. Action performed: none.<\/p>\n<p>Cleanup analysis:<\/p>\n<p>1 item(s) to clean:<\/p>\n<p>.\/IOCs\/ransomware.pyc_Decompiled.py<\/p>\n<p>1 action(s) to run:<\/p>\n<p>Role:Destructive &#8211; When:On update &#8211; delete file at path .\/IOCs\/ransomware.pyc_Decompiled.py<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #64a071;\">&#8220;trojan:Python\/Ransomware.gen&#8221;<\/span> found in <span style=\"color: #64a071;\">&#8220;.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip\/PYZ-00.pyz_extracted\/ransomware.pyc by engines: antiviralLib&#8221;<\/span>. 
Action performed: none.<\/p>\n<p>Cleanup analysis:<\/p>\n<p>1 item(s) to clean:<\/p>\n<p>.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip<\/p>\n<p>1 action(s) to run:<\/p>\n<p>Role:Destructive &#8211; When:On update &#8211; delete file at path .\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #64a071;\">&#8220;trojan:Python\/Ransomware.gen&#8221;<\/span> found in <span style=\"color: #64a071;\">&#8220;.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip\/ransomware_script.pyc by engines: antiviralLib&#8221;.<\/span> Action performed: none.<\/p>\n<p>Cleanup analysis:<\/p>\n<p>1 item(s) to clean:<\/p>\n<p>.\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip<\/p>\n<p>1 action(s) to run:<\/p>\n<p>Role:Destructive &#8211; When:On update &#8211; delete file at path .\/IOCs\/f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0_extracted.zip<\/p>\n<\/div>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>PyInstaller may have been designed for convenience, but in attackers\u2019 hands it becomes a formidable tool for building cross-platform, stealthy, and modular malware. Its use on macOS is a concern for the evolution of malware delivery because it combines Python\u2019s flexibility with native execution.<\/p>\n<p>Security professionals must stay vigilant, refine their tooling, and educate others on how these threats bypass traditional detection. 
As malware increasingly blurs platform boundaries, defenders must adapt, decode, and disarm \u2014 one binary at a time.<\/p>\n<h3><strong>IOCs<\/strong><\/h3>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #f0f0f0;\"><strong>Name<\/strong><\/td>\n<td style=\"background-color: #f0f0f0;\"><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr>\n<td>ransomware_script<\/td>\n<td>f123e1513bc86ab157c5360d879fe569e54e4955eaee64be8c3232ef3f4f54e0<\/td>\n<\/tr>\n<tr>\n<td>ransomware_script.pyc<\/td>\n<td>13a35628258d7c5d3c97db15489e66d393324a73607288a30d6c844262af1125<\/td>\n<\/tr>\n<tr>\n<td>ransomware.pyc<\/td>\n<td>442df258ad8352966da9ba43bdb6a338ce9952e6912dbda3be5560b8dd12a1e7<\/td>\n<\/tr>\n<tr>\n<td>ransomware_script.pyc_Decompiled.py<\/td>\n<td>1bad4b0f42e1d2dd8aacadf0a994b82082d159ee210ebc6d5628587643d03ea1<\/td>\n<\/tr>\n<tr>\n<td>ransomware.pyc_Decompiled.py<\/td>\n<td>9c9611ac997d3bf2a513e0c7caa2cc94acf60921cc30d4e65710b6a479775011<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><strong>Dissection Tools and Techniques for Analysts<\/strong><\/h3>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #f0f0f0;\"><strong>Tool<\/strong><\/td>\n<td style=\"background-color: #f0f0f0;\"><strong>Use Case<\/strong><\/td>\n<\/tr>\n<tr>\n<td>PyInstaller Extractor WEB<\/td>\n<td>Online tool for extracting embedded .pyz archives from PyInstaller executables (like pyinstxtractor)<\/td>\n<\/tr>\n<tr>\n<td>PyLingual Python Decompiler<\/td>\n<td>Web-based tool for decompiling .pyc (compiled Python) files into .py source<\/td>\n<\/tr>\n<tr>\n<td>Hopper<\/td>\n<td>Disassembler and decompiler for inspecting and debugging Mach-O binaries<\/td>\n<\/tr>\n<tr>\n<td>IDA Pro<\/td>\n<td>Advanced disassembler used by experienced reverse engineers<\/td>\n<\/tr>\n<tr>\n<td>Binary Ninja<\/td>\n<td>Versatile tool for disassembly, decompilation, debugging, and binary analysis; includes cloud-based options<\/td>\n<\/tr>\n<tr>\n<td>otool \/ codesign<\/td>\n<td>Command-line tools for viewing embedded 
code signatures and runtime libs in Mach-O binaries<\/td>\n<\/tr>\n<tr>\n<td>MachO-Explorer<\/td>\n<td>GUI-based utility to visualize and analyze the internal structure of Mach-O files<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":115,"featured_media":103945,"categories":[190,13],"yoast_head_json":{"canonical":"https:\/\/www.intego.com\/mac-security-blog\/pyinstaller-macos-malware-vector\/","og_title":"How PyInstaller Enables macOS Malware - The Mac Security Blog","article_published_time":"2025-06-29T10:31:55+00:00","article_modified_time":"2025-06-29T10:32:13+00:00","twitter_misc":{"Written by":"Frederic Blaison","Est. reading time":"18 minutes"}}}