{"id":95194,"date":"2022-01-25T23:59:17","date_gmt":"2022-01-26T07:59:17","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=95194"},"modified":"2022-01-27T14:31:49","modified_gmt":"2022-01-27T22:31:49","slug":"dazzlespy-mac-malware-used-in-targeted-attacks","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/dazzlespy-mac-malware-used-in-targeted-attacks\/","title":{"rendered":"DazzleSpy Mac Malware Used in Targeted Attacks"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-95239\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/01\/OSX-DazzleSpy-Mac-malware-logo-600x300-1.png\" alt=\"OSX\/DazzleSpy Mac malware logo\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/01\/OSX-DazzleSpy-Mac-malware-logo-600x300-1.png 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/01\/OSX-DazzleSpy-Mac-malware-logo-600x300-1-300x150.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/01\/OSX-DazzleSpy-Mac-malware-logo-600x300-1-150x75.png 150w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>DazzleSpy is the latest Mac malware to make headlines. 
Intriguingly, it has the hallmarks of a state-sponsored, cyber-espionage campaign.<\/p>\n<p>Intego detects this malware&#8217;s various components as <strong>OSX\/DazzleSpy<\/strong>, <strong>OSX\/CDDS<\/strong>, <strong>OSX\/Exploit.Agent.C<\/strong>, and <strong>JS\/Exploit.Agent.NQK<\/strong>.<\/p>\n<p>Let&#8217;s examine this threat and what makes it unique and interesting.<\/p>\n<p>In this article:<\/p>\n<ul>\n<li><a href=\"#how-discovered\">How was DazzleSpy discovered?<\/a><\/li>\n<li><a href=\"#potential-harm\">What does DazzleSpy do to an infected computer?<\/a><\/li>\n<li><a href=\"#how-to-remove\">How can one remove or prevent DazzleSpy and other threats?<\/a><\/li>\n<li><a href=\"#about-domains\">What do we know about DazzleSpy-affiliated domains?<\/a><\/li>\n<li><a href=\"#who-created\">Who created DazzleSpy malware?<\/a><\/li>\n<li><a href=\"#iocs\">Indicators of compromise (IoCs)<\/a><\/li>\n<li><a href=\"#other-names\">Is DazzleSpy known by any other names?<\/a><\/li>\n<li><a href=\"#learn-more\">How can I learn more?<\/a><a name=\"how-discovered\"><\/a><\/li>\n<\/ul>\n<h3>How was DazzleSpy discovered?<\/h3>\n<p>In November 2021, teams from Google and ESET were independently researching a Mac malware campaign. The campaign leveraged what&#8217;s known as a watering hole attack\u2014where a group of people with a common interest is specifically targeted for infection. In this case, evidently the targeted class was people advocating for democracy in Hong Kong.<\/p>\n<p>Erye Hernandez from Google&#8217;s Threat Analysis Group (TAG) first <a href=\"https:\/\/blog.google\/threat-analysis-group\/analyzing-watering-hole-campaign-using-macos-exploits\/\" target=\"_blank\" rel=\"noopener\">published<\/a> about the campaign on November 11. 
Hernandez noted that the watering hole campaign leveraged a vulnerability (CVE-2021-30869) that did not affect the then-current version of macOS Big Sur, but was exploitable on macOS Catalina.<\/p>\n<p>Apple later released a patch for Catalina, as well as for iOS 12.5.5, on September 23 (as Intego noted <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-ios-12-5-5-for-older-iphone-ipad-ipod-touch-devices\/\">here<\/a>). On the same day, Apple updated its security release notes for macOS Big Sur 11.2\u2014which had been released way back on February 1\u2014to acknowledge that the update had fixed the vulnerability nearly eight months earlier.<\/p>\n<p>It&#8217;s quite interesting that Apple secretively patched a vulnerability in February for the then-latest macOS version, neglecting to patch it for other operating systems that were ostensibly still supported at the time\u2014and only admitting to it, and patching other affected operating systems, when the vulnerability was caught being used in the wild. As we&#8217;ve said before, <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/\">Apple&#8217;s poor patching policies potentially make users&#8217; security and privacy precarious<\/a>. 
It&#8217;s safest to stay up to date with the very latest version of Apple&#8217;s operating systems; older versions may get some, but not all, important security fixes.<\/p>\n<p>Hernandez stated that Google believed &#8220;this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.&#8221; Google called the payload&#8217;s malware family &#8220;MACMA,&#8221; which Patrick Wardle nicknamed &#8220;CDDS&#8221; based on its repeated code strings.<\/p>\n<p>This week, ESET researchers Marc-Etienne M.L\u00e9veill\u00e9 and Anton Cherepanov <a href=\"https:\/\/www.welivesecurity.com\/2022\/01\/25\/watering-hole-deploys-new-macos-malware-dazzlespy-asia\/\" target=\"_blank\" rel=\"noopener nofollow\">published<\/a> findings from their own independent research of the same watering hole attack campaign. 
Although their analysis led to a different payload from the one observed by Google, they came to similar conclusions about the threat actor: &#8220;Given the complexity of the exploits used in this campaign, we [assess] that the group behind this operation has strong technical capabilities.&#8221; The researchers noted that the threat actor had non-public knowledge about a particular WebKit vulnerability, and used a clever method to force end-to-end encryption between infected Macs and the command-and-control (C&amp;C) server.<\/p>\n<p>ESET determined that it had received a different malware payload from the one Google had received, and dubbed the malware family &#8220;DazzleSpy.&#8221;<a name=\"potential-harm\"><\/a><\/p>\n<h3>What does DazzleSpy do to an infected computer?<\/h3>\n<p>DazzleSpy appears to have a wide variety of capabilities, mostly focused on spying on the user and stealing sensitive information. Among other things, DazzleSpy can:<\/p>\n<ul>\n<li>collect the Mac username, Wi-Fi SSID (network name), IP address, and other potentially identifying information about the victim and their Mac<\/li>\n<li>create lists of all files in the Desktop, Documents, or Downloads folders, and allow an attacker to search for files<\/li>\n<li>allow an attacker to view the screen of, and remotely control, a victim&#8217;s Mac<\/li>\n<li>steal passwords from the victim&#8217;s keychain, if their operating system is old enough (by exploiting CVE-2019-8526)<\/li>\n<li>exfiltrate data to an attacker-controlled server<\/li>\n<li>bypass Gatekeeper by removing the com.apple.quarantine metadata from a file<\/li>\n<li>continue to actively infect a Mac after it reboots (via a LaunchAgent)<\/li>\n<li>remove itself (i.e. in case a victim discovers that their Mac is infected and tries to get expert help)<\/li>\n<\/ul>\n<p>Another Mac malware threat distributed through the same sites and methods, dubbed Macma or CDDS, became widely known after Google published its report in November. 
This malware has several of the same capabilities as DazzleSpy. Google&#8217;s assessment of Macma malware did not specify whether it could potentially export keychain passwords; however, Google did say that Macma can record audio and log keystrokes.<a name=\"how-to-remove\"><\/a><\/p>\n<h3>How can one remove or prevent DazzleSpy and other threats?<\/h3>\n<p>Unfortunately, the threat mitigation features that Apple has built into macOS\u2014such as notarization, Gatekeeper, XProtect, and MRT\u2014do not block many types of threats. Thus, Apple\u2019s own macOS protection methods are insufficient by themselves.<\/p>\n<p><em>Related: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/do-macs-need-antivirus-software\/\">Do Macs need antivirus software?<\/a><\/em><\/p>\n<p><img loading=\"lazy\" class=\"alignright size-medium wp-image-54214\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\" alt=\"Intego X9 software boxes\" width=\"200\" height=\"100\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-150x75.png 150w, 
https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch.png 600w\" sizes=\"(max-width: 200px) 100vw, 200px\" \/>Intego VirusBarrier X9, included with <strong><a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">Intego&#8217;s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate DazzleSpy and Macma\/CDDS malware. VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple\u2019s mitigation methods.<\/p>\n<p>If you believe your Mac may have been infected, or to prevent future infections, it&#8217;s best to use antivirus software from a trusted Mac developer that includes <a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-your-antivirus-needs-real-time-scanning\/\">real-time scanning<\/a>, such as <a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">Intego VirusBarrier X9<\/a>\u2014which also protects Macs from M1-native malware, cross-platform malware, and more. <strong>Intego recently earned a 100% detection rating for Mac malware<\/strong> in two independent tests conducted by <a href=\"https:\/\/www.av-comparatives.org\/tests\/mac-security-test-review-2021\/#intego\" target=\"_blank\" rel=\"noopener\">AV-Comparatives<\/a> and <a href=\"https:\/\/www.av-test.org\/en\/antivirus\/home-macos\/macos-bigsur\/june-2021\/intego-virusbarrier-10.9-215205\/\" target=\"_blank\" rel=\"noopener\">AV-TEST<\/a>.<\/p>\n<p>And if you&#8217;re a Windows user, <a href=\"https:\/\/www.intego.com\/intego-antivirus\"><strong>Intego Antivirus for Windows<\/strong><\/a> can protect your PC, too.<\/p>\n<p><span style=\"font-size: small;\">Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. 
It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.<\/span><a name=\"about-domains\"><\/a><\/p>\n<h3>What do we know about DazzleSpy-affiliated domains?<\/h3>\n<p>Both <strong>amnestyhk[.]org<\/strong> and <strong>fightforhk[.]com<\/strong> appear to have been registered by a threat actor for the specific purpose of targeting supporters of Hong Kong democracy.<\/p>\n<p>But more specifically, given the exploits and malware used in these campaigns, it seems that the threat actor was targeting Mac users in particular for some reason\u2014and perhaps even users of macOS Catalina (or older) on Intel-based Macs.<\/p>\n<p>Given this very precise degree of targeting, it&#8217;s possible that one particular person, or a small group of people, may have been the primary target.<\/p>\n<p>Two other domains used in these campaigns, <strong>apple-webservice[.]com<\/strong> and <strong>appleid-server[.]com<\/strong>, are clearly intended to look like Apple domains at a glance, or to a novice. However, Apple doesn&#8217;t own either domain. Both were registered with GoDaddy in August 2021, and the registration information for both domains was last updated on November 11\u2014the same day that Google&#8217;s blog post exposed them. 
There are indications that at least one of the domains may have been reused for other malicious campaigns on or after that date (see <a href=\"https:\/\/vulners.com\/rst\/RST:A7534228-2680-3198-8E77-48A589BC6DFF\" target=\"_blank\" rel=\"noopener nofollow\">Vulners<\/a> and <a href=\"https:\/\/www.hybrid-analysis.com\/sample\/3fa6747b05fa9a4d1b4c430f58e56ec5d51b5c32a9322004351ba06794efa979?environmentId=120\" target=\"_blank\" rel=\"noopener nofollow\">Hybrid Analysis<\/a> reports).<a name=\"who-created\"><\/a><\/p>\n<h3>Who created DazzleSpy malware?<\/h3>\n<p>It seems clear that whoever distributed DazzleSpy was not in favor of Hong Kong democracy, given that the malware was distributed through sites that claimed to be pro-democracy in Hong Kong.<\/p>\n<p>Interestingly, we may know the name of one of the developers of the malware. Several text strings embedded in DazzleSpy&#8217;s code seem to reveal the username on the developer&#8217;s Mac as &#8220;wangping&#8221;:<\/p>\n<p><code>\/Users\/wangping\/pangu\/create_source\/poke\/osxrk_commandLine\/<\/code><\/p>\n<p>Of course, it&#8217;s entirely possible that this is a false flag. 
Given the sophistication of other aspects of the malware campaign, it seems sloppy for the developer to reveal their name in this way.<\/p>\n<p>On the other hand, such a goof isn&#8217;t unprecedented; see <a href=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/07\/Intego-Mac-Malware-Attribution-White-Paper-20190601.pdf\">Intego&#8217;s white paper on Mac malware attribution<\/a> (PDF).<a name=\"iocs\"><\/a><\/p>\n<h3>Indicators of compromise (IoCs)<\/h3>\n<p>The following SHA-256 hashes belong to known files associated with DazzleSpy, CDDS\/Macma, and related malware campaigns:<\/p>\n<pre>Mach-O binary files:\r\n341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27\r\n4c67717fdf1ba588c8be62b6137c92d344a7d4f46b24fa525e5eaa3de330b16c\r\n570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6\r\n623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a\r\n8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f\r\n9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70\r\na63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97\r\nbbbfe62cf15006014e356885fbc7447e3fd37c3743e0522b1f8320ad5c3791c9\r\ncf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8\r\nd599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4\r\ndf5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144\r\nf9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348\r\n\r\nJavaScript files:\r\n7965c61a4581f4b2f199595a6b3f0a416fe49bd8eaac0538e37e050d893f9e3c\r\n9d9695f5bb10a11056bf143ab79b496b1a138fbeb56db30f14636eed62e766f8\r\nbc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9\r\ncbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c\r\n\r\nBash shell script file:\r\nf31e42c04f0cb27fddb968a59088c4f1f099ca499baf3b1f045d7639f72a8b62\r\n\r\nDisk image file:\r\nf0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc\r\n\r\nProbable sample of an encrypted server.enc 
file:\r\n3d20386ce4ab7094314afd30bc12a623369cf93df84c90238251220844074834*\r\n\r\nRelated Android ELF malware files:\r\n5d2a59720f23838eb72a6fb2003edea71551e5b02eac8b68be7bc02b67a5c5e8\r\n5fff034e2a96d6b868957a1b43042d62107b253d64ac8daca8c1530e59e3df97\r\n\r\n*first reported by Intego<\/pre>\n<p>The following files and folders may potentially be found on an infected Mac:<\/p>\n<pre>~\/.local\/security.zip\r\n~\/.local\/security\/keystealDaemon\r\n~\/.local\/security\/libkeystealClient.dylib\r\n~\/.local\/softwareupdate\r\n~\/Library\/LaunchAgents\/com.apple.softwareupdate.plist\r\n~\/Library\/LaunchAgents\/com.UserAgent.va.plist\r\n~\/Library\/Preferences\/lib\/UserAgent\r\n~\/Library\/Preferences\/Tools\/\r\n~\/Library\/Preferences\/Tools\/arch\r\n~\/Library\/Preferences\/Tools\/at\r\n~\/Library\/Preferences\/Tools\/kAgent\r\n~\/Library\/Preferences\/UserAgent\/lib\/Data\/\r\n~\/Library\/Preferences\/UserAgent\/lib\/UserAgent\r\n~\/Library\/Safari\/Safari.app\/Contents\/MacOS\/UpdateHelper\r\n<\/pre>\n<p>Note that <code>~<\/code> denotes the user&#8217;s home folder, e.g. <code>\/Users\/username<\/code>.<\/p>\n<p>It&#8217;s also important to note that the <code>~\/.local<\/code> folder mentioned above is typically invisible. By default, macOS hides folders and files with names that begin with a period character. You can reveal hidden files and folders by pressing \u2318\u21e7. (Command-Shift-period) in the Finder. However, be aware that most hidden items are not malicious, so avoid deleting or moving hidden items to the Trash unless you are certain that they are harmful.<\/p>\n<p>The following IP addresses, domains, and URLs have been observed to have ties with this malware or related campaigns. 
Network administrators can check logs to try to identify whether any computers on their network may have attempted to contact one of these IPs or domains between August and November 2021, or possibly afterward.<\/p>\n<pre>88.218.192[.]128:5633\r\n103.255.44[.]56:8371\r\n103.255.44[.]56:8372\r\n123.1.170[.]152\r\n207.148.102[.]208\r\namnestyhk[.]org\r\napple-webservice[.]com\r\nappleid-server[.]com\r\nfightforhk[.]com\r\nhttp:\/\/103.255.44[.]56:8371\/00AnW8Lt0NEM.html\r\nhttp:\/\/103.255.44[.]56:8371\/iWBveXrdvQYQ?rid=*\r\nhttp:\/\/103.255.44[.]56:8371\/pld?rid=*\r\nhttp:\/\/103.255.44[.]56:8371\/SxYm5vpo2mGJ?rid=*\r\nhttp:\/\/103.255.44[.]56:8372\/6nE5dJzUM2wV.html\r\nhttps:\/\/amnestyhk[.]org\/ss\/4ba29d5b72266b28.html\r\nhttps:\/\/amnestyhk[.]org\/ss\/defaultaa.html\r\nhttps:\/\/amnestyhk[.]org\/ss\/mac.js\r\nhttps:\/\/amnestyhk[.]org\/ss\/server.enc\r\nhttps:\/\/appleid-server[.]com\/EvgSOu39KPfT.html\r\nhttps:\/\/appleid-server[.]com\/server.enc\r\nhttps:\/\/www.apple-webservice[.]com\/7pvWM74VUSn2.html<\/pre>\n<p>Note that <code>*<\/code> is used as a wildcard character above.<\/p>\n<p>Although the following URL is not malicious, it was compromised (hacked) during a portion of the timeframe mentioned above. 
Therefore, computers that visited this site around that time may potentially have become infected:<br \/>\n<a name=\"other-names\"><\/a><\/p>\n<pre>https:\/\/bc.d100[.]net\/Product\/Subscription [no longer infected]<\/pre>\n<h3>Is DazzleSpy known by any other names?<\/h3>\n<p>Other vendors&#8217; names for threat components from this malware campaign may include variations of the following:<\/p>\n<p><span style=\"font-size: small;\">Adware\/Macma!OSX, Artemis!Trojan, ASP.Webshell, Backdoor:MacOS\/Macma.A!MTB, Backdoor:MacOS\/Macma.B!MTB, Backdoor:MacOS\/Macma.C!MTB, Backdoor:MacOS\/Vigorf.A, Backdoor\/JS.Macma, Backdoor\/OSX.Macma.1194193, Backdoor\/OSX.Macma.2575107, BV:Macma-A [Trj], DazleSpy, Dropper.Agent\/Android!8.37E (CLOUD), E32\/DroidRooter.A, Elf.Trojan.A3445236, Exploit.Agent!8.1B, Exploit.Generic-JS.Save.a46a1bf8, Exploit\/JS.Generic, HEUR:Backdoor.OSX.Macma.a, HEUR:Exploit.Script.Generic, HEUR:Trojan-Dropper.AndroidOS.Agent.sk, HEUR:Trojan-Spy.OSX.Macma.a, HEUR:Trojan.OSX.Agent.gen, HEUR:Trojan.OSX.Agentb.gen, JS:Exploit-AH [Expl], JS.Exploit.ShellCode.c, JS\/Exploit.Agent.NQK, LINUX\/Agent.aj, Mac.BackDoor.Macma, Mac.Trojan-spy.Macma.Pepy, MacOS:Macma-A [Trj], MacOS:Macma-B [Trj], MacOS:Macma-C [Trj], MacOS:Macma-D [Trj], MacOS:Macma-E [Trj], macOS.Macma, MacOS\/Agent.gen, MacOS\/Macma.A, Malware.OSX\/Macma.lvyms, Malware.OSX\/Macma.nxnte, OSX.CDDS, OSX.DazzleSpy, OSX.S.Agent.1194193, OSX.S.Agent.2575107, Osx.Trojan.Agent.Llrp, OSX\/Agent.g, OSX\/Exploit.Agent.C, OSX\/Macma-A, OSX\/Macma.A!tr, OSX\/Macma.B!tr, OSX\/Macma.C!tr, OSX\/Macma.D!tr, OSX\/Macma.E!tr, OSX\/Macma.jhzzd, OSX\/Macma.lkoes, OSX\/Macma.lvyms, OSX\/Macma.lwxgs, OSX\/Macma.nxnte, OSX\/Macma.qmfus, OSX\/Macma.taejb, osxrk, PrivacyRisk.SPR\/ANDR.DroidRooter, RDN\/Generic.osx, Script.Trojan.45123.GC, Script.Trojan.A3298608, Script.Trojan.A3370311, SPR\/ANDR.DroidRooter.H.Gen, TROJ_FRS.0NA103A422, TROJ_FRS.0NA103KF21, TROJ_FRS.0NA103KT21, TROJ_FRS.0NA104KF21, TROJ_FRS.VSNTKG21, 
TROJ_FRS.VSNTKT21, Troj\/JSExp-X, Trojan:MacOS\/Macma.B, Trojan:Script\/Wacatac.B!ml, Trojan:Win32\/Casdet!rfn, Trojan:Win32\/Mamson.A!ml, Trojan.AndroidOS.Agent.C!c, Trojan.DroidRooter.Android.11, Trojan.DroidRooter.Android.88, Trojan.JS.DAZZLESPY.A, Trojan.Macma.OSX, Trojan.MacOS.MACMA.A, Trojan.Malscript, Trojan.OSX.Agentb.4!c, Trojan.OSX.Macma, Trojan.OSX.Macma.4!c, Trojan.OSX.Macma.l!c, Trojan.OSX.Macma.m!c, Trojan.Script.Generic.3!c, Trojan.UKP.Linux.4!c, TrojWare.Win32.UMal, VEX.Webshell, VirTool:Win32\/Aicat.A!ml<\/span><a name=\"learn-more\"><\/a><\/p>\n<h3>How can I learn more?<\/h3>\n<p>For additional technical details about the DazzleSpy malware, you can read the recent write-ups by\u00a0<a href=\"https:\/\/www.welivesecurity.com\/2022\/01\/25\/watering-hole-deploys-new-macos-malware-dazzlespy-asia\/\" target=\"_blank\" rel=\"noopener nofollow\">Marc-Etienne M.L\u00e9veill\u00e9 and Anton Cherepanov<\/a>\u00a0and <a href=\"https:\/\/objective-see.com\/blog\/blog_0x6D.html\" target=\"_blank\" rel=\"noopener nofollow\">Patrick Wardle<\/a>. For more back story and additional insights, you can also read the November 2021 write-ups by <a href=\"https:\/\/blog.google\/threat-analysis-group\/analyzing-watering-hole-campaign-using-macos-exploits\/\" target=\"_blank\" rel=\"noopener\">Erye Hernandez<\/a>, <a href=\"https:\/\/objective-see.com\/blog\/blog_0x69.html\" rel=\"noopener nofollow\">Patrick Wardle<\/a>, and <a href=\"https:\/\/www.sentinelone.com\/labs\/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma\/\" target=\"_blank\" rel=\"noopener nofollow\">Phil Stokes<\/a> about the related exploits and CDDS\/Macma malware.<\/p>\n<p>We discussed DazzleSpy on <a href=\"https:\/\/podcast.intego.com\/224\">episode 224<\/a> of the <a href=\"https:\/\/podcast.intego.com\/\"><strong>Intego Mac Podcast<\/strong><\/a>. 
Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\">follow the podcast<\/a> to make sure you don\u2019t miss any episodes!<\/p>\n<p>You can also subscribe to our <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-security-newsletter\/\"><strong>e-mail newsletter<\/strong><\/a> and keep an eye here on <a href=\"https:\/\/www.intego.com\/mac-security-blog\"><strong>The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don&#8217;t forget to follow Intego on your favorite social media channels: <a href=\"https:\/\/twitter.com\/IntegoSecurity\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>, <a href=\"https:\/\/www.facebook.com\/Intego\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>, <a href=\"https:\/\/www.youtube.com\/user\/IntegoVideo?sub_confirmation=1\" target=\"_blank\" rel=\"noopener\">YouTube<\/a>, <a href=\"https:\/\/www.pinterest.com\/intego\/\" target=\"_blank\" rel=\"noopener\">Pinterest<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/intego\" target=\"_blank\" rel=\"noopener\">LinkedIn<\/a>, <a href=\"https:\/\/www.instagram.com\/intego_security\/\" target=\"_blank\" rel=\"noopener\">Instagram<\/a>, and <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" target=\"_blank\" rel=\"noopener\">Apple Podcasts<\/a>.<\/p>\n<p><span style=\"font-size: x-small;\">DazzleSpy logo based 
on public domain <a href=\"https:\/\/www.flickr.com\/photos\/94125048@N08\/17174671849\" target=\"_blank\" rel=\"noopener noreferrer\">dazzle<\/a> and <a href=\"https:\/\/pixabay.com\/illustrations\/james-bond-spy-movie-credit-eye-5143053\/\" target=\"_blank\" rel=\"noopener noreferrer\">spy movie silhouette<\/a> images.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DazzleSpy is the latest Mac malware to make headlines. Intriguingly, it has the hallmarks of a state-sponsored, cyber-espionage campaign. Intego detects this malware&#8217;s various components as OSX\/DazzleSpy, OSX\/CDDS, OSX\/Exploit.Agent.C, and JS\/Exploit.Agent.NQK. Let&#8217;s examine this threat and what makes it unique and interesting. In this article: How was DazzleSpy discovered? What does DazzleSpy do to an [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":95240,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[2500,86,125],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"DazzleSpy is the latest Mac malware to make headlines. Intriguingly, it has the hallmarks of a state-sponsored, cyber-espionage campaign. Intego detects\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/dazzlespy-mac-malware-used-in-targeted-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DazzleSpy Mac Malware Used in Targeted Attacks - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"DazzleSpy is the latest Mac malware to make headlines. 
Intriguingly, it has the hallmarks of a state-sponsored, cyber-espionage campaign. Intego detects\" \/>","yoast_head_json":{"og_title":"DazzleSpy Mac Malware Used in Targeted Attacks - The Mac Security Blog","canonical":"https:\/\/www.intego.com\/mac-security-blog\/dazzlespy-mac-malware-used-in-targeted-attacks\/","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2022-01-26T07:59:17+00:00","article_modified_time":"2022-01-27T22:31:49+00:00","twitter_misc":{"Written by":"Joshua Long","Est. reading time":"10 minutes"},"keywords":["Gatekeeper","Malware","Spyware"],"articleSection":["Malware"]}}