Jamf Threat Labs has uncovered a new variant of the ChillyHell malware family—an advanced, modular backdoor for macOS that passed Apple’s notarization process and remained trusted for years. This discovery highlights both the persistence of macOS threats and the dangers of assuming notarized apps are inherently safe.
During routine analysis on VirusTotal, researchers noticed a peculiar file that relied on an unusual method of process reconnaissance. As Jamf explained, “Despite the malware family having been documented in the past, it remains unflagged by antivirus vendors.”
ChillyHell itself was first mentioned in a private 2023 Mandiant report, which tied it loosely to a threat actor targeting officials in Ukraine. According to that report, attackers compromised a government-mandated Ukrainian auto insurance website to distribute the MATANBUCHUS malware and later identified related macOS malware samples under the ChillyHell family.
Jamf’s latest find was uploaded to VirusTotal in May 2025 but had been notarized back in 2021 and publicly hosted on Dropbox ever since.
The sample, disguised as a legitimate app bundle (applet.app), is actually a modular C++ backdoor targeting Intel macOS systems. Instead of a real AppleScript applet, the malware includes a Mach-O executable masquerading as one.
Once executed, it follows a multi-step routine:
- Host Profiling: It enumerates users, environment variables, and active processes using system commands like dscl, ps, and whoami.
- Persistence: Depending on privilege, it installs itself as a LaunchAgent, LaunchDaemon, or injects commands into shell profiles like .zshrc.
- Deception: The malware daemonizes itself and even opens a decoy Google page to avoid arousing suspicion.
- Timestomping: It alters file timestamps to disguise its presence.

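The persistence and timestomping steps above are the ones a defender can hunt for on disk. The following script is an added example (not Jamf's code, and not code from the malware) that audits the launchd job directories and shell start-up files for jobs that run from unusual locations, profile lines that launch background processes, and files whose modification time predates their creation time. The LaunchAgent/LaunchDaemon paths are real macOS locations; the "unusual location" and "suspicious profile line" heuristics, the hypothetical `/tmp/.applet/applet` program path and the sample plists are assumptions constructed for the demonstration.

```python
"""Hunt for the persistence artifacts described above: launchd jobs and
shell-profile injection, plus a cheap timestomping check. Added defender
example, not Jamf's or the malware's code; the heuristics and the sample
paths are assumptions for illustration."""
import os
import plistlib
import re
import shutil
import tempfile
from pathlib import Path

# Real launchd search paths on macOS; "~" is expanded at scan time.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               "~/Library/LaunchAgents"]
SHELL_PROFILES = ["~/.zshrc", "~/.zprofile", "~/.bash_profile",
                  "~/.bashrc", "~/.profile"]

# Heuristics (assumptions): a launchd program living in a temp, shared or
# hidden directory is unusual; a shell profile line that backgrounds a
# process, decodes base64 or pipes curl into a shell is unusual too.
SUSPICIOUS_PROGRAM = re.compile(
    r"^(?:/tmp|/var/tmp|/private/tmp|/Users/Shared)/|/\.[^/]+/")
SUSPICIOUS_PROFILE_LINE = re.compile(
    r"\bnohup\b|(?<!&)&\s*$|(?:^|[\s\"'=])/(?:private/)?tmp/"
    r"|base64\s+-[dD]\b|\bcurl\b.*\|\s*(?:ba|z)?sh\b")

def looks_timestomped(mtime: float, birthtime) -> bool:
    """A file cannot be modified before it exists, so an mtime earlier than
    the birth time is a cheap timestomping tell (a tell, not proof)."""
    return birthtime is not None and mtime < birthtime - 1.0

def inspect_job(plist_path: Path) -> list:
    """Return findings for one LaunchAgent/LaunchDaemon plist."""
    try:
        job = plistlib.loads(plist_path.read_bytes())
    except Exception as exc:  # a malformed plist is itself worth a look
        return [f"{plist_path}: unparseable plist ({exc})"]
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    if not program:
        return [f"{plist_path}: no Program/ProgramArguments"]
    findings = []
    if SUSPICIOUS_PROGRAM.search(program):
        findings.append(f"{plist_path}: program in unusual location: {program}")
    target = Path(os.path.expanduser(program))
    if not target.exists():
        findings.append(f"{plist_path}: program missing on disk: {program}")
    for path in (plist_path, target):
        if path.exists():
            st = path.stat()
            # st_birthtime exists on macOS; fall back gracefully elsewhere
            if looks_timestomped(st.st_mtime, getattr(st, "st_birthtime", None)):
                findings.append(f"{path}: mtime predates birth time (timestomp?)")
    return findings

def inspect_profile(profile: Path) -> list:
    """Return suspicious lines from one shell start-up file."""
    if not profile.exists():
        return []
    lines = profile.read_text(errors="replace").splitlines()
    return [f"{profile}:{n}: {line.strip()}"
            for n, line in enumerate(lines, 1)
            if SUSPICIOUS_PROFILE_LINE.search(line.strip())]

def hunt(launch_dirs=LAUNCH_DIRS, profiles=SHELL_PROFILES) -> list:
    """Scan every launchd job and shell profile in the given locations."""
    findings = []
    for d in launch_dirs:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            findings.extend(inspect_job(plist))
    for p in profiles:
        findings.extend(inspect_profile(Path(p).expanduser()))
    return findings

def run_demo() -> list:
    """Build a constructed sample tree (not real artifacts) and hunt it."""
    root = Path(tempfile.mkdtemp(prefix="persistence-hunt-"))
    agents = root / "LaunchAgents"
    agents.mkdir()
    benign = {"Label": "com.example.ok",
              "ProgramArguments": [shutil.which("sh") or "/bin/sh", "-c", "true"]}
    # Hypothetical job mimicking a hidden applet dropped in /tmp (constructed).
    rogue = {"Label": "com.example.applet", "RunAtLoad": True,
             "ProgramArguments": ["/tmp/.applet/applet"]}
    (agents / "com.example.ok.plist").write_bytes(plistlib.dumps(benign))
    (agents / "com.example.applet.plist").write_bytes(plistlib.dumps(rogue))
    zshrc = root / ".zshrc"
    zshrc.write_text("export PATH=$HOME/bin:$PATH\n"
                     "nohup /tmp/.applet/applet >/dev/null 2>&1 &\n")
    return hunt([str(agents)], [str(zshrc)])

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running `hunt()` with its defaults scans the live machine; `run_demo()` exercises the same logic against a throwaway directory so the heuristics can be tuned before they are pointed at a fleet. The timestomp check only fires where the platform exposes a birth time, and it is deliberately conservative: a modification time older than the creation time is impossible for an untouched file, whereas a merely "old" modification time is not evidence on its own.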
As the analysis notes, “Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible.”
ChillyHell connects to attacker-controlled infrastructure via both HTTP and DNS TXT queries. Hardcoded IPs such as 93[.]88.75.252 and 148[.]72.172.53 are used with multiple ports for redundancy.
Its main execution loop follows a cycle of:
- Fetching tasks from the C2.
- Deduplicating them against previously executed jobs.
- Executing them via dynamically loaded modules.
- Sleeping randomly between 60–120 seconds to evade detection.
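The fixed sleep window in that loop is itself a detection opportunity: a host that returns to the same address every 60 to 120 seconds, across whatever ports the implant rotates through, stands out against ordinary traffic. The script below is an added example (not Jamf's code) that groups a flow log by source/destination pair, ignores the port, and flags pairs whose inter-connection gaps mostly land inside that window; it also matches destinations against the two IPs quoted above, with the defanging brackets removed. The log format, the sample records, and the thresholds (`slack`, `min_intervals`, `min_fraction`) are constructed assumptions, not values from the report.

```python
"""Flag hosts that poll a destination on the jittered 60-120 second cadence
described above, and match destinations against the IPs named in the
write-up. Added defender example, not Jamf's code; the log format and the
records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# IoCs quoted in the write-up, with the defanging brackets removed.
KNOWN_C2 = {"93.88.75.252", "148.72.172.53"}

# Constructed flow log: "<utc-time> <src> <dst> <dport> <proto>" per line.
# 10.0.0.7 polls a listed IP every 60-120 s over two ports (beacon-like);
# its traffic to 203.0.113.10 (documentation range) is irregular; 10.0.0.8
# touches a listed IP only twice.
SAMPLE_LOG = """\
2025-05-02T10:00:00Z 10.0.0.7 93.88.75.252 8080 tcp
2025-05-02T10:00:05Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T10:00:10Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T10:01:01Z 10.0.0.7 93.88.75.252 443 tcp
2025-05-02T10:03:00Z 10.0.0.7 93.88.75.252 8080 tcp
2025-05-02T10:04:30Z 10.0.0.7 93.88.75.252 8080 tcp
2025-05-02T10:05:10Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T10:05:22Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T10:05:45Z 10.0.0.7 93.88.75.252 443 tcp
2025-05-02T10:07:30Z 10.0.0.7 93.88.75.252 8080 tcp
2025-05-02T10:08:36Z 10.0.0.7 93.88.75.252 8080 tcp
2025-05-02T10:20:00Z 10.0.0.8 148.72.172.53 80 tcp
2025-05-02T10:35:22Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T10:36:25Z 10.0.0.7 203.0.113.10 443 tcp
2025-05-02T11:40:00Z 10.0.0.8 148.72.172.53 80 tcp
"""

def parse_line(line: str):
    """Split one flow record into (epoch seconds, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), src, dst, int(dport), proto

def flows(lines):
    """Group connection times by (src, dst), ignoring the port: the write-up
    notes the implant uses several ports to the same address for redundancy."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            epoch, src, dst, _dport, _proto = parse_line(line)
            by_pair[(src, dst)].append(epoch)
    return by_pair

def ioc_hits(lines):
    """Pairs whose destination is one of the published addresses."""
    return {pair for pair in flows(lines) if pair[1] in KNOWN_C2}

def beacon_candidates(lines, low=60, high=120, slack=5,
                      min_intervals=4, min_fraction=0.8):
    """Pairs whose inter-connection gaps mostly fall inside the sleep window.
    Thresholds are tuning assumptions, not values from the report."""
    out = {}
    for pair, times in flows(lines).items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue  # too few samples to call it a cadence
        in_band = sum(low - slack <= g <= high + slack for g in gaps)
        fraction = in_band / len(gaps)
        if fraction >= min_fraction:
            out[pair] = {"intervals": len(gaps),
                         "in_band_fraction": round(fraction, 2),
                         "known_c2": pair[1] in KNOWN_C2}
    return out

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IoC hits:", sorted(ioc_hits(lines)))
    for pair, info in beacon_candidates(lines).items():
        print("beacon-like:", pair, info)
```

The two checks are complementary: `ioc_hits` catches traffic to infrastructure already published, including the host that touched a listed IP only twice, while `beacon_candidates` needs no prior knowledge of the address and would still flag the cadence if the operators moved to fresh infrastructure. Random jitter inside the window does not defeat the second check because it scores the fraction of gaps that fall in the band rather than looking for an exact period.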
The malware’s extensible design allows attackers to plug in different modules:
- ModuleBackconnectShell: Creates an interactive reverse shell.
- ModuleUpdater: Downloads and swaps in a fresh malware binary.
- ModuleLoader: Fetches and executes additional payloads.
- ModuleSUBF: A password-cracking module that downloads a brute-force tool called kerberos and associated wordlists to attack local user credentials.
The last module is particularly concerning, as it shows an unusual focus on brute-forcing user accounts—rare for macOS malware.
One of the most concerning aspects of this discovery is that ChillyHell was notarized by Apple and trusted by macOS Gatekeeper for years. As Jamf’s researchers emphasize, “Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned.”
For enterprises and end users alike, this underscores the need for multi-layered defenses that go beyond Apple’s built-in protections. Endpoint monitoring, behavioral analysis, and proactive threat hunting remain crucial for spotting such stealthy intrusions.