Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • Mac malware Coldroot hasn’t detected by anti-virus engines for two years
  • Malware

Mac malware Coldroot hasn’t detected by anti-virus engines for two years

Do Son February 26, 2018 3 minutes read
Coldroot
Add Daily CyberSecurity as a preferred source on Google

Patrick Wardle, chief researcher at Digita Security, a security company, discovered a malware called Coldroot, a remote access Trojan (RAT). Although it was uploaded to GitHub two years ago, it has so far failed to be detected by most antivirus engines.

Coldroot was uploaded to Github in 2016 and is offered for free. Now, things seem to have changed a bit, and the malware has entered the proactive phase of distribution.

Wardle said the latest version of Coldroot was found in an unofficial Apple audio driver (com.apple.audio.driver2.app). Malware masqueraded as a document that opens with a prompt that requires the user to enter an account and password (MacOS credentials) to log in. Once the victim provides the credentials, the malware silently installs and contacts its command and control (C & C) server to await further instructions from the attacker.

 

Malware modifies MacOS’s privacy database (TCC.db), which allows it to interact with system components to gain the access necessary to perform keyloggers. In addition, Coldroot manages the infected system by installing itself as a startup daemon. In this way, the malicious code starts up each time the infected computer is opened.

Once Coldroot is activated, it can take screenshots, view the desktop remotely in real time, start and stop processes on the target system, and search, download, upload, and execute files. All stolen data is sent to the remote web-based panel, much like most RATs do today.

 

Wardle pointed out that this is a “fully functional and currently undetectable” malware. Since January 1, 2017, a Web site called “Coldzer0”, the author of Coldroot who has been on the dark Internet marketing this software. In addition, Coldroot is a cross-platform malware targeting MacOS, Linux and Windows-based operating systems, based on ad videos published by Coldzer0.

 

Wardle also pointed out that it is unclear whether this new version of Coldroot is the same as the one uploaded two years ago, or if it is a modified version of the malware. Although the new version of Coldroot still contains details and contact information for its original author (Coldzer0), it is also likely to be misleading clues for other people who improve the software after getting the code from GitHub to keep it, safe Investigators, in-depth investigation.

Wardle said the malware may not affect newer operating systems such as MacOS High Sierra because the security of system TCC.db is assured through System Integrity Protection (SIP). But in his opinion, the proactive distribution of malware shows that hackers are constantly trying to step up their attacks on Macs, and it’s better for Mac users to switch to using the latest operating system to avoid being hit by such malware.

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • ShadowRoot Ransomware Targets Turkish Businesses
  • APT37 Expands Arsenal with Rustonotto Backdoor, PowerShell Chinotto, and FadeStealer
  • Luno: A “Self-Healing” Linux Botnet That Mines Crypto and Launches DDoS Attacks
  • Condi Botnet: Capitalizing on TP-Link Router Weaknesses
  • Secret Code in Commits: GitHub Hackers Exposed
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Coldroot

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-56271CVSS 9.8
    Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default...
  • CVE-2026-56260CVSS 9.1
    Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker...
  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.