
A stealthy new macOS infostealer named AppleProcessHub has drawn attention from security researchers: its Objective-C dropper abuses Apple's native frameworks and decrypts its command-and-control strings with AES at runtime before executing the payload it fetches. The malware was first flagged by MalwareHunterTeam on May 15, 2025, after a suspicious file named libsystd.dylib, a Mach-O binary disguised as a dynamic library, was identified.
“On macOS, infostealers collect private information such as keychain passwords and cryptocurrency wallets, which are then uploaded to an attacker-controlled server,” wrote Christopher Lopez, Senior macOS Security Researcher at Kandji.
The ‘AppleProcessHub’ malware is engineered to steal sensitive files such as:
- .bash_history and .zsh_history
- GitHub gitconfig
- SSH keys and configurations
- /etc/hosts and .ssh folders
- macOS Keychain database (Login.keychain-db)
These files often contain authentication tokens, shell commands, endpoint IPs, internal hostnames, and private keys — a goldmine for threat actors targeting both individuals and organizations.
“A Threat Actor may leverage this information to find IP addresses, hostnames, domain names, or paths to internal resources,” Lopez explained. “This could evolve the threat from an exposure of the individual, to an infiltration of their organization.”
Although disguised with a .dylib extension, the file is not a dynamic library but an Objective-C Mach-O binary compiled for x86_64. It begins execution in the _start() function, which delegates to [Task ccsys], eventually queuing a malicious payload download using Apple’s Grand Central Dispatch.
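An added analyst-side check, not code from Kandji's write-up: the disguise described above (a .dylib name on an executable Mach-O image built for x86_64) is visible in the first 16 bytes of the file. The constants come from Apple's mach-o/loader.h and mach/machine.h; the sample header below is constructed for the demonstration.

```python
import struct

# Mach-O header constants (from <mach-o/loader.h> and <mach/machine.h>)
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGICS = {0xCAFEBABE, 0xBEBAFECA}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 7: "MH_DYLINKER", 8: "MH_BUNDLE"}
CPUTYPES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386"}
# Which Mach-O file types legitimately carry a given extension
EXPECTED_FOR_EXT = {".dylib": {6}, ".so": {6}, ".bundle": {8}, ".o": {1}}


def parse_macho_header(data: bytes) -> dict:
    """Parse a thin Mach-O header; raises ValueError for fat or non-Mach-O input."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: split it and inspect each slice")
    if magic in (MH_MAGIC_64, MH_MAGIC):        # header fields stored little-endian
        endian = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):      # header fields stored big-endian
        endian = ">"
    else:
        raise ValueError("not a Mach-O file")
    _, cputype, _, filetype = struct.unpack(endian + "IiiI", data[:16])
    return {"bits": 64 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 32,
            "cpu": CPUTYPES.get(cputype, hex(cputype)),
            "filetype": FILETYPES.get(filetype, hex(filetype)),
            "filetype_id": filetype}


def triage(filename: str, data: bytes) -> str:
    """Return a MISMATCH verdict when the extension promises a file type the header contradicts."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hdr = parse_macho_header(data)
    expected = EXPECTED_FOR_EXT.get(ext)
    if expected is None:
        return f"OK: {filename} is {hdr['filetype']} ({hdr['cpu']}), no extension expectation"
    if hdr["filetype_id"] in expected:
        return f"OK: {filename} is a {hdr['filetype']} as its extension claims"
    return f"MISMATCH: {filename} claims {ext} but header says {hdr['filetype']} ({hdr['cpu']})"


def build_header(cputype: int, filetype: int) -> bytes:
    """Constructed sample: a 32-byte 64-bit Mach-O header with no load commands."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, filetype, 0, 0, 0, 0)


if __name__ == "__main__":
    # Mirrors the case in the write-up: a .dylib name on an x86_64 MH_EXECUTE image
    print(triage("libsystd.dylib", build_header(0x01000007, 2)))
    print(triage("libreal.dylib", build_header(0x01000007, 6)))
```

On a real sample, pass the first 32 bytes of the file to `triage`; universal (fat) binaries are rejected deliberately, since each architecture slice carries its own header.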
The stealer retrieves a second-stage payload from:
It is recovered by decoding embedded base64 strings and decrypting the result with AES-128 in ECB mode under the static key CMKD378491212qwe.
“These base64 strings are passed to the [Task aesd:] which are then passed to the method des12Decry: using the AES key… making it trivial to decode the strings,” Lopez noted.
If the command-and-control server returns a valid payload, the binary sets up an NSTask with /bin/sh -c and executes the decrypted shell command—essentially giving the attacker remote script execution on the device.
The known payload, a script named fSidEOWW.sh, gathers all the targeted data, zips it, and uploads it back to the attacker’s infrastructure.
“This Mach-O can handle the execution of any script hosted on the command and control server,” Lopez emphasized.
The malware’s use of Grand Central Dispatch and indirect Objective-C calls (like [Task request]) makes static analysis harder, especially as many method references are hidden from standard disassembly tools like Binary Ninja.
When first reported, the libsystd.dylib binary had only 2 detections on VirusTotal, underscoring its evasion capabilities. While the C2 domain appleprocesshub[.]com was offline during Kandji’s analysis, the modular structure of the dropper suggests it could easily pivot to other payloads or servers.
AppleProcessHub shows how macOS malware is evolving in complexity, using native APIs, clean Objective-C, and AES-encrypted infrastructure to avoid detection. It targets developer environments, making it particularly dangerous to startups, engineers, and tech firms.
“While the command and control server was offline at the start of this analysis, the malware still could execute other scripts,” Lopez concluded.