February 11, 2026

WAVESHAPER functioned as the initial backdoor, establishing remote access and enabling further payload delivery. HYPERCALL operated as a downloader, retrieving secondary components such as HIDDENCALL, which provided additional command execution capabilities. This staged deployment allowed the threat actor to expand control over the compromised macOS system in phases rather than dropping a single large payload.

DEEPBREATH, a Swift-based infostealer, focused on harvesting sensitive data from the host. According to the researchers, it manipulated Apple’s Transparency, Consent, and Control (TCC) framework to access protected resources without prompting the user. That enabled the collection of browser data, keychain material, and messaging content. CHROMEPUSH, meanwhile, targeted browser environments, including session cookies and authentication tokens.

The researchers also observed abuse of macOS security mechanisms, including functionality in Apple’s XProtect system. Instead of disabling protections outright, the malware leveraged trusted system components and expected behaviors to reduce its visibility to detection.


