A new macOS backdoor vulnerability that lets hackers hijack devices is the latest to plague users, here’s what you need to know

Apple logo is seen in the background of a silhouette of a person using a notebook
(Image credit: Getty Images)

Security experts have warned of a new macOS backdoor vulnerability that has enabled hackers to take over devices without users knowing.

Analysis from Greg Lesnewich, senior threat researcher at Proofpoint, outlined how he came across the new malware strain, dubbed ‘SpectralBlur’.

Internet scan data from Censys tipped Lesnewich off to a suspicious domain, where he found a suspicious file, ‘.machshare’, being downloaded from the ‘auth’ subdomain.

Lesnewich described the SpectralBlur malware as “a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2 [server].”

One novel aspect to the malware is its use of ‘grantpt’ to set up a pseudo-terminal and execute shell commands, as macOS security researcher Phil Stokes pointed out in response to Lesnewich’s tweet warning of the backdoor.

Delving deeper into the .macshare file led Lesnewich to find a number of similarities linking SpectralBlur to other malware strains, including KANDYKORN, or SockRacket, known to belong to BlueNorOff, or TA444.

BlueNorOff has been identified as a subgroup of North Korean state-sponsored threat actors, the Lazarus Group, that focuses on targeting foreign financial institutions. 

Lazarus Group ramping up activity

Lesnewich’s findings add to a concerning trend of new malware families targeting macOS devices, with 21 new malware strains that exploit macOS being discovered in 2023.

This latest backdoor indicates TAs are not slowing down in their efforts to compromise MacOS devices, with Lesnewich describing the North Korean affiliated BlueNorOff group’s activities as “fast and furious”. 

James Pickard, head of security testing at IT Governance, told ITPro organizations should ensure they are deploying a defense in depth approach that involves multiple layers of security to provide holistic protection.

“As with many threats like this, it’s recommended that organizations and users implement a defense in depth approach. This involves patching, endpoint protection, user training and awareness, monitoring, and operating with the least privilege model, etc.” Pickard advised.


Whitepaper cover with two colleagues at a workstation looking at a computer

(Image credit: Zscaler)

Discover what the best approach to CASB and DLP requires


Integral to keeping devices secure is endpoint protection, Pickard explained, noting that Apple has recommended a number of solutions users can use to defend against attacks.

The tech giant has recommended using tools such as Gatekeeper, Notarisation, and XProtect to prevent, block, and remediate malware on affected machines, he said. 

Users have also been advised to regularly ensure that patches are up-to-date and remain vigilant for any suspicious activity on devices. 

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.