Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Microsoft Says Mac Trojan Becoming Stealthier, More Menacing

Malware hunters at Microsoft are calling attention to a nasty macOS malware family that has evolved quickly from a basic information-gathering trojan to a stealthy backdoor with more powerful capabilities.

Malware hunters at Microsoft are calling attention to a nasty macOS malware family that has evolved quickly from a basic information-gathering trojan to a stealthy backdoor with more powerful capabilities.

The macOS malware family, called UpdateAgent, first surfaced just over a year ago with rudimentary infection and data-theft capabilities but researchers have spotted signs the malware is becoming a fully-powered spy toolkit.

In the beginning, around November 2020, Microsoft first observed the macOS threat being used for reconnaissance with basic functions to collect product names, software versions and other system information.

By January 2021, the a newer version added capabilities for fetching secondary payloads from public clouds and a few months later, Microsoft noticed stealthy bypasses of Apple’s security controls, two worrying signs that the gang behind the malware continues to invest heavily to reach victims on Apple’s flagship desktop platform.

[ READ: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days ]

In the latter half of 2021, the malware became even more powerful, collecting more target system data and adding backdoor-type features to execute additional commands.   Microsoft even found evidence later that the malware included the ability to modify sudoers list, allowing it to bypass a prompt requiring high privilege user credentials while running UpdateAgent’s downloaded app.

“The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads,” Microsoft said in a report documenting the UpdateAgent malware family.

The malware, which is currently being used to siphon money from malicious online advertising, has also been observed bypassing Apple’s Gatekeeper security technology and leveraging existing user permissions to quietly perform malicious activities before deleting the evidence to cover its tracks.

[ READ: Microsoft Disables MSIX Protocol Due to Abuse by Malware ]

“UpdateAgent lures its victims by impersonating legitimate software and can leverage Mac device functionalities to its benefit. One of the most advanced techniques found in UpdateAgent’s latest toolbox is bypassing Gatekeeper controls, which are designed to ensure only trusted apps run on Mac devices,” Microsoft said.

The company also published technical evidence to show UpdateAgent misusing public cloud infrastructure — Amazon S3 and CloudFront services — to host additional payloads. 

Redmond shared its findings with Amazon the malicious URLs have since been taken down.Update Agent MacMalware Timeline 

“UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns,” Microsoft warned, noting that the Trojan is likely distributed via drive-by downloads or advertisement pop-ups that impersonate legitimate software applications. 

“This action of impersonating or bundling itself with legitimate software increases the likelihood that users are tricked into installing the malware. Once installed, UpdateAgent starts to collect system information that is then sent to its command-and-control (C2) server. 

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Related: Microsoft Calls Attention to ‘Wormable’ Windows Flaw

Related: Apple Patches ‘Actively Exploited’ Mac, iOS Security Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...