Ferdous Saljooki (@malwarezoo)'s Twitter Profile
Ferdous Saljooki
@malwarezoo

macOS Threat and Detections Research @JamfSoftware. Opinions are my own.

ID: 870794599085879298
Joined: 03-06-2017 00:09:45
393 Tweets
706 Followers
394 Following

08Tc3wBB (@08tc3wbb):

My bug CVE-2024-44131 got patched on iOS 18.0. It’s an iOS TCC bypass bug that lets third-party apps access data stored on iCloud Drive. I’ll be sharing the technical details, along with demo screenshots of leaking (encrypted) WhatsApp backup data, on the Jamf Blog.

Mickey Jin (@patch1t):

As promised, I just dropped a dozen new sandbox escape vulnerabilities at #POC2024. If you missed the talk, here is the blog post: jhftss.github.io/A-New-Era-of-m… Slides: github.com/jhftss/jhftss.… Enjoy and find your own bugs 😎

DefSecSentinel (@defsecsentinel):

Great find and fantastic write-up by my friends Ferdous Saljooki and Jaron Bradley over Jamf. Go check it out. Very interesting, signed and notarized at the time they were active, similar to the samples found by the team at SentinelLabs (blog also linked below). DPRK is

Jaron Bradley (@jbradley89):

Today we released a blog post detailing how threat actors are using the Flutter Engine to build malware for macOS. This results in a very complex app architecture that is difficult to reverse. Check out the details here... jamf.com/blog/jamf-thre…

Patrick Wardle (@patrickwardle):

"Radiant Capital was targeted by a highly sophisticated [macOS] cyberattack that resulted in a loss valued at approximately $50M USD." 👀 "This deception was carried out so seamlessly ...[it made] the threat virtually invisible" 👀 medium.com/@RadiantCapita…

Ferdous Saljooki (@malwarezoo):

I had an amazing time at #obts catching up with old friends and meeting new ones. The talks were all fantastic and this community is truly one of a kind. Huge thanks to Andy Rozenberg and Patrick Wardle for hosting yet another successful conference. Looking forward to Ibiza next

Ferdous Saljooki (@malwarezoo):

XCSSET payload recently uploaded to VirusTotal appears to align with Microsoft's findings, including persistence via zshrc and dock virustotal.com/gui/file/a0ee7…

Ferdous Saljooki (@malwarezoo):

After posting the hunting query for macOS stealers yesterday, I noticed today that the ".file" extension for the scripts was changed to randomized extensions like "BraveTalk_Setup.ASpCp" and "Harmony.hklnP". The malware authors are paying attention 😆

alden (@birchb0y):

excited bc today Huntress is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠 we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)! huntress.com/blog/inside-bl…

Thijs Xhaflaire (@txhaflaire):

Jamf Threat Labs uncovered a new variant of the Odyssey Infostealer — signed and notarized at the time of discovery. This variant includes backdoor functionality and techniques that align with recent Atomic Stealer research by Moonlock Lab. More here: jamf.com/blog/signed-an…

Ferdous Saljooki (@malwarezoo):

It’s an honor to be speaking at #OBTS again alongside so many incredible researchers. I’ll be sharing simple bugs that bypass Gatekeeper and CDHash revocation, allowing revoked ad-hoc signed malware to run without any re-signing.