- ChillyHell is a modular macOS backdoor created in 2021 that passed Apple's notarization and remained undetected for years
- Mandiant spotted it in 2023, but the information was not shared publicly, so AV tools never caught up
- Jamf exposed it in 2025, revealing that it is still notarized and not flagged by antivirus engines
For at least four years, a piece of modular Apple malware was being deployed on target devices without being flagged by antivirus solutions.
To make matters worse, for at least two years (a part of) the cybersecurity community was aware of its existence.
Earlier this week, Jamf security researchers published a new report detailing ChillyHell, a modular backdoor that gives its operators a reverse shell, the ability to update itself, and the option to fetch and execute additional payloads.
First detection in 2023
While the backdoor itself is nothing out of the ordinary, the fact that it remained undetected for so long is. The malware was apparently created in 2021, when it was submitted to Apple. It passed the notarization checks, meaning Apple's automated systems did not flag it as malicious.
It managed to pass the checks because its payloads were split into modules, it was signed with a valid Apple Developer ID, and it was designed to look like a harmless application. Moreover, it showed none of the standard red-flag behaviors, such as privilege escalation or network scanning.
Until 2023 it operated undetected, with no antivirus detections on the major platforms. In 2023, however, Mandiant (Google's cybersecurity arm) identified it in a threat intelligence briefing and even attributed it to UNC4487, a threat actor that targeted Ukrainian officials through a car insurance website.
But the briefing was shared privately and without technical details, leaving the broader security community in the dark about its existence. Apple did not revoke the notarization, and AV tools still did not flag it.
Fast forward to 2025, and now Jamf Threat Labs has publicly disclosed the malware, given it the name ChillyHell, and detailed its architecture, persistence and evasion techniques. It also stressed that even at this point Apple's notarization remained valid, and some samples uploaded to VirusTotal are still not being flagged by antivirus engines.
Via The Register