A new report from Jamf Threat Labs reveals that ChillyHell malware remains active against macOS systems. First discovered in 2021 and privately reported by cybersecurity firm Mandiant in 2023, this persistent threat shows no signs of stopping. Jamf researchers found a fresh sample on VirusTotal in May 2024, confirming the malware’s continued operation.
How ChillyHell steals Mac user data
ChillyHell targets sensitive information on infected Mac computers, specifically focusing on usernames and passwords. The malware uses sophisticated methods to avoid detection by security software and researchers.
Advanced evasion techniques make detection difficult
The malware employs two key tactics to stay hidden:
- Timestomping – alters file creation and modification dates to hide malicious activity
- Dynamic command-and-control protocol switching – changes communication methods to avoid network monitoring
These evasion techniques allow ChillyHell to operate undetected for extended periods, making tracking and removal challenging for security teams.
Developer certificate revocation limits future distribution
Jamf’s investigation found that Apple has revoked the developer certificates linked to ChillyHell. This revocation prevents new versions from being easily distributed but does not remove existing infections from compromised systems.
Mac users should maintain updated security software and exercise caution when downloading applications from untrusted sources. The ChillyHell campaign demonstrates that macOS remains a target for sophisticated malware operations.
