MacVX

Malware

⚠️ Overview

MacVX is a macOS-specific malware framework first documented by researchers at SentinelOne in late 2021, categorized as a modular backdoor and information stealer. It is attributed to a suspected Chinese-speaking threat actor tracked as IndigoZebra (also known as APT 36), which primarily targets government, defense, and telecom entities in South Asia.

🔧 Technical Capabilities

MacVX is distributed via trojanized installer packages mimicking legitimate software such as Adobe Flash Player or VPN clients. It employs a custom command-and-control (C2) protocol over HTTPS using encrypted JSON payloads, with the C2 domain embedded in the binary or fetched from GitHub repositories. Persistence is achieved via LaunchAgents and LaunchDaemons plist files that execute the main Mach-O binary at boot. The malware includes modules for keylogging, screen capture, file exfiltration, and remote shell access, all controllable through C2 commands. Evasion techniques include checking for virtual machine environment indicators (e.g., VMware, VirtualBox) and delaying malicious behavior to avoid sandbox detection.

📜 History & Notable Incidents

First identified in September 2021 by SentinelOne's Threat Research team, MacVX was observed in targeted campaigns against Indian and Pakistani military and diplomatic personnel. No CVEs are associated with MacVX itself; some variants instead exploit CVE-2021-30657 (a macOS Gatekeeper bypass vulnerability) to achieve initial code execution. Law enforcement actions against the IndigoZebra group have not been publicly reported.

🔍 Detection Indicators

Known file hashes (SHA-256) include 7a4b1c9e3f2d8a5b6c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 (example from SentinelOne report). Behavioral indicators include creation of LaunchAgents plists named "com.apple.softwareupdate.plist" or "com.adobe.flash.plist", and outbound HTTPS connections to domains such as "microsoft-update[.]com" and "cdn-cloudflare[.]download". Network IOCs include User-Agent strings mimicking "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" with unusual Accept-Language headers.
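The host-side indicators above (LaunchAgent plists named after Apple or Adobe components) can be hunted for with a small scanner. The following is an added example, not code from the page or from any SentinelOne tooling: it parses plists from a launchd directory with the standard-library `plistlib`, flags the two reported file names, flags `com.apple.*` labels whose program lives outside the paths Apple's own launch items use, and flags programs placed in temporary or hidden directories. The trusted-path prefixes, the hidden/temp markers and the three sample plists are constructed assumptions of this example, not indicators from the report.

```python
"""Hunt for suspicious LaunchAgent/LaunchDaemon plists (added example, not from the page)."""
import plistlib
import tempfile
from pathlib import Path

# File names reported as MacVX persistence artefacts in the detection indicators above.
KNOWN_BAD_NAMES = {"com.apple.softwareupdate.plist", "com.adobe.flash.plist"}
# Assumption of this example: Apple's own launch items execute binaries under these prefixes,
# so a com.apple.* label pointing elsewhere is treated as impersonation.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")
# Assumption: programs run from temp or dot-directories are rare for legitimate launch items.
HIDDEN_OR_TEMP_MARKERS = ("/tmp/", "/private/tmp/", "/.")


def program_path(data):
    """Return the executable a launchd plist would run, from Program or ProgramArguments."""
    if "Program" in data:
        return str(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_plist(path):
    """Return the list of reasons a plist looks suspicious (empty list if none)."""
    reasons = []
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a launch item that will not parse still deserves a look
        return [f"unparseable plist ({exc.__class__.__name__})"]
    if path.name in KNOWN_BAD_NAMES:
        reasons.append("file name matches a reported MacVX artefact")
    label = str(data.get("Label", ""))
    prog = program_path(data)
    if prog is None:
        return reasons
    if label.startswith("com.apple.") and not prog.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"Apple-style label runs untrusted path {prog}")
    if any(marker in prog for marker in HIDDEN_OR_TEMP_MARKERS):
        reasons.append(f"program lives in a temporary or hidden directory: {prog}")
    return reasons


def scan_dir(directory):
    """Map each suspicious plist file name in a directory to its reasons."""
    findings = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        reasons = assess_plist(plist_path)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def _write(path, data):
    with path.open("wb") as fh:
        plistlib.dump(data, fh)


def build_samples(directory):
    """Constructed sample plists: one benign item and two modelled on the reported names."""
    d = Path(directory)
    _write(d / "com.example.backup.plist", {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
        "StartInterval": 86400,
    })
    _write(d / "com.apple.softwareupdate.plist", {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/alice/Library/.cache/softwareupdate"],
        "RunAtLoad": True, "KeepAlive": True,
    })
    _write(d / "com.adobe.flash.plist", {
        "Label": "com.adobe.flash",
        "Program": "/private/tmp/.flash/FlashPlayer",
        "RunAtLoad": True,
    })


def demo():
    """Write the constructed samples to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host, point `scan_dir` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the file-name check is the only exact indicator, the other two rules are heuristics and will occasionally flag legitimate third-party items that install under a user's home directory.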

☠️ Risk & Impact

MacVX poses a severe threat to macOS users in targeted sectors, enabling full exfiltration of emails, documents, and credentials. The malware can also deploy additional payloads, leading to complete system compromise. Financial losses are indirect, arising from espionage, but the theft of classified military data has caused significant operational damage, as reported in SentinelOne's 2021 analysis.

🛡️ Mitigation

Defenders should implement endpoint detection and response (EDR) rules for suspicious LaunchAgent plist modifications and HTTPS beaconing to unknown domains. Keeping macOS fully patched, especially against CVE-2021-30657, and restricting installation of unsigned applications via Gatekeeper and notarization settings are recommended mitigations. Refer to SentinelOne's threat intelligence report and MITRE ATT&CK techniques T1543.004 for LaunchAgent persistence and T1059.004 for command scripting.
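The beaconing rule recommended above can be expressed over proxy logs using the network indicators from the detection section (the two defanged C2 domains and the reported User-Agent with an unexpected Accept-Language). The following is an added example, not code from the page or from SentinelOne: it parses a simplified log format, matches the indicator domains, flags the reported User-Agent when paired with a locale outside the fleet's expected set, and additionally detects periodic beaconing by measuring the jitter of request intervals per source/destination pair. The log format, the expected-locale set, the jitter threshold and all sample lines are constructed assumptions of this example.

```python
"""Beacon detection over constructed proxy log lines (added example, not from the page)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Network indicators from the page, kept defanged and refanged only for matching.
IOC_DOMAINS_DEFANGED = {"microsoft-update[.]com", "cdn-cloudflare[.]download"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in IOC_DOMAINS_DEFANGED}
REPORTED_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
# Assumption: locales normally seen from this fleet; anything else with the reported UA is odd.
EXPECTED_LANGS = {"en-US", "en"}

# Constructed log format: <iso-timestamp> <src-ip> <dst-host> "<user-agent>" <accept-language>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample log: one host beacons every 300 s to an IoC domain with the reported UA
# and a zh-CN locale; another host browses normally; one line is malformed.
SAMPLE_LOG = [
    '2021-09-14T10:00:00Z 10.0.0.5 cdn-cloudflare.download "%s" zh-CN' % REPORTED_UA,
    '2021-09-14T10:00:07Z 10.0.0.7 example.org "Mozilla/5.0 (Macintosh) Safari/605.1" en-US',
    '2021-09-14T10:05:00Z 10.0.0.5 cdn-cloudflare.download "%s" zh-CN' % REPORTED_UA,
    '2021-09-14T10:03:12Z 10.0.0.7 example.org "Mozilla/5.0 (Macintosh) Safari/605.1" en-US',
    '2021-09-14T10:10:00Z 10.0.0.5 cdn-cloudflare.download "%s" zh-CN' % REPORTED_UA,
    '2021-09-14T10:20:44Z 10.0.0.7 example.org "Mozilla/5.0 (Macintosh) Safari/605.1" en-US',
    '2021-09-14T10:15:00Z 10.0.0.5 cdn-cloudflare.download "%s" zh-CN' % REPORTED_UA,
    '2021-09-14T11:05:01Z 10.0.0.7 example.org "Mozilla/5.0 (Macintosh) Safari/605.1" en-US',
    '2021-09-14T10:20:00Z 10.0.0.5 cdn-cloudflare.download "%s" zh-CN' % REPORTED_UA,
    '2021-09-14T10:21:00Z 10.0.0.9 updates.example.net "%s" en-US' % REPORTED_UA,
    'garbage line that does not match the format',
]


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, host, ua, lang = match.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "host": host, "ua": ua, "lang": lang}


def is_regular(timestamps, min_hits=4, max_jitter=0.1):
    """True when at least min_hits requests arrive at near-constant intervals (low jitter)."""
    if len(timestamps) < min_hits:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return False
    return statistics.pstdev(gaps) / mean_gap <= max_jitter


def analyse(lines):
    """Return sorted, de-duplicated (rule, src, host) alerts for the given log lines."""
    alerts = set()
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in IOC_DOMAINS:
            alerts.add(("ioc_domain", rec["src"], rec["host"]))
        primary_lang = rec["lang"].split(",")[0]
        if rec["ua"] == REPORTED_UA and primary_lang not in EXPECTED_LANGS:
            alerts.add(("ua_language_mismatch", rec["src"], rec["host"]))
        by_pair[(rec["src"], rec["host"])].append(rec["ts"])
    for (src, host), stamps in by_pair.items():
        if is_regular(stamps):
            alerts.add(("periodic_beacon", src, host))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, src, host in analyse(SAMPLE_LOG):
        print(f"{rule:22s} {src:10s} -> {host}")
```

The domain and User-Agent rules fire only on the exact indicators and will go stale as infrastructure changes; the interval-jitter rule is what keeps catching a renamed C2 host, at the cost of also flagging legitimate software that polls on a fixed schedule, so it is best used to rank pairs for review rather than to block on its own.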


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.