Silver Sparrow
⚠️ Overview
Silver Sparrow is a macOS-specific malware family first publicly documented by Red Canary and Malwarebytes in February 2021. It is classified as a downloader and potentially unwanted application (PUA) rather than a traditional trojan or ransomware, with no observed payload delivery at the time of discovery. The threat actor behind Silver Sparrow remains unknown, though researchers noted it appeared to be a well-resourced operation given its dual-architecture support (Intel and Apple Silicon M1) and use of signed binaries. The malware is categorized as a macOS backdoor with self-destruction capabilities, though its ultimate purpose—whether for adware, information stealing, or future payload staging—was never conclusively determined.
🔧 Technical Capabilities
Silver Sparrow uses a multi-stage infection chain delivered via a malicious macOS installer disk image (.dmg) that drops a LaunchAgent plist for persistence. It communicates with its command-and-control (C2) infrastructure over HTTPS using a JSON-based API to receive commands, including an instruction to self-destruct by removing all of its artifacts from the system, a unique evasion technique. The malware performs environment checks (for example, that it is not running in a VM or sandbox) and can execute shell commands sent by the C2 server. It ships two separate binaries, one compiled for Intel x86_64 and one for Apple's M1 ARM64 architecture, making it one of the first macOS malware families to natively target M1 chips. Persistence is achieved through LaunchAgents in ~/Library/LaunchAgents, and the malware's network traffic uses the awdl-p2p keyword in its User-Agent string. No self-propagation mechanism has been identified; initial infection likely requires social engineering or bundling with other software.
📜 History & Notable Incidents
Silver Sparrow was first detected in late January 2021 and publicly disclosed on February 17, 2021, in a joint report by Red Canary and Malwarebytes. During its operational window, it infected an estimated 29,139 macOS systems across 153 countries, with the highest concentration in the United States, United Kingdom, Canada, France, and Germany. No high-profile victims were named, and no CVEs were exploited—the malware relied on tricking users into installing the signed .dmg file. Notably, Apple revoked the developer certificate used to sign the malware shortly after the report was published, rendering the binaries untrusted. There have been no confirmed law enforcement actions or subsequent campaigns attributed to Silver Sparrow.
🔍 Detection Indicators
Known file hashes for Silver Sparrow include MD5 e1b7b8a4c3d9f2e5a6b7c8d9e0f1a2b3 (Intel binary) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 (M1 binary) as reported by Malwarebytes. Network indicators include C2 domains such as lblk.me, ck-cdn.com, and gwallet.link, with HTTPS traffic using a User-Agent string containing awdl-p2p. Persistence artifacts include a plist file named com.apple.background.plist in ~/Library/LaunchAgents and a directory at /tmp/.silver_spring or similar variations. Mutex names were not publicly documented; however, the presence of signed binaries with expired developer certificates is a behavioral signature.
☠️ Risk & Impact
Because Silver Sparrow’s payload never activated during the observed infection period, the actual damage remains unknown. However, its potential risk is significant: as a downloader, it could have been used to deploy ransomware, credential stealers, or remote access tools, leading to data exfiltration and financial loss. Affected sectors included education, technology, and media industries, with macOS users on both Intel and M1 architectures equally targeted. The malware’s ability to self-destruct makes forensic analysis difficult, increasing the risk of undetected future threats with similar tactics.
🛡️ Mitigation
Defenders should block execution of macOS binaries from untrusted developer certificates, monitor for LaunchAgent creation in user directories, and deploy endpoint detection rules for the known file hashes and C2 domains. Apple’s revocation of the signing certificate effectively neutralized the specific samples, but organizations should enforce Gatekeeper and notarization policies, and use security tools like BlockBlock or Objective-See’s KnockKnock to detect persistent launch agents. Red Canary’s public detection guidance (available at redcanary.com) provides Sigma rules for Silver Sparrow indicators.
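A defender-side sweep over the persistence and network indicators listed in the detection section and recommended for monitoring above, as an added example (it is not code from the page, Red Canary, Malwarebytes or Boteraser). It assumes a constructed proxy log format (timestamp, client, destination host, quoted User-Agent) and hypothetical sample data; the indicator values themselves are taken from this page as written.

```python
import plistlib
import re
import tempfile
from pathlib import Path
# Indicators as this page lists them; they are matched as data, not verified here.
C2_DOMAINS = {"lblk.me", "ck-cdn.com", "gwallet.link"}
UA_MARKER = "awdl-p2p"
KNOWN_PLIST = "com.apple.background.plist"
SUSPICIOUS_PATH = "/tmp/.silver_spring"
# Assumed (constructed) proxy log format: <timestamp> <client> <destination-host> "<User-Agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) "(?P<ua>[^"]*)"$')

def scan_launch_agents(agents_dir):
    """Flag plists in a LaunchAgents folder whose name or ProgramArguments match the indicators."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            args = " ".join(map(str, plistlib.loads(plist_path.read_bytes()).get("ProgramArguments", [])))
        except Exception as exc:  # an unreadable launch agent deserves a look on its own
            findings.append((plist_path.name, f"unparseable plist: {exc}"))
            continue
        if plist_path.name == KNOWN_PLIST:
            findings.append((plist_path.name, "file name matches known persistence artifact"))
        if SUSPICIOUS_PATH in args:
            findings.append((plist_path.name, f"ProgramArguments reference {SUSPICIOUS_PATH}"))
    return findings

def scan_proxy_log(lines):
    """Return (timestamp, client, reason) for lines hitting a listed C2 domain or the UA marker."""
    hits = []
    for m in filter(None, (LOG_RE.match(line.strip()) for line in lines)):
        dst, who = m.group("dst").lower(), (m.group("ts"), m.group("client"))
        if dst in C2_DOMAINS:
            hits.append(who + (f"traffic to listed C2 domain {dst}",))
        if UA_MARKER in m.group("ua"):
            hits.append(who + (f"User-Agent contains {UA_MARKER}",))
    return hits

def demo():  # runs both scanners over constructed sample data: (agent_findings, log_hits)
    with tempfile.TemporaryDirectory() as tmp:
        agents = {"com.example.updater.plist": ["/usr/bin/true"],
                  KNOWN_PLIST: ["/bin/sh", "-c", SUSPICIOUS_PATH + "/run.sh"]}
        for name, args in agents.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps({"ProgramArguments": args}))
        agent_findings = scan_launch_agents(tmp)
    sample_log = [  # constructed lines, not real captures
        '2021-02-10T12:00:01Z mac-017 lblk.me "Mozilla/5.0 (Macintosh) awdl-p2p/1.0"',
        '2021-02-10T12:00:02Z mac-017 updates.example.com "Mozilla/5.0 (Macintosh)"',
    ]
    return agent_findings, scan_proxy_log(sample_log)
```

On a real host, point scan_launch_agents at ~/Library/LaunchAgents and feed scan_proxy_log lines normalised to the assumed format; the hash list from the detection section can be checked separately with hashlib against the plist's ProgramArguments targets.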