The sub-techniques beta is now live! Read the release blog post for more info.


Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [1]

ID: S0163
Platforms: macOS
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Janicab captured audio and sent it out to a C2 server.[2][1]

Enterprise T1116 Code Signing

Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[1]

Enterprise T1168 Local Job Scheduling

Janicab used a cron job for persistence on Mac devices.[1]

Enterprise T1113 Screen Capture

Janicab captured screenshots and sent them out to a C2 server.[2][1]