
This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

ID: S0276
Associated Software: OSX/Keydnap
Platforms: macOS
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Associated Software Descriptions

Name Description
OSX/Keydnap [1]

Techniques Used

Domain ID Name Use
Enterprise T1141 Input Prompt

Keydnap prompts users for credentials.[2]

Enterprise T1159 Launch Agent

Keydnap uses a Launch Agent to persist.[2]

Enterprise T1188 Multi-hop Proxy

Keydnap uses a copy of the tor2web proxy for HTTPS communications.[2]

Enterprise T1064 Scripting

Keydnap uses Python for scripting to execute additional commands.[2]

Enterprise T1167 Securityd Memory

Keydnap uses the keychaindump project to read securityd memory.[2]

Enterprise T1166 Setuid and Setgid

Keydnap adds the setuid flag to a binary so it can easily elevate in the future.[1]

Enterprise T1151 Space after Filename

Keydnap puts a space after a false .jpg extension so that the file is executed as a program rather than opened as an image.[2]

Enterprise T1071 Standard Application Layer Protocol

Keydnap uses HTTPS for command and control.[2]