The sub-techniques beta is now live! Read the release blog post for more info.


FruitFly is designed to spy on mac users [1].

ID: S0277
Platforms: macOS
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1083 File and Directory Discovery

FruitFly looks for specific files and file types.[1]

Enterprise T1107 File Deletion

FruitFly will delete files on the system.[1]

Enterprise T1158 Hidden Files and Directories

FruitFly saves itself with a leading "." to make it a hidden file.[1]

Enterprise T1159 Launch Agent

FruitFly persists via a Launch Agent.[1]

Enterprise T1027 Obfuscated Files or Information

FruitFly executes and stores obfuscated Perl scripts.[1]

Enterprise T1057 Process Discovery

FruitFly has the ability to list processes on the system.[1]

Enterprise T1113 Screen Capture

FruitFly takes screenshots of the user's desktop.[1]