Register to stream ATT&CKcon 2.0 October 29-30


MacSpy is a malware-as-a-service offered on the darkweb [1].

ID: S0282
Platforms: macOS
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture MacSpy can record the sounds from microphones on a computer. [1]
Enterprise T1115 Clipboard Data MacSpy can steal clipboard contents. [1]
Enterprise T1107 File Deletion MacSpy deletes any temporary files it creates [2]
Enterprise T1158 Hidden Files and Directories MacSpy stores itself in ~/Library/.DS_Stores/ [2]
Enterprise T1056 Input Capture MacSpy captures keystrokes. [1]
Enterprise T1159 Launch Agent MacSpy persists via a Launch Agent. [1]
Enterprise T1188 Multi-hop Proxy MacSpy uses Tor for command and control. [1]
Enterprise T1113 Screen Capture MacSpy can capture screenshots of the desktop over multiple monitors. [1]
Enterprise T1071 Standard Application Layer Protocol MacSpy uses HTTP for command and control. [1]