The sub-techniques beta is now live! Read the release blog post for more info.


MacSpy is a malware-as-a-service offered on the darkweb [1].

ID: S0282
Platforms: macOS
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

MacSpy can record the sounds from microphones on a computer.[1]

Enterprise T1115 Clipboard Data

MacSpy can steal clipboard contents.[1]

Enterprise T1107 File Deletion

MacSpy deletes any temporary files it creates[2]

Enterprise T1158 Hidden Files and Directories

MacSpy stores itself in ~/Library/.DS_Stores/[2]

Enterprise T1056 Input Capture

MacSpy captures keystrokes.[1]

Enterprise T1159 Launch Agent

MacSpy persists via a Launch Agent.[1]

Enterprise T1188 Multi-hop Proxy

MacSpy uses Tor for command and control.[1]

Enterprise T1113 Screen Capture

MacSpy can capture screenshots of the desktop over multiple monitors.[1]

Enterprise T1071 Standard Application Layer Protocol

MacSpy uses HTTP for command and control.[1]