Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Cuckoo Stealer can use the curl API for C2 communications.[1] |
| Enterprise | T1217 | Browser Information Discovery |
Cuckoo Stealer can collect bookmarks, cookies, and history from Safari.[1] |
|
| Enterprise | T1059 | .002 | Command and Scripting Interpreter: AppleScript |
Cuckoo Stealer can use osascript to generate a password-stealing prompt, duplicate files and folders, and set environmental variables.[1][2] |
| .004 | Command and Scripting Interpreter: Unix Shell |
Cuckoo Stealer can spawn a bash shell to enable execution on compromised hosts.[1] |
||
| Enterprise | T1543 | .001 | Create or Modify System Process: Launch Agent |
Cuckoo Stealer can achieve persistence by creating launch agents to repeatedly execute malicious payloads.[1][2] |
| Enterprise | T1555 | .001 | Credentials from Password Stores: Keychain |
Cuckoo Stealer can capture files from a targeted user's keychain directory.[1] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Cuckoo Stealer strings are deobfuscated prior to execution.[1][2] |
|
| Enterprise | T1041 | Exfiltration Over C2 Channel |
Cuckoo Stealer can send information about the targeted system to C2 including captured passwords, OS build, hostname, and username.[1] |
|
| Enterprise | T1083 | File and Directory Discovery |
Cuckoo Stealer can search for files associated with specific applications.[1][2] |
|
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the |
| Enterprise | T1056 | .002 | Input Capture: GUI Input Capture |
Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window.[1] |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[1][2] |
| Enterprise | T1095 | Non-Application Layer Protocol |
Cuckoo Stealer can use sockets for communications to its C2 server.[1] |
|
| Enterprise | T1027 | .008 | Obfuscated Files or Information: Stripped Payloads |
Cuckoo Stealer is a stripped binary payload.[1][2] |
| .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Cuckoo Stealer strings are XOR-encrypted.[1][2] |
||
| Enterprise | T1647 | Plist File Modification |
Cuckoo Stealer can create and populate property list (plist) files to enable execution.[1][2] |
|
| Enterprise | T1057 | Process Discovery |
Cuckoo Stealer can use |
|
| Enterprise | T1113 | Screen Capture |
Cuckoo Stealer can run |
|
| Enterprise | T1518 | Software Discovery |
Cuckoo Stealer has the ability to search systems for installed applications.[1] |
|
| Enterprise | T1553 | .001 | Subvert Trust Controls: Gatekeeper Bypass |
Cuckoo Stealer can use |
| Enterprise | T1082 | System Information Discovery |
Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.[1][2] |
|
| Enterprise | T1614 | System Location Discovery |
Cuckoo Stealer can determine the geographical location of a victim host by checking the language.[1] |
|
| .001 | System Language Discovery |
Cuckoo Stealer can check the systems |
||
| Enterprise | T1033 | System Owner/User Discovery |
Cuckoo Stealer can discover and send the username from a compromised host to C2.[1] |
|
| Enterprise | T1569 | .001 | System Services: Launchctl |
Cuckoo Stealer can use |