May 27, 2025
Severity
High
Analysis Summary
A stealthy macOS malware known as AppleProcessHub has recently been identified by security researchers. It was first observed on May 15, 2025, disguised as a harmless dynamic library file called libsystd.dylib. In reality, it is a malicious Objective-C Mach-O binary designed to steal sensitive information from macOS systems. Its primary targets are command-line history files, GitHub configurations, SSH keys, and the macOS Keychain database: data that can help attackers move deeper into an organization's infrastructure.
The malware uses Apple's native frameworks to appear legitimate and relies on Objective-C methods and Grand Central Dispatch for payload execution. It communicates with a command-and-control (C2) server hosted at appleprocesshub[.]com, exchanging base64-encoded strings that are decrypted with AES-128 using a hardcoded key. Once the server responds, AppleProcessHub downloads a second-stage payload that collects system data, zips it, and sends it to the attacker's server, all executed through a shell script running in the background.
The malware is built using clean Objective-C code, hides method references, and avoids using typical malware signatures. Even if its original server is shut down, its modular structure allows attackers to update the destination or payloads. This makes AppleProcessHub a serious threat to macOS users, especially developers who store critical credentials and access tokens on their systems.
Impact
- Data Exfiltration
- Sensitive Data Theft
Indicators of Compromise
MD5
d0c288b5335ebe985c68f4fbbeece12d
348c8b48a541d6da0090fb1bb6a36083
SHA-256
3f86c4cc956a6df5ddfad5d03334ece07e78351dec3ca62390f203f82675e00f
639e824e329c429a53d0e64f3a4f254131443a669da93a59a755fb7171d49745
SHA1
f67e1468d20be89f7fffaccffa5956eff4a6159a
6d88a8dc1718aed372c0c0826c8fd19441563b44
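A hunt script for the indicators above, added here as an example and not part of the advisory: it hashes only Mach-O files (matching the libsystd.dylib disguise) against the published SHA-256 values and flags log lines that resolve the C2 domain. The scan root, the log format and the sample DNS lines are assumptions for illustration.

```python
"""Hunt for AppleProcessHub artifacts: Mach-O files whose SHA-256 matches the
advisory's IOCs, and log lines that reference its C2 domain. The hashes and
domain come from the advisory; paths and log format are assumptions."""
import hashlib
import os
import re
from typing import Iterable

# SHA-256 values published in the advisory above.
IOC_SHA256 = {
    "3f86c4cc956a6df5ddfad5d03334ece07e78351dec3ca62390f203f82675e00f",
    "639e824e329c429a53d0e64f3a4f254131443a669da93a59a755fb7171d49745",
}
C2_DOMAIN = "appleprocesshub.com"  # defanged in the advisory as appleprocesshub[.]com

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}

def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O or fat binary magic."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dir(root: str, bad_hashes: set = IOC_SHA256) -> list:
    """Walk `root`; return (path, sha256) for every Mach-O whose hash is an IOC.
    Non-Mach-O files are skipped before hashing, so a large tree stays cheap."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_macho(path):
                    digest = sha256_file(path)
                    if digest in bad_hashes:
                        hits.append((path, digest))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
    return hits

def c2_hits(lines: Iterable[str], domain: str = C2_DOMAIN) -> list:
    """Return log lines naming the C2 domain or a subdomain of it (not look-alikes)."""
    pat = re.compile(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])", re.I)
    return [ln for ln in lines if pat.search(ln)]

# Constructed DNS log lines for a local dry run (not real telemetry).
SAMPLE_DNS_LOG = [
    "2025-05-20T10:01:02Z host1 query A www.apple.com",
    "2025-05-20T10:01:05Z host1 query A appleprocesshub.com",
    "2025-05-20T10:02:11Z host2 query A cdn.appleprocesshub.com",
    "2025-05-20T10:03:00Z host2 query A notappleprocesshub.com",
]

if __name__ == "__main__":
    for line in c2_hits(SAMPLE_DNS_LOG):
        print("C2 contact:", line)
    for path, digest in scan_dir(os.path.expanduser("~/Library")):  # assumed scan root
        print("IOC hash match:", path, digest)
```

Point `scan_dir` at the directories where a dropped dylib would plausibly land on your hosts, and feed `c2_hits` your real DNS or proxy logs; a hit on either is grounds to isolate the machine and rotate the credentials the malware targets.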
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Sidewinder APT group and other threat actors.
- Regularly update macOS and all software to patch known vulnerabilities.
- Avoid running untrusted or pirated software, especially unknown .dylib or Mach-O files.
- Use a reputable antivirus or endpoint protection solution with support for macOS.
- Regularly audit and rotate SSH keys, API tokens, and developer credentials.
- Inspect network traffic for unknown domains or unusual encrypted connections.
- Implement application whitelisting to prevent unauthorized binary execution.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Isolate development environments from production infrastructure when possible.