Jamf Threat Labs has recently discovered pirated macOS applications on Chinese piracy websites that have been modified to communicate with attacker infrastructure [1]. This poses a significant threat to Mac users: the trojanized apps let the malware run under cover of a legitimate-looking application, evade detection, and hand the attacker control over the target system.

Description

The malware, known as “fseventsd,” is a modified version of the ZuRu malware first seen in 2021. It is distributed through pirated copies of FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit [2]. When a user launches one of these pirated apps, a malicious dynamic library bundled with the app loads a backdoor built on the open-source Khepri post-exploitation tool [2]. This backdoor lets the attacker collect system information, download and upload files, and open a remote shell on the compromised Mac [3].

The “fseventsd” malware stealthily harvests data and drops additional payloads, behaviour consistent with the Khepri tooling it is built on [2]. Jamf discovered it while investigating other threats [2]. The executable, named “fseventsd,” was stored as a hidden file and shares its name with a legitimate macOS process [2]. It was not signed by Apple and was not flagged as malicious on VirusTotal at the time [2].
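The masquerading described above (a system daemon's name, a hidden path, and no Apple signature) can be turned into a simple triage rule. The following is an added example, not code from the Jamf report or from the referenced articles; the canonical path of Apple's own fseventsd and the simplified signer labels are assumptions, and the process inventory is constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Assumed canonical location of Apple's fseventsd (not stated on the page).
SYSTEM_DAEMONS = {
    "fseventsd": "/System/Library/Frameworks/CoreServices.framework/Versions/A/"
                 "Frameworks/FSEvents.framework/Versions/A/Support/fseventsd",
}

@dataclass
class ProcessRecord:
    pid: int
    path: str                # executable path as reported by the process list
    signer: Optional[str]    # simplified stand-in for the codesign authority; None = unsigned

def assess(rec: ProcessRecord) -> List[str]:
    """Return the reasons a process looks like a daemon impersonator (empty = clean)."""
    p = PurePosixPath(rec.path)
    expected = SYSTEM_DAEMONS.get(p.name)
    reasons = []
    if expected is not None:
        # Name collides with a macOS daemon: it must run from the system path and be Apple-signed.
        if rec.path != expected:
            reasons.append(f"system daemon name but runs from {rec.path}")
        if rec.signer != "Apple":
            reasons.append("not signed by Apple")
    if any(part.startswith(".") for part in p.parts):
        reasons.append("executable lives in a hidden directory")
    return reasons

def find_masquerading(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map pid -> findings for every record that triggers at least one rule."""
    return {r.pid: assess(r) for r in records if assess(r)}

# Constructed sample inventory: the real daemon, an impersonator, and an ordinary app.
SAMPLE = [
    ProcessRecord(71, SYSTEM_DAEMONS["fseventsd"], "Apple"),
    ProcessRecord(4021, "/Users/alice/Library/.fseventsd/fseventsd", None),
    ProcessRecord(4022, "/Applications/Navicat Premium.app/Contents/MacOS/Navicat Premium", "Developer ID"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE).items():
        print(pid, "; ".join(reasons))
```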

Conclusion

The discovery of this modified malware highlights the risks associated with pirated applications on macOS. Users are strongly advised to avoid downloading pirated apps and to rely on reputable security software that can detect and block threats on macOS. This incident underscores the need for continued vigilance in protecting the platform and is a reminder that obtaining software only from legitimate sources is a key mitigation against malware infections.

References

[1] https://www.jamf.com/blog/jtl-malware-pirated-applications/
[2] https://www.macworld.com/article/2204631/jamf-malware-pirated-macos-apps-backdoor.html
[3] https://www.darkreading.com/vulnerabilities-threats/stealthy-backdoor-found-hiding-in-pirated-macos-apps