macOS 'Living off the Land' Attacks

- Reports show attackers increasingly misuse native macOS tools and metadata to evade detection in enterprise settings.
- These techniques abuse signed internal tooling and automation metadata to make malicious activity appear legitimate.
- The research frames macOS trust and native-tool legitimacy themselves as attack surfaces, complicating detection and response (infosecurity-magazine.com).

On a Mac, “living off the land” means using the computer’s own built-in tools as cover — and Cisco Talos says attackers are now doing that on macOS to run code and move around enterprise networks. (blog.talosintelligence.com) Talos published the research on April 21, 2026, and said attackers can repurpose Remote Application Scripting, a native feature for controlling apps, to execute actions remotely on other Macs. The same report said Spotlight metadata, including Finder comments, can be abused to stage payloads in ways that evade static file scanning. (blog.talosintelligence.com) The researchers also said attackers can transfer tools and maintain access with built-in protocols such as Server Message Block, Netcat, Git, Trivial File Transfer Protocol, and Simple Network Management Protocol. Those paths can sit outside the Secure Shell logs and telemetry many security teams watch most closely. (blog.talosintelligence.com)

This is landing as Macs have become standard work machines for developers and operations teams, not just design departments. Talos said more than 45% of organizations now use macOS in enterprise environments, and Stack Overflow’s 2024 survey found about one-third of professional developers use macOS as their primary platform. (blog.talosintelligence.com) Those machines often hold source code, cloud credentials, Secure Shell keys, browser sessions, and admin access. Microsoft said on April 1, 2026 that macOS infostealer campaigns observed since late 2025 were built to steal browser data, cookies, session tokens, and cloud-service keys that can lead to account takeover and follow-on intrusions. (techcommunity.microsoft.com)

The trust problem is not limited to Apple’s own tools. Jamf Threat Labs said in July 2025 that it found an Odyssey stealer sample that was both code-signed and notarized with a valid Apple Developer ID, which meant macOS security controls were less likely to block it at launch. (jamf.com) Jamf reported a similar shift on December 22, 2025 with MacSync Stealer, describing a signed and notarized Swift app delivered in a disk image that fetched an encoded script from a remote server and ran it without the old drag-to-Terminal trick. Jamf said the certificate tied to that sample was later revoked after it reported the abuse to Apple. (jamf.com)

Attackers have also been hiding code in macOS metadata itself. Group-IB research covered by Infosecurity Magazine in November 2024 said Lazarus used extended attributes — extra file metadata fields in macOS — to smuggle malicious code and keep it concealed from some defenses. (infosecurity-magazine.com)

Talos said defenders need to spend less time assuming native activity is benign and more time watching how processes relate to each other, how apps talk across the system, and which administrative services mobile-device-management policies still leave enabled. On macOS, the signed tool, the Finder metadata field, and the built-in remote feature can all become part of the intrusion path. (blog.talosintelligence.com)
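One defender-side check that follows from the metadata findings above (Finder comments and extended attributes used to stage or hide payloads), written here as an added example rather than code from Talos, Jamf or Group-IB: it decodes the Finder-comment attribute, then flags attributes whose name is outside a small allow-list of ones macOS writes itself, or whose content is unusually large or has base64-like entropy. The allow-list, the length and entropy thresholds, the sample attribute values and the `xattr -px` collection path in `scan_path` are all assumptions; the samples are constructed and the macOS collection path is not exercised offline.

```python
import math
import plistlib
import string
import subprocess

# Finder comments live in this attribute as a binary plist wrapping a string; the set below lists
# attributes macOS writes routinely, so anything outside it deserves a second look (assumed list).
FINDER_COMMENT = "com.apple.metadata:kMDItemFinderComment"
COMMON_XATTRS = {FINDER_COMMENT, "com.apple.quarantine", "com.apple.FinderInfo",
                 "com.apple.metadata:_kMDItemUserTags", "com.apple.lastuseddate#PS"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 6.0 for text that uses all 64 base64 symbols evenly, far lower for a prose comment."""
    n = len(data)
    return 0.0 if n == 0 else -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def decode_finder_comment(raw: bytes) -> str:
    """Unwrap the binary plist; fall back to the raw bytes if the attribute is not one."""
    try:
        value = plistlib.loads(raw)
    except Exception:
        return raw.decode("utf-8", "replace")
    return value if isinstance(value, str) else str(value)

def assess_xattrs(attrs: dict, max_len: int = 200, max_entropy: float = 4.5) -> list:
    """Return findings for one file's attributes; the thresholds are assumed starting points, not tuned values."""
    findings = []
    for name, raw in attrs.items():
        payload = decode_finder_comment(raw).encode() if name == FINDER_COMMENT else raw
        reasons = []
        if name not in COMMON_XATTRS:
            reasons.append("non-standard attribute name")
        if len(payload) > max_len:
            reasons.append(f"unusually large ({len(payload)} bytes)")
        if len(payload) >= 32 and shannon_entropy(payload) > max_entropy:
            reasons.append(f"high entropy ({shannon_entropy(payload):.2f} bits/byte)")
        if reasons:
            findings.append(f"{name}: " + ", ".join(reasons))
    return findings

def scan_path(path: str) -> list:
    """macOS only (assumed collection path): list attribute names with xattr(1), then read each value as hex."""
    run = lambda *a: subprocess.run(["xattr", *a, path], capture_output=True, text=True, check=True).stdout
    return assess_xattrs({n: bytes.fromhex("".join(run("-px", n).split())) for n in run().split()})

# Constructed samples: a plain comment, then a comment holding a base64-like blob plus a custom attribute.
BENIGN = {FINDER_COMMENT: plistlib.dumps("Q3 budget draft", fmt=plistlib.FMT_BINARY)}
BLOB = (string.ascii_letters + string.digits + "+/") * 4  # 256 chars spread evenly over the base64 alphabet
SUSPECT = {FINDER_COMMENT: plistlib.dumps(BLOB, fmt=plistlib.FMT_BINARY), "user.stage": b"\x00" * 16}
```

`assess_xattrs(BENIGN)` returns no findings, while `assess_xattrs(SUSPECT)` reports the oversized, high-entropy Finder comment and the unexpected attribute name, which is the kind of relationship-level signal, rather than a static file scan, that the research above argues for.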


Shared from Scout - Be the smartest in the room.