View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 19, 2022updated 05 Aug 2022 6:52am

New spyware CloudMensis targets macOS users

The previously unknown malware is able to bypass macOS security mitigations.

By Claudia Glover

Spyware that targets Apple’s macOS operating system to steal sensitive data has been uncovered by security researchers. Cybercriminals are using the malware, ‘CloudMensis’, to conduct attacks on Mac users, they said.

CloudMensis is being used to target machines running Apple’s macOS operating system. (Photo by

Uncovered by security company ESET, CloudMensis has been deployed by criminals over the past few months against Apple devices. “Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes and screen captures,” Mars-Etienne Léveillé, a researcher at ESET, explained in a report published today.

How CloudMensis infects macOS

The ESET team has not ascertained how the CloudMensis initially infects systems, but once it has done so, it communicates with multiple cloud servers to download other components of the malware. In the sample analysed by the company, it pulled in files from Dropbox, pCloud, and Russian cloud service Yandex Disk.

CloudMensis can bypass the macOS Transparency Consent and Control (TCC) system which is supposed to mitigate against this kind of attack. TCCs are used to block macOS apps from accessing user data. If bypassed the cybercriminal can change the privacy settings for apps on the device, take screenshots or monitor keyboard activities without the user’s knowledge.

The vulnerability through which these TCCs can be bypassed is CVE-2020-9930, a two-year-old exploit for which a patch is available here. “Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operation,” the report says. “At the same time, no undisclosed vulnerabilities (zero days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.”

The malware comes with the support of numerous commands that can all exfiltrate data from the macOS by accessing documents and removeable storage, taking screenshots and logging keystrokes.

What is CloudMensis being used for?

The first attack using the malware was logged on February 4, but known instances of attacks since then have been scarce.

“We still do not know how CloudMensis is initially distributed and who the targets are,” Léveillé adds. “The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not very advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

Content from our partners
The growing cybersecurity threats facing retailers
Cloud-based solutions will be key to rebuilding supply chains after global stress and disruption
How to integrate security into IT operations

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit

Read more: How AI will extend the scale and sophistication of cybercrime

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy