July 19, 2022 (updated 05 Aug 2022 6:52am)

New spyware CloudMensis targets macOS users

The previously unknown malware is able to bypass macOS security mitigations.

By Claudia Glover

Spyware that targets Apple’s macOS operating system to steal sensitive data has been uncovered by security researchers. Cybercriminals are using the malware, ‘CloudMensis’, to conduct attacks on Mac users, they said.

CloudMensis is being used to target machines running Apple’s macOS operating system. (Photo by

Uncovered by security company ESET, CloudMensis has been deployed by criminals over the past few months against Apple devices. “Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes and screen captures,” Marc-Etienne Léveillé, a researcher at ESET, explained in a report published today.

How CloudMensis infects macOS

The ESET team has not ascertained how CloudMensis initially infects systems, but once it has done so, it communicates with multiple cloud servers to download other components of the malware. In the sample analysed by the company, it pulled in files from Dropbox, pCloud, and Russian cloud service Yandex Disk.

CloudMensis can bypass the macOS Transparency, Consent and Control (TCC) system, which is supposed to mitigate this kind of attack. TCC is used to block macOS apps from accessing user data. If it is bypassed, the cybercriminal can change the privacy settings for apps on the device, take screenshots or monitor keyboard activity without the user’s knowledge.

The vulnerability through which TCC can be bypassed is CVE-2020-9930, a two-year-old flaw for which a patch is available. “Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operation,” the report says. “At the same time, no undisclosed vulnerabilities (zero days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.”

The malware supports numerous commands, all of which can exfiltrate data from a Mac by accessing documents and removable storage, taking screenshots and logging keystrokes.

What is CloudMensis being used for?

The first attack using the malware was logged on February 4, but known instances of attacks since then have been scarce.


“We still do not know how CloudMensis is initially distributed and who the targets are,” Léveillé adds. “The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not very advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”
