![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Blue Archive tier list [April 2025]](https://media.pocketgamer.com/artwork/na-33404-1636469504/blue-archive-screenshot-2.jpg?#)
.png?#)
-Baldur’s-Gate-3-The-Final-Patch---An-Animated-Short-00-03-43.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Alleged Pixel 10 series wallpapers leak with vibrant colors and a strange new theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/pixel-10-wallpaper-leak-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Apple's Foldable iPhone May Cost Between $2100 and $2300 [Rumor]](https://www.iclarified.com/images/news/97028/97028/97028-640.jpg)
![Apple Releases Public Betas of iOS 18.5, iPadOS 18.5, macOS Sequoia 15.5 [Download]](https://www.iclarified.com/images/news/97024/97024/97024-640.jpg)
![Apple to Launch In-Store Recycling Promotion Tomorrow, Up to $20 Off Accessories [Gurman]](https://www.iclarified.com/images/news/97023/97023/97023-640.jpg)
New PasivRobber Malware Steals Data From macOS Systems and Applications
A sophisticated Chinese spyware suite dubbed “PasivRobber” that targets macOS devices, with particular focus on harvesting data from communication applications popular among Chinese users. The multi-binary malware package demonstrates advanced technical capabilities for data exfiltration and persistence. On March 13, 2025, security researchers identified a suspicious mach-O file named “wsus” on VirusTotal, which led to […] The post New PasivRobber Malware Steals Data From macOS Systems and Applications appeared first on Cyber Security News.
A sophisticated Chinese spyware suite dubbed “PasivRobber” that targets macOS devices, with particular focus on harvesting data from communication applications popular among Chinese users.
The multi-binary malware package demonstrates advanced technical capabilities for data exfiltration and persistence.
On March 13, 2025, security researchers identified a suspicious mach-O file named “wsus” on VirusTotal, which led to the discovery of over 20 related binaries designed to capture data from macOS systems and applications.
Upon further analysis, researchers determined the malware primarily targets WeChat, QQ, web browsers, and email applications.
“The software’s targeted applications and observed network connections strongly indicate both a Chinese origin and target user base,” kandji researchers said.
Technical Implementation and Capabilities
PasivRobber employs sophisticated obfuscation techniques, including deceptive naming strategies.
The main binary “goed” appears to be deliberately named to resemble Apple’s legitimate “geod” daemon, while the malware also conceals plugin libraries by using incorrect file extensions (.gz instead of .dylib).
The malware establishes persistence through a LaunchDaemon configured with the following code:
This ensures the malware launches automatically whenever the system boots.
Multi-Component Architecture
PasivRobber operates through three main components that work in concert:-
goed: The primary executable launched via LaunchDaemon that initiates the infection chain by executing wsus
wsus: Handles remote actions including updates via FTP and uninstall functionality via RPC messages
center: Functions as an agent performing on-device actions including system information collection
The malware deploys specialized “Robber” dylibs—including libWXRobber.dylib, libNTQQRobber.dylib, and libQQRobber.dylib—that target specific applications to steal credentials and communications data.
PasivRobber uses sophisticated injection techniques to access data within messaging applications. The binary “apse” injects malicious libraries into targeted apps, with commands such as:
The malware leverages frida scripts to hook into application processes, allowing it to intercept communications and extract encryption keys.
The threat comes bundled with 28 plugins (named “zero_*” files) that target various data sources, enabling comprehensive surveillance:-
- Web browser history and saved passwords
- Email messages and contacts
- Chat conversations from WeChat and QQ
- Cloud storage credentials
- System information and screenshots
OSINT research links the malware to “Xiamen Meiya Yian Information Technology Co,” which is connected to Meiya Pico, an organization previously identified by the U.S. Treasury as developing surveillance technology for the Chinese government.
The malware’s sophisticated capabilities, extensive data collection functions, and version checks for systems below macOS 14.4.1 suggest active development and deployment for targeted surveillance operations.
Security experts recommend keeping macOS systems updated to the latest version and monitoring for suspicious processes and network connections to defend against this evolving threat.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
The post New PasivRobber Malware Steals Data From macOS Systems and Applications appeared first on Cyber Security News.
