S0161: XAgentOSX
Analyst context for executives and security teams
XAgentOSX matters because it represents a macOS trojan associated in ATT&CK with APT28 and described as a port of the CHOPSTICK/XAgent tool family. For leaders, the key takeaway is not just “Mac malware exists,” but that macOS endpoints can be part of espionage-style intrusion workflows involving discovery, credential collection, screen capture, command-and-control over file transfer protocols, and cleanup. Organizations that treat macOS as lower-risk or less-monitored may have material blind spots in executive, engineering, legal, communications, or other high-value user populations.
Executive priority
Prioritize validation of macOS visibility and response readiness where business-critical users or sensitive data reside. This object supports risk discussions around identity protection, endpoint monitoring parity, and incident response evidence: can the organization prove what a compromised Mac user did, what credentials may have been exposed, what files were enumerated, and whether traces were deleted? Budget and control decisions should focus on closing macOS telemetry gaps rather than assuming Windows-centric coverage is sufficient.
Technical view
ATT&CK lists XAgentOSX for macOS and relates it to behaviors including System Owner/User Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Native API execution, Keylogging, Screen Capture, Credentials from Web Browsers, File Transfer Protocols for command-and-control, and File Deletion. SOC and IR teams should validate whether macOS endpoint, process, file, browser credential-store, screen-capture, input-monitoring, and network telemetry can support investigation across these behaviors. Because the official detection field is not provided, detection engineering should be behavior-led and mapped to the related techniques rather than signature-only.
Likely telemetry
- macOS endpoint process execution and parent/child process context
- macOS file creation, access, enumeration, and deletion events
- user/session context showing logged-in or primary users
- system inventory and host profiling data such as OS version and hardware details
- network telemetry for file transfer protocol usage and unusual external destinations
Detection direction
- Confirm macOS endpoints are in scope for managed detection, not only Windows and server assets.
- Build or tune behavior analytics around clusters of discovery activity followed by collection or credential-access behaviors, rather than treating each command or file access in isolation.
- Review use of file transfer protocols from macOS hosts, especially when uncommon for the user, process, or business role.
- Validate visibility into screen capture and keylogging-relevant behaviors, while accounting for legitimate remote support, accessibility tools, conferencing software, and administrative utilities as false-positive sources.
- Monitor suspicious access to browser credential storage locations where telemetry and privacy/legal constraints allow.
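The second bullet above asks for analytics over clusters of discovery followed by collection, credential-access or C2 behaviour rather than single events. The Python below is an added illustration of that correlation (not code from ATT&CK, Glexia or the XAgentOSX samples): it assumes the macOS endpoint agent already tags events with ATT&CK technique IDs from the table on this page, and the log format and events are constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Technique IDs from the table on this page, grouped into the two phases the
# detection direction describes: discovery first, then collection, credential
# access, C2 or cleanup. Assumption: the macOS EDR already tags each event
# with an ATT&CK technique ID; the log format below is constructed.
DISCOVERY = {"T1033", "T1057", "T1082", "T1083"}
FOLLOW_ON = {"T1056.001", "T1113", "T1555.003", "T1071.002", "T1070.004"}

# Constructed sample events: "<ISO time>|<host>|<user>|<technique>|<detail>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:00|mac-exec-01|jdoe|T1082|OS version and hardware profile read
2024-05-01T09:01:30|mac-exec-01|jdoe|T1057|process list enumerated
2024-05-01T09:03:00|mac-exec-01|jdoe|T1083|recursive listing of user Documents
2024-05-01T09:10:00|mac-exec-01|jdoe|T1555.003|read of Firefox profile credential store
2024-05-01T09:12:00|mac-exec-01|jdoe|T1071.002|outbound FTP upload to external host
2024-05-01T11:00:00|mac-eng-07|asmith|T1082|OS version and hardware profile read
2024-05-01T11:05:00|mac-eng-07|asmith|T1057|process list enumerated
2024-05-01T14:00:00|mac-eng-07|asmith|T1113|screen capture by conferencing app
"""

def parse_event(line):
    ts, host, user, technique, detail = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "technique": technique, "detail": detail}

def cluster_alerts(lines, window_minutes=30, min_discovery=2):
    """Return one alert per (host, user) where at least `min_discovery` distinct
    discovery techniques occur within `window_minutes` before the first
    follow-on technique. Isolated discovery or a lone screen capture (e.g. the
    conferencing app above) does not fire, which keeps false positives down."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in (parse_event(l) for l in lines if l.strip()):
        by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["technique"] not in FOLLOW_ON:
                continue
            seen = {e["technique"] for e in events[:i]
                    if e["technique"] in DISCOVERY and ev["ts"] - e["ts"] <= window}
            if len(seen) >= min_discovery:
                alerts.append({"host": host, "user": user, "at": ev["ts"].isoformat(),
                               "trigger": ev["technique"], "preceded_by": sorted(seen)})
                break  # one alert per actor; the analyst pivots from there
    return alerts
```

On the constructed sample, `cluster_alerts(SAMPLE_EVENTS.splitlines())` raises one alert for mac-exec-01 (three discovery techniques, then Firefox credential-store access) and none for the engineering host, whose screen capture falls hours after its discovery events; widening the window or lowering `min_discovery` is how the analyst tunes the trade-off.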
Mitigation priorities
- Establish endpoint security and logging parity for macOS systems used by privileged, executive, engineering, legal, communications, or other sensitive users.
- Harden identity exposure by reducing saved browser credentials where feasible, enforcing strong authentication, and preparing credential reset workflows for macOS compromise scenarios.
- Restrict and review macOS permissions for screen recording, input monitoring, accessibility access, and similar privacy-sensitive capabilities.
- Baseline legitimate file transfer protocol usage and limit unnecessary outbound pathways where business operations permit.
- Ensure incident response playbooks include macOS evidence preservation, user credential exposure assessment, browser artifact review, and file deletion analysis.
Analyst notes and limits
The supplied ATT&CK object identifies XAgentOSX as a macOS trojan used by APT28 and apparently related to CHOPSTICK/XAgent. The most useful defensive value comes from its related behaviors: discovery, credential access, collection, command-and-control, execution via native APIs, and stealth through file deletion. For Glexia-style planning, this is a prompt to verify macOS telemetry depth, identity blast-radius procedures, and SOC playbooks for non-Windows endpoints.
The official ATT&CK detection field is not provided, tactics are not specified on the malware object itself, and the supplied data does not include indicators, hashes, infrastructure, active campaign details, or guaranteed detection logic. Any assessment of exposure, exploitation, attribution, or control effectiveness requires local telemetry and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging | XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log; it can handle special characters and buffers 50 characters by default before sending them out over the C2 infrastructure. (Citation: XAgentOSX 2017) |
| Enterprise | T1033 | System Owner/User Discovery | XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user. (Citation: XAgentOSX 2017) |
| Enterprise | T1083 | File and Directory Discovery | XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory. (Citation: XAgentOSX 2017) XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running |
| Enterprise | T1071.002 | File Transfer Protocols | XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system. (Citation: XAgentOSX 2017) |
| Enterprise | T1555.003 | Credentials from Web Browsers | XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords. (Citation: XAgentOSX 2017) |
| Enterprise | T1057 | Process Discovery | XAgentOSX contains the getProcessList function to run |
| Enterprise | T1113 | Screen Capture | XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods. (Citation: XAgentOSX 2017) |
| Enterprise | T1082 | System Information Discovery | XAgentOSX contains the getInstalledAPP function to run |
| Enterprise | T1070.004 | File Deletion | XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method. (Citation: XAgentOSX 2017) |
| Enterprise | T1106 | Native API | XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method. (Citation: XAgentOSX 2017) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 201bcd5d15bc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] XAgentOSX 2017: Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- [2] OSX.Sofacy (alias): (Citation: Symantec APT28 Oct 2018)
- [3] Symantec APT28 Oct 2018: Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- [4] XAgentOSX (alias): (Citation: XAgentOSX 2017)
- [5] mitre-attack S0161
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.