
S0163: Janicab

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [1]

Domain: Enterprise | ID: S0163 | Type: Malware | Object version: 1.1 (Modified)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Janicab matters because it shows how macOS malware can combine user-assisted installation, valid code signing, scheduled execution, and collection from screens or audio devices. For leaders, the key lesson is not just this specific older trojan, but whether macOS endpoints are covered by the same identity, endpoint, logging, and incident response rigor as Windows systems.

Executive priority

Treat this as a macOS control-validation case. Security leaders should ask whether the organization can prove which signed applications are allowed to run, whether suspicious scheduled jobs on macOS are visible, and whether privacy-sensitive collection such as screen or audio capture would be detected and investigated. This is relevant to business continuity and compliance evidence because signed software and user approval can reduce friction for malware while also complicating audit narratives around endpoint governance.

Technical view

ATT&CK links Janicab to macOS and to Cron, Screen Capture, Audio Capture, and Code Signing. SOC and IR teams should validate visibility into macOS process execution, crontab or scheduled job changes, code-signing metadata, application provenance, and access to microphone/screen-capture capabilities. Detection content should focus on suspicious combinations: newly installed or unusual signed binaries, persistence through cron, and collection behavior involving screenshots or audio files. Because MITRE provides no official detection text for this software entry, local baselining and endpoint telemetry quality are decisive.

Likely telemetry

  • macOS endpoint process execution and command-line telemetry
  • File creation and modification events for cron/crontab-related paths
  • Code-signing and developer ID metadata for executed binaries
  • Application installation and quarantine/provenance metadata where available
  • Screen capture utility/API usage or related process/file artifacts

Detection direction

  • Validate that macOS endpoints are included in managed detection scope, not treated as an exception population.
  • Tune for rare or newly observed signed binaries that also establish cron-based persistence or perform collection behavior.
  • Review false positives carefully: legitimate administrators and applications may use cron, screen capture, audio capture, or signed installers.
  • Correlate code-signing trust with behavior; a valid signature alone should not suppress investigation when persistence or collection indicators are present.
  • Confirm whether privacy-control events and endpoint logs are retained long enough to support incident reconstruction.
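An added example (not Glexia's or MITRE's code) of the correlation the detection direction above asks for: it parses a crontab dump and, on macOS, pairs each job's program with the signer chain that `codesign -dv --verbose=2` reports, so a valid Developer ID signature is reviewed against the approved-software list rather than suppressing the cron finding. The crontab text and the paths in it are constructed for the demo; off macOS the signer lookup reports "unavailable".

```python
import re
import shlex
import shutil
import subprocess

# Constructed sample crontab; the first job mimics the kind of user-level cron
# persistence ATT&CK attributes to Janicab (T1053.003).
SAMPLE_CRONTAB = """\
# user crontab (constructed sample)
SHELL=/bin/sh
*/5 * * * * /Users/demo/.local/updater >/dev/null 2>&1
@reboot /usr/local/bin/backup --quiet
0 2 * * 1 /usr/bin/true
"""

def parse_crontab(text):
    """Return (schedule, program_path) for every job line in a crontab dump."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comments and environment assignments are not jobs
        if line.startswith("@"):  # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:  # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        argv = shlex.split(cmd)
        if argv:
            jobs.append((sched, argv[0]))
    return jobs

def signing_identity(path):
    """Summarise the signer of path via codesign; 'unavailable' off macOS."""
    if shutil.which("codesign") is None:
        return "unavailable"
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return "unsigned"  # codesign exits non-zero for unsigned objects
    # codesign writes its details to stderr; Authority= lines give the cert chain
    chain = [l.split("=", 1)[1] for l in proc.stderr.splitlines() if l.startswith("Authority=")]
    return " -> ".join(chain) if chain else "adhoc"

def cron_signing_report(text):
    """Pair each cron job with its program's signer chain for analyst review."""
    return [(s, p, signing_identity(p)) for s, p in parse_crontab(text)]
```

Run it over `crontab -l -u <user>` output for each local account; rows whose signer is a Developer ID not on the approved list, or "unsigned"/"adhoc", are the ones to triage first.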

Mitigation priorities

  • Maintain macOS application control and software approval processes that evaluate both signing status and business need.
  • Harden and monitor scheduled task mechanisms such as cron on macOS systems.
  • Limit user ability to install unapproved software where business operations allow.
  • Review permissions for microphone and screen capture access, especially for applications without clear business justification.
  • Include macOS persistence, signed-malware triage, and collection-behavior review in incident response playbooks and compliance evidence collection.

Analyst notes and limits

The supplied ATT&CK object describes Janicab as an OS X trojan that relied on a valid developer ID and user installation. Relationship context connects it to cron-based execution/persistence/privilege-escalation, screen capture, audio capture, and code signing. The strongest defensive value is using this object to test macOS visibility and policy enforcement around signed software, scheduled execution, and sensitive data collection.

MITRE provides no official detection guidance, no aliases, and no object-level tactics for Janicab in the supplied fields. This take does not infer current activity, attribution, prevalence, or guaranteed detection. Environment-specific telemetry, macOS versions, endpoint tooling, and local software baselines are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

Janicab

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                          Relationship / procedure
Enterprise  T1053.003  Cron (sub-technique)          Janicab used a cron job for persistence on Mac devices. [1]
Enterprise  T1123      Audio Capture                 Janicab captured audio and sent it out to a C2 server. [f-secure janicab][1]
Enterprise  T1553.002  Code Signing (sub-technique)  Janicab used a valid Apple Developer ID to sign the code to get past security restrictions. [1]
Enterprise  T1113      Screen Capture                Janicab captured screenshots and sent them out to a C2 server. [f-secure janicab][1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 57cd6267daa7caf0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 57cd6267daa7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Janicab: Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  2. [2] mitre-attack S0163.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.