S0274: Calisto
Analyst context for executives and security teams
Calisto is a macOS Trojan described by ATT&CK as opening a backdoor on a compromised machine. Its ATT&CK relationships make it material beyond “Mac malware”: the mapped behaviors include local data collection, browser and network discovery, Keychain credential access, local account creation, Launch Agent persistence, launchctl execution, hiding/deleting files, staging and archiving data, and tool transfer. For leaders, this is a reminder that macOS endpoints need the same identity, credential, persistence, and data-loss visibility expected on other enterprise platforms.
Executive priority
Prioritize validation of macOS security coverage where executives, developers, administrators, or privileged users operate from Macs. The business risk is not just device infection; the mapped behaviors touch credential exposure, persistent access, local data theft preparation, and account manipulation. Ask whether SOC, IR, and audit teams can prove visibility into macOS persistence, Keychain-related access, local account changes, suspicious file staging, and outbound tool transfer rather than relying on Windows-centric controls.
Technical view
ATT&CK provides no official detection text for Calisto, so defenders should validate coverage through the related techniques. On macOS, focus on Launch Agent and launchctl activity, creation or modification of local accounts, attempts to access Keychain material, browser information discovery, local file enumeration and staging, archive utility usage, hidden files/directories, file deletion, and inbound file/tool transfer. Detection engineering should correlate these behaviors rather than depend on a single malware name, especially because masquerading as legitimate resource names or locations is included in the mapped behavior set.
Likely telemetry
- macOS endpoint process execution events, including launchctl and archive utilities
- File system events for hidden files/directories, suspicious staging locations, file deletion, and newly written tools
- Launch Agent plist creation or modification under macOS LaunchAgents paths
- Local account creation and account/permission change records
- Keychain access-related security events where available
Detection direction
- Build behavior-based detections around the related ATT&CK techniques rather than Calisto-specific naming alone.
- Correlate Launch Agent persistence with launchctl execution, suspicious file paths, hidden files, or recently downloaded payloads.
- Tune for legitimate administrative software that uses launchctl, compression utilities, or account management commands to reduce false positives.
- Review whether macOS Keychain and browser-data access are visible enough for investigation; these are common blind spots compared with process and network logs.
- Look for sequences: discovery, collection from local system, staging, archive creation, deletion/cleanup, and outbound transfer.
Mitigation priorities
- Ensure macOS endpoints are included in managed detection, EDR, logging, and incident response playbooks.
- Harden and monitor Launch Agents and launchctl usage, especially for nonstandard plist locations, unusual users, or suspicious executable paths.
- Apply least privilege and review local administrator rights to reduce account manipulation and local account persistence risk.
- Protect credential stores by limiting unnecessary access to Keychain data and investigating unexpected access patterns.
- Control and monitor download/execution of untrusted tools and files on macOS systems.
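The Launch Agent hardening point above can be turned into a periodic audit. The following added Python example (not code from the page, from Glexia, or from ATT&CK) parses Launch Agent plists and flags the properties the list calls out: executables under hidden or temporary directories, interpreter one-liners that hide the real payload, labels that do not match the file name, and agents set to restart indefinitely. The finding codes, the directory list and the two sample plists are assumptions constructed for the example; the standard agent directories are the well-known macOS locations, and per-user ~/Library/LaunchAgents directories would be added in a real audit.

```python
import os
import plistlib

# System-wide Launch Agent locations on macOS; per-user agents live under
# each home directory's Library/LaunchAgents and are out of scope here.
STANDARD_AGENT_DIRS = ("/Library/LaunchAgents", "/System/Library/LaunchAgents")
SUSPICIOUS_DIR_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/private/var/folders/")
INTERPRETERS = ("sh", "bash", "zsh", "osascript", "python3")


def _program_of(plist):
    """Return the executable the agent will run, from Program or ProgramArguments."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_agent(plist_bytes, plist_path):
    """Return a list of (finding_code, detail) tuples for one plist; empty means nothing flagged."""
    findings = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [("UNPARSEABLE", str(exc))]
    program = _program_of(plist)
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if not program:
        findings.append(("NO_PROGRAM", "plist declares nothing to run"))
    # Check the program and every absolute path passed as an argument.
    for p in [program] + [a for a in args[1:] if a.startswith("/")]:
        if any(part.startswith(".") for part in p.split("/")[1:-1]):
            findings.append(("HIDDEN_DIR_PATH", p))      # e.g. ~/.something/payload
        if p.startswith(SUSPICIOUS_DIR_PREFIXES):
            findings.append(("TEMP_DIR_PATH", p))
    # Interpreter one-liners hide the real payload from the Program field.
    if len(args) >= 3 and os.path.basename(args[0]) in INTERPRETERS and args[1] in ("-c", "-e"):
        findings.append(("INLINE_SCRIPT", " ".join(args)))
    # Label normally matches the file name (com.vendor.thing.plist <-> com.vendor.thing).
    expected_label = os.path.basename(plist_path)[:-len(".plist")] if plist_path.endswith(".plist") else ""
    if expected_label and plist.get("Label") != expected_label:
        findings.append(("LABEL_MISMATCH", f"{plist.get('Label')!r} vs file {expected_label!r}"))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(("PERSISTENT_RESTART", "RunAtLoad and KeepAlive both set"))
    return findings


def scan_launch_agents(dirs=STANDARD_AGENT_DIRS):
    """Walk the given directories and return {path: findings} for every flagged plist."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                findings = assess_launch_agent(fh.read(), path)
            if findings:
                report[path] = findings
    return report


# Constructed sample plists (not real artifacts) so the checks can be exercised offline.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.vendor.agent",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/agent", "--daemon"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.updates",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/jdoe/.hidden/run"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


if __name__ == "__main__":
    for path, findings in scan_launch_agents().items():
        print(path, findings)
```

Run on a live system the script reports only plists with at least one finding; each finding code is meant to be reviewed, not auto-blocked, because vendor agents legitimately use RunAtLoad with KeepAlive and some use shell wrappers.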
Analyst notes and limits
The ATT&CK object identifies Calisto as a macOS backdoor Trojan believed to have first been developed in 2016 and provides relationships to multiple techniques spanning discovery, collection, credential access, persistence, execution, command and control, and stealth. The object itself has no ATT&CK tactics listed and no official detection guidance, so defensive value comes from validating telemetry and controls against the mapped techniques.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, attribution, victim exposure, or guaranteed detection. Local environment evidence is required to determine whether Calisto-like behaviors are visible, suspicious, or already controlled in a given organization.
Calisto
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.001 | Launch Agent (sub-technique) | Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. (Citation: Securelist Calisto July 2018) |
| Enterprise | T1217 | Browser Information Discovery | Calisto collects information on bookmarks from Google Chrome. (Citation: Securelist Calisto July 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | Calisto runs the |
| Enterprise | T1105 | Ingress Tool Transfer | Calisto has the capability to upload and download files to the victim's machine. (Citation: Symantec Calisto July 2018) |
| Enterprise | T1056.002 | GUI Input Capture (sub-technique) | Calisto presents an input prompt asking for the user's login and password. (Citation: Symantec Calisto July 2018) |
| Enterprise | T1005 | Data from Local System | Calisto can collect data from user directories. (Citation: Securelist Calisto July 2018) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Calisto has the capability to use |
| Enterprise | T1569.001 | Launchctl (sub-technique) | Calisto uses launchctl to enable screen sharing on the victim's machine. (Citation: Securelist Calisto July 2018) |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | Calisto uses the |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for Mac. (Citation: Securelist Calisto July 2018) |
| Enterprise | T1555.001 | Keychain (sub-technique) | Calisto collects Keychain storage data and copies those passwords/tokens to a file. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018) |
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | Calisto uses a hidden directory named .calisto to store data from the victim's machine before exfiltration. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Calisto uses a hidden directory named .calisto to store data from the victim's machine before exfiltration. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018) |
| Enterprise | T1098 | Account Manipulation | Calisto adds permissions and remote logins to all users. (Citation: Symantec Calisto July 2018) |
| Enterprise | T1136.001 | Local Account (sub-technique) | Calisto has the capability to add its own account to the victim's machine. (Citation: Symantec Calisto July 2018) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0a59c4aa836c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Securelist Calisto July 2018: Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
- [2] Symantec Calisto July 2018: Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- [3] Calisto: (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)
- [4] mitre-attack S0274
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.