
S0276: Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

Domain: Enterprise | ID: S0276 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Keydnap is a macOS malware entry focused on credential theft from the user keychain while maintaining a persistent backdoor. Its business significance is that a compromised Mac can become both an identity breach point and a long-lived access foothold, especially where keychains contain user, Wi-Fi, mail, browser, certificate, or other stored secrets.

Executive priority

Prioritize this behavior where macOS systems are used by privileged users, administrators, developers, executives, or staff with access to sensitive SaaS, cloud, VPN, or certificate-based workflows. The ATT&CK relationships point to practical risk areas leaders should ask about: macOS persistence visibility, keychain and securityd protection, user credential prompt abuse, Python/script execution governance, and whether web-based command-and-control traffic can be investigated with enough context for incident response and audit evidence.

Technical view

For SOC, detection engineering, and IR teams, validate macOS coverage around the related techniques: Launch Agent persistence, suspicious setuid/setgid abuse, Python execution, GUI credential prompt mimicry, Securityd Memory access, resource fork hiding, filename-extension deception using a trailing space, and outbound web-protocol command-and-control that may traverse proxies. Because the ATT&CK object provides no official detection text, coverage should be proven through local telemetry tests, baselines, and incident playbooks rather than assumed from control presence.

Likely telemetry

  • macOS endpoint process execution, including Python interpreter and script activity
  • Launch Agent plist creation or modification in /Library/LaunchAgents and ~/Library/LaunchAgents; the per-user directory is writable without privileges and is where a user-level implant normally persists, while /System/Library/LaunchAgents holds Apple's own agents and is protected by System Integrity Protection on current macOS, so a change there points to something beyond a simple plist drop
  • File metadata and extended attributes that can reveal resource forks
  • Filesystem events involving unusual filenames, including trailing-space extension deception patterns
  • Privilege and file-permission changes involving setuid or setgid bits
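A worked hunting script for the telemetry listed above, added here as an example; it is not code from MITRE, Glexia or the Keydnap authors. It runs four of the relationship checks from this page over collected macOS file records (Launch Agent program and interpreter, extension followed by a space, resource-fork extended attribute, setuid/setgid bit) and then correlates findings per path, because a file that trips two checks is the kind of combination worth an analyst's time. The user-writable prefix list, the sample plists, paths and records are constructed assumptions; on a real Mac the extended-attribute names would come from running `xattr <path>` (Python's os.listxattr is not available on macOS) and the mode from os.lstat.

```python
"""Hunt for Keydnap-style host artifacts in collected macOS file records.

Added example, not code from MITRE, Glexia or the Keydnap authors. Each check maps to an
ATT&CK relationship on this page: T1543.001/T1059.006 (Launch Agent running Python or a
user-writable path), T1036.006 (space after extension), T1564.009 (resource fork xattr),
T1548.001 (setuid/setgid). Checks take already-collected records so they run offline on
the constructed sample at the bottom.
"""
import plistlib
import re
import stat
from dataclasses import dataclass

# Assumption: prefixes an unprivileged user can write to; tune to your fleet.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
PYTHON_RE = re.compile(r"(?:^|/)python(?:\d+(?:\.\d+)?)?$")
TRAILING_SPACE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5} +$")
RESOURCE_FORK_XATTR = "com.apple.ResourceFork"

@dataclass(frozen=True)
class FileRecord:
    path: str
    mode: int            # st_mode from os.lstat
    xattrs: tuple        # extended-attribute names, e.g. output of `xattr <path>` on macOS
    plist: bytes = None  # raw bytes for files under a LaunchAgents directory

@dataclass(frozen=True)
class Finding:
    technique: str
    path: str
    reason: str

def check_launch_agent(path, data):
    """T1543.001 / T1059.006: what does the agent execute, and from where?"""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [Finding("T1543.001", path, f"unparseable plist: {exc}")]
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    findings = []
    if args and (PYTHON_RE.search(args[0]) or any(a.endswith(".py") for a in args[1:])):
        findings.append(Finding("T1059.006", path, "launch agent runs Python: " + " ".join(args)))
    for a in args:
        if a.startswith(USER_WRITABLE_PREFIXES):
            findings.append(Finding("T1543.001", path, "launch agent references user-writable path: " + a))
            break
    return findings

def check_filename(path):
    """T1036.006: 'screenshot.jpg ' is not a .jpg, so Finder does not open it as an image."""
    name = path.rsplit("/", 1)[-1]
    if TRAILING_SPACE_EXT_RE.search(name):
        return Finding("T1036.006", path, "space after extension in " + repr(name))
    return None

def check_xattrs(path, mode, xattrs):
    """T1564.009: a resource fork on an executable is the icon trick; on a document it is
    usually just a custom icon, so the reason records which case this is."""
    if RESOURCE_FORK_XATTR not in xattrs:
        return None
    kind = "executable" if mode & 0o111 else "non-executable"
    return Finding("T1564.009", path, f"resource fork on {kind} file")

def check_mode(path, mode):
    """T1548.001: setuid or setgid on a regular file."""
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        return Finding("T1548.001", path, f"setuid/setgid bit set, mode {oct(mode & 0o7777)}")
    return None

def hunt(records):
    findings = []
    for r in records:
        if r.plist is not None and r.path.endswith(".plist"):
            findings.extend(check_launch_agent(r.path, r.plist))
        checks = (check_filename(r.path), check_xattrs(r.path, r.mode, r.xattrs), check_mode(r.path, r.mode))
        findings.extend(f for f in checks if f is not None)
    return findings

def high_value_paths(findings):
    """Paths hit by two or more distinct techniques: the combinations the page asks for."""
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path, set()).add(f.technique)
    return {p for p, techs in by_path.items() if len(techs) >= 2}

# Constructed sample input (not real captures); labels, paths and plists are invented.
MALICIOUS_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>'
                   b"<key>ProgramArguments</key><array><string>/usr/bin/python</string>"
                   b"<string>/Users/alice/Library/Application Support/.updater.py</string></array>"
                   b"<key>RunAtLoad</key><true/></dict></plist>")
BENIGN_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.vendor.agent</string>'
                b"<key>ProgramArguments</key><array><string>/Applications/Vendor.app/Contents/MacOS/agent"
                b"</string></array></dict></plist>")
SAMPLE_RECORDS = [
    FileRecord("/Users/alice/Library/LaunchAgents/com.example.updater.plist", 0o100644, (), MALICIOUS_PLIST),
    FileRecord("/Library/LaunchAgents/com.vendor.agent.plist", 0o100644, (), BENIGN_PLIST),
    FileRecord("/Users/alice/Downloads/screenshot.jpg ", 0o100755, ("com.apple.ResourceFork", "com.apple.quarantine")),
    FileRecord("/Users/alice/Library/Application Support/.updater", 0o104755, ()),
    FileRecord("/Users/alice/Pictures/holiday.jpg", 0o100644, ("com.apple.quarantine",)),
]
```

On the constructed sample, hunt(SAMPLE_RECORDS) returns five findings and high_value_paths() returns two paths: the per-user Launch Agent (Python interpreter plus a script in a user-writable location) and the "screenshot.jpg " file (trailing space plus resource fork on an executable). The vendor agent in /Library/LaunchAgents and the plain photo with only a quarantine attribute produce nothing, which is the baseline behaviour the detection guidance on this page asks for.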

Detection direction

  • Build detections around combinations of behaviors rather than one indicator: Launch Agent persistence plus unusual Python execution, credential prompting, keychain/securityd access, or suspicious outbound web traffic is higher value than any single event.
  • Tune for macOS-specific blind spots, including per-user LaunchAgents, extended attributes/resource forks, and filename presentation tricks that may not be obvious in standard file listings.
  • Baseline legitimate administrative use of Python, Launch Agents, and setuid/setgid binaries to reduce false positives while preserving visibility into new, user-writable, or unusual locations.
  • Ensure network monitoring can investigate web-protocol command-and-control without relying only on source attribution, since the related Multi-hop Proxy technique means the visible remote endpoint may not represent the original operator infrastructure.
  • Because MITRE supplies no official detection guidance for this object, require validation through controlled defensive testing, retrospective hunting, and IR evidence collection on representative macOS systems.
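A worked example for the network point above (web-protocol command and control through a tor2web-style proxy), added here and not code from MITRE, Glexia or the Keydnap authors. A tor2web gateway exposes a Tor onion service as an ordinary HTTPS hostname of the form <onion-address>.<gateway-domain>, so the proxy records a normal-looking CONNECT and the upstream peer IP belongs to the gateway rather than to the operator; the onion label is the identifier worth pivoting on. The gateway suffix list, the Squid-style log lines and the onion labels are constructed assumptions; the log layout follows Squid's native access.log field order (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type).

```python
"""Flag tor2web-style C2 hosts in proxy logs and pivot on the onion address.

Added example, not code from MITRE, Glexia or the Keydnap authors. The gateway suffix
list is an illustrative assumption; maintain your own. Onion labels are base32
([a-z2-7]) and either 16 characters (v2) or 56 characters (v3).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

TOR2WEB_SUFFIXES = ("onion.to", "onion.cab", "onion.link", "tor2web.org")  # assumption: illustrative
_ONION_VIA_GATEWAY = re.compile(
    r"(?:^|\.)(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.(?P<gateway>"
    + "|".join(re.escape(s) for s in TOR2WEB_SUFFIXES) + r")$")

@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    onion: str     # onion label without ".onion": stable across gateways and peer IPs
    gateway: str
    peer: str      # the proxy's upstream peer, i.e. the gateway, not the operator

def host_from_url(url):
    """Squid logs CONNECT targets as host:port and other methods as full URLs."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()

def classify_host(host):
    m = _ONION_VIA_GATEWAY.search(host)
    return (m.group("onion"), m.group("gateway")) if m else None

def parse_squid_line(line):
    """Squid native access.log: time elapsed client code/status bytes method url ident hier/peer type."""
    f = line.split()
    if len(f) < 9:
        return None
    return {"client": f[2], "method": f[5], "url": f[6], "peer": f[8].split("/", 1)[-1]}

def find_tor2web_c2(lines):
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        host = host_from_url(rec["url"])
        cls = classify_host(host)
        if cls:
            hits.append(Hit(rec["client"], host, cls[0], cls[1], rec["peer"]))
    return hits

def pivot_by_onion(hits):
    """Group clients by onion address; two hosts on different gateways or peer IPs
    that resolve to the same onion are the same operator endpoint."""
    out = {}
    for h in hits:
        out.setdefault(h.onion, set()).add(h.client)
    return out

# Constructed sample log (not real traffic); onion labels are filler, IPs are documentation ranges.
SAMPLE_LOG = """\
1467817200.101   1532 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT xm7y3qgt2zb5pkwn.onion.to:443 - HIER_DIRECT/203.0.113.10 -
1467817201.220     88 10.0.0.5 TCP_MISS/200 9120 GET https://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html
1467817260.004    410 10.0.0.7 TCP_MISS/200 512 GET http://www.example.org/blog/onion.to - HIER_DIRECT/198.51.100.21 text/html
1467817301.987   2210 10.0.0.5 TCP_TUNNEL/200 8800 CONNECT abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.tor2web.org:443 - HIER_DIRECT/203.0.113.11 -
1467817302.500     60 10.0.0.9 TCP_TUNNEL/200 3300 CONNECT XM7Y3QGT2ZB5PKWN.onion.to:443 - HIER_DIRECT/203.0.113.12 -
"""
```

Run find_tor2web_c2(SAMPLE_LOG.splitlines()) and three of the five constructed lines are flagged; the URL that merely contains "onion.to" in its path is not, because the check is on the hostname. pivot_by_onion() then shows that two clients reached the same v2 onion through different gateway peers, which is the pivot the Multi-hop Proxy relationship argues for instead of blocking or attributing the visible IP.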

Mitigation priorities

  • Harden macOS identity exposure first: minimize stored secrets where feasible, protect privileged accounts, and ensure rapid credential rotation procedures exist for suspected keychain theft.
  • Restrict and monitor persistence paths, especially user and system LaunchAgents, with change control for approved management tools.
  • Review privilege boundaries and file permissions to reduce unnecessary setuid/setgid exposure on macOS systems.
  • Govern scripting execution, including Python, through approved administrative workflows and endpoint monitoring rather than unmanaged local execution.
  • Improve user-awareness and helpdesk workflows for unexpected credential prompts, especially prompts appearing after opening downloaded or unusual files.

Analyst notes and limits

The available ATT&CK object is sparse: Keydnap is described as macOS malware that steals user keychain content and maintains a permanent backdoor, with no official detection section and no tactics listed directly on the malware object. The strongest defensive context comes from its ATT&CK relationships to techniques covering stealth, execution, command-and-control, persistence, privilege escalation, collection, and credential access.

This take uses only the supplied ATT&CK fields, references, and relationships. It does not assert current activity, attribution, prevalence, specific indicators, customer exposure, or guaranteed detection. Local macOS configuration, endpoint tooling, identity architecture, and logging retention determine actual risk and coverage.

Official MITRE ATT&CK definition

Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Techniques used (9 rows). Citation keys: [1] = OSX Keydnap malware, [5] = synack 2016 review.

Domain | ID | Name | Relationship / procedure
Enterprise | T1090.003 | Multi-hop Proxy (sub-technique) | Keydnap uses a copy of tor2web proxy for HTTPS communications. [5]
Enterprise | T1071.001 | Web Protocols (sub-technique) | Keydnap uses HTTPS for command and control. [5]
Enterprise | T1555.002 | Securityd Memory (sub-technique) | Keydnap uses the keychaindump project to read securityd memory. [5]
Enterprise | T1564.009 | Resource Forking (sub-technique) | Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system. [1]
Enterprise | T1548.001 | Setuid and Setgid (sub-technique) | Keydnap adds the setuid flag to a binary so it can easily elevate in the future. [1]
Enterprise | T1056.002 | GUI Input Capture (sub-technique) | Keydnap prompts the users for credentials. [5]
Enterprise | T1036.006 | Space after Filename (sub-technique) | Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program. [5]
Enterprise | T1059.006 | Python (sub-technique) | Keydnap uses Python for scripting to execute additional commands. [5]
Enterprise | T1543.001 | Launch Agent (sub-technique) | Keydnap uses a Launch Agent to persist. [5]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: (not shown in this snapshot)
Modified: (not shown in this snapshot)
Raw hash: 950e4f52e249eea5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.2 | (not shown) | Current bundle | 950e4f52e249…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] OSX Keydnap malware. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. (Link to source URL on the original page.)
  2. [2] Keydnap. Alias record for citation key "synack 2016 review"; see [5].
  3. [3] OSX/Keydnap. Alias record for citation key "OSX Keydnap malware"; see [1].
  4. [4] mitre-attack S0276. The S0276 software entry on attack.mitre.org. (Link to source URL on the original page.)
  5. [5] synack 2016 review. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018. (Link to source URL on the original page.)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.