
S0277: FruitFly

FruitFly is designed to spy on Mac users [1].

Domain: Enterprise | ID: S0277 | Type: Malware | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FruitFly matters because it represents macOS-focused spyware behavior, not just generic malware. For leaders, the key issue is whether Mac endpoints are included in the same detection, investigation, and evidence-retention expectations as Windows systems. The ATT&CK relationships show behaviors associated with discovery, screen capture, persistence through Launch Agents, command obfuscation, file deletion, and hidden files, which can affect confidentiality and incident reconstruction.

Executive priority

Treat this as a macOS visibility and readiness checkpoint. Executives should ask whether security monitoring covers macOS process activity, Launch Agent changes, file-system discovery, screen capture behavior, and attempts to hide or delete artifacts. This is especially relevant where Macs are used by executives, developers, administrators, or other users with access to sensitive data. Because MITRE provides no official detection text for FruitFly, priority should be on validating telemetry and response procedures rather than assuming existing controls provide coverage.

Technical view

SOC and IR teams should validate macOS detection coverage around the related ATT&CK behaviors: T1543.001 Launch Agent persistence, T1057 Process Discovery, T1083 File and Directory Discovery, T1113 Screen Capture, T1027.010 Command Obfuscation, T1070.004 File Deletion, and T1564.001 Hidden Files and Directories. Practical validation should focus on whether endpoint logs preserve process execution context, command lines where available, file creation/modification/deletion events, hidden-file indicators, and Launch Agent plist changes. Since no FruitFly-specific detection guidance is supplied, detection engineering should be behavior-led and scoped to macOS.

Likely telemetry

  • macOS endpoint process execution telemetry
  • command-line or script execution details where collected
  • Launch Agent plist creation or modification events in standard LaunchAgent locations
  • file and directory enumeration activity
  • file creation, deletion, and modification events

Detection direction

  • Confirm macOS hosts are onboarded to endpoint monitoring and are not excluded from managed detection workflows.
  • Build or validate behavior-based detections for unusual Launch Agent creation or modification, especially when paired with suspicious process execution.
  • Correlate discovery activity, screen capture behavior, hidden files, and file deletion rather than relying on a single indicator.
  • Review command-obfuscation analytics for macOS command and scripting activity; tune for administrative false positives.
  • Ensure file deletion and hidden-file activity are retained long enough to support incident reconstruction.
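One way to turn the Launch Agent and hidden-file points above into a concrete, repeatable check, as an added example that is not part of the Glexia page or of MITRE's material: a Python audit of the standard LaunchAgents directories that flags plists whose program or arguments contain a "."-prefixed path component (T1564.001), that hand a script in a user-writable location to an interpreter (the obfuscated-Perl pattern, T1027.010), or that are set to start at login and restart whenever they exit. The directory list, interpreter set and user-writable prefixes are assumptions, and the sample plist is constructed for the demonstration.

```python
import plistlib
from pathlib import Path

# Assumed audit scope: the two standard Launch Agent directories (T1543.001).
LAUNCH_AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "zsh", "osascript"}  # assumed list
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")  # assumed prefixes

def review_reasons(plist):
    """Return the reasons a parsed Launch Agent dictionary deserves analyst review."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    prog = args[0] if args else plist.get("Program")
    if prog is None:
        return ["no Program or ProgramArguments key"]
    reasons = []
    # Hidden-file persistence (T1564.001): a "."-prefixed component in the program or its arguments.
    for item in [prog] + args[1:]:
        if any(part.startswith(".") and part != ".." for part in Path(item).parts):
            reasons.append(f"hidden path component: {item}")
    # Interpreter executing a script from a user-writable location (cf. obfuscated Perl, T1027.010).
    if Path(prog).name in INTERPRETERS and any(a.startswith(USER_WRITABLE) for a in args[1:]):
        reasons.append(f"{Path(prog).name} runs a script from a user-writable path")
    # RunAtLoad plus KeepAlive: starts at login and is restarted by launchd whenever it exits.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive both set (always-on agent)")
    return reasons

def audit_plist_bytes(data):
    """Parse one plist (XML or binary) and return its review reasons."""
    try:
        return review_reasons(plistlib.loads(data))
    except Exception:  # malformed or non-plist content in an agent directory is itself worth a look
        return ["unparseable plist"]

def audit_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Map every .plist in the given directories (hidden names included) to its review reasons."""
    results = {}
    for d in dirs:
        for p in sorted(d.iterdir()) if d.is_dir() else []:
            if p.suffix == ".plist":
                results[str(p)] = audit_plist_bytes(p.read_bytes())
    return results

# Constructed sample plist (not taken from any real sample) used to exercise the checks.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/perl</string><string>/Users/demo/.hidden/agent.pl</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

Running `audit_launch_agents()` on a Mac prints nothing by itself; iterate its result and treat any non-empty reason list as a triage item, tuning the interpreter and path lists for legitimate administrative agents.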

Mitigation priorities

  • Prioritize macOS asset coverage in endpoint monitoring, incident response playbooks, and evidence retention.
  • Harden and monitor Launch Agent locations because the related technique includes macOS persistence through Launch Agents.
  • Limit unnecessary privileges and review user contexts on high-value Mac systems to reduce the value of discovery and collection activity.
  • Establish response procedures for suspected spyware behavior, including preservation of volatile process context and file-system artifacts.
  • Use behavior-focused control validation for discovery, screen capture, hidden files, file deletion, and obfuscated command execution rather than depending on malware name matching alone.

Analyst notes and limits

The supplied ATT&CK object is sparse: FruitFly is described as malware designed to spy on Mac users, with macOS as the only listed platform and no official detection section. The most useful defensive context comes from the relationships to ATT&CK techniques, which indicate the behaviors defenders should validate in macOS telemetry.

This take does not assert current activity, attribution, prevalence, specific indicators, or guaranteed detection. Tactics are not specified on the malware object itself, and mitigation guidance is derived conservatively from the supplied related techniques and platform context. Local logging, EDR configuration, and macOS fleet composition determine actual coverage.

Official MITRE ATT&CK definition

FruitFly

FruitFly is designed to spy on Mac users [1].

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Citations marked [1] refer to "objsee mac malware 2017" in the source references below.

Domain | ID | Name | Relationship / procedure
Enterprise | T1057 | Process Discovery | FruitFly has the ability to list processes on the system. [1]
Enterprise | T1070.004 | File Deletion (sub-technique) | FruitFly will delete files on the system. [1]
Enterprise | T1113 | Screen Capture | FruitFly takes screenshots of the user's desktop. [1]
Enterprise | T1027.010 | Command Obfuscation (sub-technique) | FruitFly executes and stores obfuscated Perl scripts. [1]
Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | FruitFly saves itself with a leading "." to make it a hidden file. [1]
Enterprise | T1083 | File and Directory Discovery | FruitFly looks for specific files and file types. [1]
Enterprise | T1543.001 | Launch Agent (sub-technique) | FruitFly persists via a Launch Agent. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: cead3fcd5beaa00c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | cead3fcd5bea…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] objsee mac malware 2017: Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  2. [2] FruitFly (Citation: objsee mac malware 2017).
  3. [3] mitre-attack S0277: MITRE ATT&CK source record for S0277.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.