S0278: iKitten
Analyst context for executives and security teams
iKitten matters because it represents macOS-focused malware described by ATT&CK as an exfiltration agent. Even though the ATT&CK entry is sparse, its linked behaviors point to a practical risk pattern: discovery of the host and network, persistence through Unix-style startup scripts, credential collection from macOS Keychain or deceptive GUI prompts, packaging of collected data, and use of hidden files or directories. For leaders, the decision point is whether macOS endpoints are covered with the same visibility, credential protection, and response playbooks as Windows and server assets.
Executive priority
Treat this as a macOS resilience and data-protection coverage check. Security leaders should ask whether managed detection, incident response, and audit evidence include macOS endpoint telemetry for persistence, credential access, file hiding, archiving, and suspicious data collection. This is especially relevant where macOS systems handle executive communications, developer credentials, certificates, cloud access, or sensitive business data. Budget and control prioritization should focus on closing macOS blind spots rather than assuming existing endpoint controls provide equivalent coverage across platforms.
Technical view
ATT&CK does not provide detection text for iKitten, so SOC and IR teams should validate coverage through the related techniques: System Network Configuration Discovery, RC Scripts, GUI Input Capture, Process Discovery, Keychain access, Archive via Utility, and Hidden Files and Directories. On macOS, defenders should confirm visibility into process execution, command-line arguments where available, startup script modification, suspicious access to Keychain-related data, creation or use of hidden files and directories, and archive utility execution near sensitive file access. Detection should be behavior-based and correlated, because individual events such as process listing, network configuration checks, or archive creation may be legitimate in isolation.
Likely telemetry
- macOS endpoint process execution and parent-child process context
- Command-line activity for network configuration discovery, process discovery, and archive utilities
- File creation, modification, and permission changes for RC scripts and startup-related paths
- Filesystem evidence of hidden files or hidden directories
- Keychain access events or endpoint telemetry indicating attempts to access stored credentials, certificates, or sensitive application data
Detection direction
- Build detections around combinations of behaviors rather than single indicators: discovery followed by credential access, archive creation, hidden file use, or persistence changes is more meaningful than any one event alone.
- Validate that macOS telemetry is normalized into the SOC pipeline with enough detail to distinguish administrative activity from suspicious scripted behavior.
- Monitor for unauthorized modification of RC scripts and startup-related files, noting that legitimate administrators may also use these mechanisms.
- Review Keychain access monitoring and alerting, with attention to processes that do not normally request credential, certificate, or secure note access.
- Tune archive-utility detections to reduce false positives from normal user compression workflows by considering source process, target paths, timing, and proximity to other discovery or credential-access activity.
Mitigation priorities
- Prioritize macOS endpoint visibility first: ensure process, file, persistence, credential-access, and archive activity are collected and retained for investigation.
- Restrict and monitor administrative/root-level changes required to modify RC scripts and similar startup mechanisms.
- Harden credential handling on macOS by limiting unnecessary Keychain access and reviewing which applications can access stored secrets, certificates, and sensitive data.
- Apply least privilege for users and administrative workflows so malware has less opportunity to persist or access protected credential stores.
- Establish incident response playbooks for macOS that include persistence review, Keychain exposure assessment, hidden file discovery, archive staging review, and data-access scoping.
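A filesystem triage pass covering three of the playbook items above (persistence review of rc scripts, hidden file discovery, and archive staging review), as an added example rather than tooling from the page or from ATT&CK. It takes a root directory so it can be pointed at a mounted image or, as here, at a constructed fixture; the trusted-prefix list and the rc-script heuristic are assumptions, and the output is a review list, not a verdict.

```python
"""Filesystem triage for the artifacts ATT&CK links to S0278, run against a
root directory so it can target a mounted image or the constructed fixture
below (added example, not tooling from the page or from ATT&CK; the path
lists and heuristics are assumptions)."""
import os
import stat
import tempfile
import zipfile

RC_FILES = ("etc/rc.common", "etc/rc.local")
SCAN_ROOTS = ("Users", "tmp", "private/tmp", "var/tmp")
TRUSTED = ("/bin/", "/sbin/", "/usr/", "/etc/", "/System/", "/Library/Apple/")


def is_hidden_path(path):
    """True when any component of the path is a dot-file or dot-directory."""
    return any(p.startswith(".") and p not in (".", "..")
               for p in path.split("/") if p)


def suspicious_rc_lines(root):
    """rc.common/rc.local lines referencing an absolute path outside the trusted
    prefixes or containing a hidden component. A legitimate admin addition also
    trips this, so the result is a review list."""
    hits = []
    for rel in RC_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                text = line.strip()
                if not text or text.startswith("#"):
                    continue
                for tok in text.replace("&", " ").split():
                    if tok.startswith("/") and (is_hidden_path(tok)
                                                or not tok.startswith(TRUSTED)):
                        hits.append((rel, n, text))
                        break
    return hits


def hidden_executables(root):
    """Regular files with an execute bit under a dot-prefixed path component."""
    hits = []
    for base in SCAN_ROOTS:
        for dirpath, _, files in os.walk(os.path.join(root, base)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = "/" + os.path.relpath(full, root)
                st = os.lstat(full)
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111 and is_hidden_path(rel):
                    hits.append(rel)
    return sorted(hits)


def keychain_archives(root):
    """Zip files whose member list points at keychain stores (archive staging)."""
    hits = []
    for base in SCAN_ROOTS:
        for dirpath, _, files in os.walk(os.path.join(root, base)):
            for name in files:
                full = os.path.join(dirpath, name)
                if not zipfile.is_zipfile(full):
                    continue
                with zipfile.ZipFile(full) as zf:
                    members = [m for m in zf.namelist() if "/Keychains/" in m
                               or m.endswith((".keychain", ".keychain-db"))]
                if members:
                    hits.append(("/" + os.path.relpath(full, root), members))
    return sorted(hits)


def triage(root):
    return {"rc_scripts": suspicious_rc_lines(root),
            "hidden_executables": hidden_executables(root),
            "keychain_archives": keychain_archives(root)}


def build_fixture(root):
    """Constructed macOS-like tree: one benign and one suspicious item per check."""
    def put(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
        os.chmod(full, mode)
    put("etc/rc.common", "#!/bin/sh\n. /etc/hostconfig\n/Users/alice/Library/.ikit/agent &\n")
    put("Users/alice/Library/.ikit/agent", "#!/bin/sh\n", 0o755)   # hidden and executable
    put("Users/alice/.zshrc", "export PATH=$PATH\n")               # hidden, not executable
    put("Users/bob/bin/build.sh", "#!/bin/sh\n", 0o755)            # executable, not hidden
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "tmp", ".kc.zip"), "w") as zf:
        zf.writestr("Users/alice/Library/Keychains/login.keychain-db", b"not a real keychain")
    with zipfile.ZipFile(os.path.join(root, "Users", "bob", "report.zip"), "w") as zf:
        zf.writestr("Documents/report.txt", b"quarterly numbers")


def demo():
    """Build the fixture in a temporary directory and return the triage result."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return triage(root)
```

`demo()` returns one rc.common hit (the dot-directory agent launched from line 3), one hidden executable, and one archive containing a keychain store; the benign `.zshrc`, `build.sh` and `report.zip` are not reported. Against a real image, pass the mount point to `triage()` and treat hits as leads for the persistence and Keychain-exposure steps of the playbook.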
Analyst notes and limits
The ATT&CK object identifies iKitten as a macOS exfiltration agent and provides relationships to several techniques that give useful defensive direction. The most important operational takeaway is not a specific indicator, but the need to validate macOS coverage for discovery, persistence, credential access, collection preparation, and hiding behavior. Local baselining is essential because many related behaviors can overlap with legitimate administration or user activity.
The supplied ATT&CK object has no official detection text, no listed tactics on the malware object itself, no aliases, and limited description. This take uses only the supplied official description, external references, and relationship context. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Environment-specific telemetry, asset criticality, and user behavior are required to assess actual risk.
iKitten
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | iKitten will look for the current IP address. [1] |
| Enterprise | T1056.002 | GUI Input Capture | iKitten prompts the user for their credentials. [1] |
| Enterprise | T1057 | Process Discovery | iKitten lists the current processes running. [1] |
| Enterprise | T1560.001 | Archive via Utility | iKitten will zip up the /Library/Keychains directory before exfiltrating it. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories | iKitten saves itself with a leading "." so that it's hidden from users by default. [1] |
| Enterprise | T1555.001 | Keychain | iKitten collects the keychains on the system. [1] |
| Enterprise | T1037.004 | RC Scripts | iKitten adds an entry to the rc.common file for persistence. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d54716185b24… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] objsee mac malware 2017: Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- [2] OSX/MacDownloader (Citation: objsee mac malware 2017).
- [3] iKitten (Citation: objsee mac malware 2017).
- [4] mitre-attack S0278.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.