S0282: MacSpy
Analyst context for executives and security teams
MacSpy matters because it is described by ATT&CK as macOS malware-as-a-service and is linked to behaviors that can expose credentials and sensitive user activity: keylogging, screen capture, clipboard collection, audio capture, persistence through Launch Agents, hiding files, deleting traces, and web-based command-and-control that may use multi-hop proxying. For leaders, the practical issue is not only “Mac malware exists,” but whether macOS endpoints are covered by the same monitoring, response, and evidence standards as Windows systems.
Executive priority
Prioritize MacSpy as a validation case for macOS endpoint resilience and incident readiness. It touches credential-access and collection behaviors that can affect executive devices, privileged users, developers, and staff handling sensitive data. Security leaders should ask whether macOS telemetry is collected, retained, and actionable for investigations; whether privacy-sensitive signals such as screen, microphone, clipboard, and keystroke access are governed; and whether Launch Agent persistence and suspicious web-protocol traffic are visible enough to support audit and incident response decisions.
Technical view
ATT&CK does not provide a detection analytic for MacSpy, so SOC and detection teams should validate coverage against the related techniques: T1056.001 Keylogging, T1113 Screen Capture, T1115 Clipboard Data, T1123 Audio Capture, T1543.001 Launch Agent, T1564.001 Hidden Files and Directories, T1070.004 File Deletion, T1071.001 Web Protocols, and T1090.003 Multi-hop Proxy. Focus on macOS host evidence for persistence, suspicious file creation/deletion or hidden paths, and unusual access to user input or capture capabilities, then correlate with outbound HTTP/S or other web-protocol traffic that does not match expected application behavior.
Likely telemetry
- macOS endpoint process execution and parent/child process activity
- Launch Agent plist creation or modification in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents where available
- File-system events for hidden files/directories and suspicious file deletion
- Endpoint security or EDR events showing access to keyboard input, screenshots, clipboard contents, microphone, or related capture APIs where available
- Network telemetry for outbound web-protocol traffic from macOS hosts
Detection direction
- Use the relationship set as the detection map: persistence through Launch Agents plus collection behaviors plus web-protocol command-and-control is more meaningful than any single event alone.
- Tune for macOS-specific persistence changes, especially newly created or modified Launch Agent plist files tied to unusual binaries, hidden paths, or unexpected user contexts.
- Correlate capture-related activity with outbound network sessions; screen, clipboard, audio, or keylogging indicators become higher priority when followed by unusual web-protocol traffic.
- Expect blind spots if macOS endpoint logging, privacy-permission telemetry, DNS/proxy logging, or file-system monitoring is incomplete.
- Avoid over-alerting on legitimate administration, collaboration, accessibility, and security tools that may use screen, microphone, clipboard, or input-monitoring capabilities; require context such as signer, path, user, frequency, and network destination.
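The detection map above, as an added worked example that is not part of the ATT&CK entry or Glexia's tooling: it stages constructed sample endpoint events per host and program and flags only the combination of Launch Agent persistence, capture access and web-protocol traffic. The event schema, field names and sample paths are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema: ts, host, type, program + type-specific fields).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "mac-01", "type": "file_write",
     "program": "/Users/alice/Library/.updater/updater",
     "path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist"},
    {"ts": "2024-05-01T09:00:30", "host": "mac-01", "type": "capture_access",
     "program": "/Users/alice/Library/.updater/updater", "capability": "screen"},
    {"ts": "2024-05-01T09:01:10", "host": "mac-01", "type": "net_conn",
     "program": "/Users/alice/Library/.updater/updater", "dst_port": 80},
    {"ts": "2024-05-01T10:00:00", "host": "mac-02", "type": "capture_access",
     "program": "/Applications/Meet.app/Contents/MacOS/Meet", "capability": "microphone"},
]
CAPTURE_CAPS = {"screen", "clipboard", "microphone", "keyboard"}
WEB_PORTS = {80, 443, 8080}


def is_hidden_path(path):
    """True if any component is a dot-file or dot-directory (T1564.001-style hiding)."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def classify(ev):
    """Map one event to a stage of the detection map, or None if it is not relevant."""
    if ev["type"] == "file_write" and "/Library/LaunchAgents/" in ev["path"] \
            and ev["path"].endswith(".plist"):
        return "persistence"   # T1543.001 Launch Agent (covers /Library, /System/Library, ~/Library)
    if ev["type"] == "capture_access" and ev["capability"] in CAPTURE_CAPS:
        return "collection"    # T1056.001 / T1113 / T1115 / T1123
    if ev["type"] == "net_conn" and ev["dst_port"] in WEB_PORTS:
        return "c2"            # T1071.001 Web Protocols
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group staged events by (host, program); flag only when all three stages occur within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_key[(ev["host"], ev["program"])].append((datetime.fromisoformat(ev["ts"]), stage))
    results = {}
    for key, items in by_key.items():
        items.sort()
        stages = {s for _, s in items}
        span = items[-1][0] - items[0][0]          # first-to-last staged event for this program
        results[key] = {"stages": stages, "hidden_path": is_hidden_path(key[1]),
                        "flagged": stages == {"persistence", "collection", "c2"} and span <= window}
    return results
```

The hidden-path flag is reported as context for triage (signer, user and destination would be added the same way) rather than being required, so a legitimate capture-capable app with a single stage is not flagged.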
Mitigation priorities
- Ensure macOS endpoints are included in managed detection, endpoint protection, asset inventory, and incident response playbooks.
- Harden and monitor Launch Agent locations and review unauthorized persistence mechanisms during macOS investigations.
- Apply least privilege and review macOS privacy/accessibility permissions for applications that can monitor input, capture screens, access microphones, or read clipboard data.
- Maintain centralized DNS, proxy, firewall, and endpoint telemetry for macOS systems to support command-and-control investigation over web protocols.
- Use security awareness and software control processes to reduce exposure to untrusted macOS software, while recognizing ATT&CK only identifies MacSpy as malware-as-a-service and does not provide an initial access method here.
Analyst notes and limits
The official ATT&CK entry for MacSpy is sparse: it identifies the software as macOS malware-as-a-service offered on the darkweb and provides relationships to several ATT&CK techniques. The strongest defensive value is using those relationships to test macOS monitoring and response coverage across credential access, collection, persistence, stealth, and command-and-control.
No official ATT&CK detection text, aliases, labels, or malware-specific tactics were provided for this object. This take does not assert active exploitation, attribution, prevalence, customer exposure, or guaranteed detectability. Local validation is required to determine whether the organization collects the telemetry needed to detect or investigate these behaviors.
MacSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion Sub-technique | MacSpy deletes any temporary files it creates. (Citation: alientvault macspy) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | MacSpy uses HTTP for command and control. (Citation: objsee mac malware 2017) |
| Enterprise | T1543.001 | Launch Agent Sub-technique | MacSpy persists via a Launch Agent. (Citation: objsee mac malware 2017) |
| Enterprise | T1115 | Clipboard Data | MacSpy can steal clipboard contents. (Citation: objsee mac malware 2017) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | MacSpy stores itself in |
| Enterprise | T1123 | Audio Capture | MacSpy can record the sounds from microphones on a computer. (Citation: objsee mac malware 2017) |
| Enterprise | T1113 | Screen Capture | MacSpy can capture screenshots of the desktop over multiple monitors. (Citation: objsee mac malware 2017) |
| Enterprise | T1056.001 | Keylogging Sub-technique | MacSpy captures keystrokes. (Citation: objsee mac malware 2017) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b479d4e8e828… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] objsee mac malware 2017: Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- [2] MacSpy (Citation: objsee mac malware 2017).
- [3] mitre-attack S0282.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.