MITRE ATT&CK® Malware

S0312: WireLurker

WireLurker is a family of macOS malware that targets iOS devices connected over USB. [1]

Domain: Mobile · ID: S0312 · Type: Malware · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

WireLurker matters because it represents a bridge between a macOS endpoint and iOS devices connected over USB. For leaders, the practical risk is not just one malware family; it is whether corporate laptops, unmanaged Macs, and mobile devices can become a cross-device infection path that bypasses normal app-store or network-focused controls.

Executive priority

Prioritize questions around mobile-device trust, USB governance, and endpoint visibility: which Macs are allowed to sync with corporate iOS devices, what evidence exists when a device is connected over USB, and whether security teams can prove that unauthorized or suspicious mobile app installation attempts would be noticed. This is relevant to operational resilience, incident scoping, compliance evidence for device control, and mobile/endpoint incident response readiness.

Technical view

ATT&CK provides no dedicated detection text, platforms, or tactics for this malware object, so validation should be relationship-driven. WireLurker is described as macOS malware targeting iOS devices over USB and is linked to two Mobile-domain techniques: Obfuscated Files or Information (T1406) and Replication Through Removable Media (T1458). SOC and IR teams should test whether they can correlate, within a short time window, suspicious macOS file and process activity, obfuscated-payload indicators, USB connection and pairing events for iOS devices, and application installation or trust changes on the connected device.

Likely telemetry

  • macOS endpoint process, file, quarantine, and malware/EDR events
  • USB device connection, pairing, sync, or removable-media activity from managed endpoints
  • Mobile device management records for iOS device enrollment, installed applications, profiles, and trust changes
  • File analysis or sandbox results showing encoded, encrypted, compressed, or otherwise obfuscated payloads
  • Incident response artifacts from macOS hosts and connected mobile devices, including timestamps needed to reconstruct device-to-host interaction

Detection direction

  • Confirm whether USB-connected mobile device activity is logged and retained; many environments monitor network and endpoint behavior but have weak visibility into physical device connections.
  • Tune detections for suspicious macOS activity that coincides with iOS device connection or sync events rather than relying on a single malware signature.
  • Use the T1406 relationship to validate analysis coverage for obfuscated files or payloads, while allowing for benign compressed or packaged software as a false-positive source.
  • Use the T1458 relationship to review removable-media and USB-mediated replication assumptions, especially where mobile devices are allowed to connect to corporate or administrator workstations.
  • Because ATT&CK provides no official detection guidance for this object, require local baselining and incident-response validation before treating coverage as reliable.
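As an added illustration of the correlation called for in the technical view and the detection direction above (this is not Glexia or MITRE code, and no WireLurker-specific indicator is used), the following Python script joins constructed USB-attachment, EDR and MDM events on host, device label and a time window, suppresses allow-listed developer tooling, and scores what remains. The event line format, host names, device labels, the temp-path and hidden-path heuristics, and the allow-list of Xcode and Apple Configurator are all assumptions to be replaced by your own telemetry mapping.

```python
"""Time-window correlation of iOS USB attachments with host and MDM activity.

Added example; not Glexia or MITRE code. Event format, hosts, device labels,
path heuristics and the tool allow-list are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed heuristic: payload staging under temp or hidden paths is suspicious ...
TEMP_PREFIXES = ("/private/tmp/", "/tmp/", "/private/var/tmp/")
# ... unless the process belongs to a tool that legitimately installs apps over USB.
TOOL_ALLOWLIST = ("/Applications/Xcode.app/", "/Applications/Apple Configurator.app/")

# Constructed sample events (not real telemetry). Columns: ts source subject kind attrs
# "subject" is the host for usb/edr events and the device label for mdm events.
SAMPLE_LOG = """\
2024-03-01T09:00:00 usb mac-01 ios_attached device=device-A
2024-03-01T09:00:40 edr mac-01 process_start path=/private/tmp/.hidden/update
2024-03-01T09:01:10 edr mac-01 file_write path=/private/tmp/.hidden/pkg.ipa
2024-03-01T09:03:00 mdm device-A app_installed bundle=com.example.unknown src=sideload
2024-03-01T10:00:00 usb mac-02 ios_attached device=device-B
2024-03-01T10:00:30 edr mac-02 process_start path=/Applications/Xcode.app/Contents/MacOS/Xcode
2024-03-01T10:02:00 mdm device-B app_installed bundle=com.corp.internal src=managed
2024-03-01T14:00:00 edr mac-03 process_start path=/private/tmp/foo
"""


@dataclass
class Event:
    ts: datetime
    source: str    # usb | edr | mdm
    subject: str   # host name (usb, edr) or device label (mdm)
    kind: str
    attrs: dict


def parse_events(text: str) -> list[Event]:
    """Parse one event per line; trailing key=value pairs become attrs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, subject, kind, *rest = line.split(maxsplit=4)
        attrs = dict(kv.split("=", 1) for kv in rest[0].split()) if rest else {}
        events.append(Event(datetime.fromisoformat(ts), source, subject, kind, attrs))
    return events


def suspicious_path(path: str) -> bool:
    """Temp-dir or hidden-component paths, except allow-listed install tools."""
    if path.startswith(TOOL_ALLOWLIST):
        return False
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    return path.startswith(TEMP_PREFIXES) or hidden


def correlate(events: list[Event]) -> list[dict]:
    """For each iOS attachment, collect host and device findings inside WINDOW."""
    alerts = []
    for a in (e for e in events if e.source == "usb" and e.kind == "ios_attached"):
        end = a.ts + WINDOW
        device = a.attrs.get("device")
        host_findings = [
            e.attrs.get("path", "") for e in events
            if e.source == "edr" and e.subject == a.subject
            and e.kind in ("process_start", "file_write")
            and a.ts <= e.ts <= end
            and suspicious_path(e.attrs.get("path", ""))
        ]
        # Installs not delivered by the MDM itself (src != managed) on the attached device.
        mdm_findings = [
            e.attrs.get("bundle", "") for e in events
            if e.source == "mdm" and e.subject == device
            and e.kind == "app_installed"
            and a.ts <= e.ts <= end
            and e.attrs.get("src") != "managed"
        ]
        if not host_findings and not mdm_findings:
            continue  # an attachment on its own is normal; no alert
        alerts.append({
            "host": a.subject,
            "device": device,
            "attached_at": a.ts.isoformat(),
            "host_findings": host_findings,
            "mdm_findings": mdm_findings,
            # Staged payload on the Mac plus an unmanaged install on the device
            # inside the same window is the host-to-device replication pattern.
            "severity": "high" if host_findings and mdm_findings else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input only mac-01/device-A produces an alert: mac-02's Xcode launch is suppressed by the allow-list and device-B's install is MDM-managed, while mac-03's temp-path process has no attachment to correlate with and is left to ordinary endpoint rules. The window size, allow-list and "managed" source value are the tunables that local baselining has to set.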

Mitigation priorities

  • Establish policy and technical controls for which endpoints may connect to corporate mobile devices over USB.
  • Use mobile device management to restrict unauthorized application installation and monitor device trust, profiles, and app inventory where applicable.
  • Maintain endpoint protection and logging on macOS systems that can interact with mobile devices.
  • Include USB/mobile-device connection evidence in incident response collection procedures and audit evidence packages.
  • Review exceptions for developers, administrators, and support staff, since these users may have legitimate USB workflows that require compensating monitoring rather than blanket blocking.

Analyst notes and limits

The strongest decision value is in treating WireLurker as a reminder that mobile compromise can depend on a trusted host-to-device pairing relationship. The supplied ATT&CK relationships support attention to obfuscation and USB/removable-media-style replication, but they do not provide tactics, object-specific platforms, or official detection analytics.

This take is limited to the supplied ATT&CK object, external references, and relationships. It does not assert current activity, attribution, impact, or guaranteed detection. Local environment details are required to determine whether macOS endpoints, iOS devices, USB connections, and MDM records are actually monitored.

Official MITRE ATT&CK definition

WireLurker

WireLurker is a family of macOS malware that targets iOS devices connected over USB. [1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Mobile · ID: T1458 · Name: Replication Through Removable Media
Relationship / procedure: WireLurker monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device. [1]

Domain: Mobile · ID: T1406 · Name: Obfuscated Files or Information
Relationship / procedure: WireLurker obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in this snapshot)
Modified: (not shown in this snapshot)
Raw hash: a233bbacdc0fdbba...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a233bbacdc0f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] PaloAlto-WireLurker: Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.
  2. [2] WireLurker: Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
  3. [3] mitre-attack S0312: source record for S0312 on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.