
S1016: MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

Domain: Enterprise. ID: S1016. Type: Malware. Object version: 2.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

MacMa matters because it represents a macOS backdoor with broad post-compromise capability: file control and exfiltration, discovery, keylogging, screen/audio capture, persistence, and C2 activity. For leaders, the practical issue is whether macOS endpoints are monitored and governed with the same rigor as Windows systems, especially where executives, developers, administrators, journalists, NGO/government users, or telecom-related staff handle sensitive data.

Executive priority

Prioritize MacMa as a validation case for macOS security readiness rather than as a standalone malware name. ATT&CK links it to Daggerfly and to behaviors that affect confidentiality, credential exposure, persistence, and data loss. Executives should ask whether macOS telemetry supports incident reconstruction, whether Keychain and remote service misuse are monitored, whether C2/exfiltration paths are visible, and whether endpoint controls provide audit-ready evidence for regulated or high-sensitivity users.

Technical view

MacMa is documented for macOS and is related to techniques across discovery, collection, credential access, execution, persistence, defense evasion/impairment, command and control, lateral movement, and exfiltration. SOC and IR teams should validate coverage for Launch Agents, Gatekeeper and code-signing anomalies, Keychain access, shell execution, file and directory enumeration, process/user/system/network discovery, local data staging, file deletion, timestomping, tool transfer, non-application-layer C2, and exfiltration over C2. No official ATT&CK detection guidance is provided for this software object, so detections should be built from the related technique behaviors and local macOS baselines.

Likely telemetry

  • macOS endpoint process execution and command-line telemetry
  • Launch Agent plist creation or modification events
  • File system telemetry for staging, deletion, timestamp changes, and unusual access to sensitive user files
  • Keychain access events where available
  • Network telemetry for outbound C2-like connections and non-application-layer protocol use

Detection direction

  • Map detections to the related ATT&CK techniques instead of relying on a MacMa-specific signature, because the object provides no official detection text.
  • Baseline normal macOS Launch Agent creation, shell usage, Keychain access, and developer/admin tooling to reduce false positives.
  • Correlate discovery commands, file staging, screen/audio capture indicators, and outbound network activity into post-compromise behavior chains.
  • Review visibility gaps around macOS privacy permissions, Gatekeeper/quarantine metadata, and code-signing trust decisions.
  • Tune network monitoring for unusual outbound protocols or C2/exfiltration patterns, while recognizing that protocol-level evidence alone may be noisy.
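One way to turn the Launch Agent part of this detection direction into a runnable check, added here as an example (not Glexia's or MITRE's code): it parses LaunchAgent plists and flags the traits ATT&CK records for MacMa's persistence, namely an Apple-style label outside /System/Library/LaunchAgents, a program under a hidden directory such as /var/root/.local, RunAtLoad, and LimitLoadToSessionType=Aqua. The two sample plists, the temp directory and the benign agent are constructed assumptions, not artifacts from the page.

```python
import plistlib
import tempfile
from pathlib import Path

APPLE_LABEL_PREFIX = "com.apple."                      # label namespace MacMa imitated
SYSTEM_AGENT_DIRS = {"/System/Library/LaunchAgents"}   # where Apple's own agents live

def program_path(plist: dict) -> str:
    """Executable the agent runs: Program, else ProgramArguments[0], else ''."""
    args = plist.get("ProgramArguments") or [""]
    return str(plist.get("Program") or args[0])

def in_hidden_dir(path: str) -> bool:
    """True if any parent component is a dot-directory, e.g. /var/root/.local/softwareupdate."""
    return any(part.startswith(".") for part in Path(path).parts[:-1])

def audit_plist(path: Path) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing matched."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:                 # a malformed plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    label, prog, findings = str(plist.get("Label", "")), program_path(plist), []
    if label.startswith(APPLE_LABEL_PREFIX) and str(path.parent) not in SYSTEM_AGENT_DIRS:
        findings.append(f"Apple-style label {label!r} outside the system agent directory")
    if in_hidden_dir(prog):
        findings.append(f"program lives in a hidden directory: {prog}")
    if findings and plist.get("RunAtLoad"):  # context that raises priority, not a finding alone
        findings.append("RunAtLoad=true (starts at login)")
    if findings and plist.get("LimitLoadToSessionType") == "Aqua":
        findings.append("LimitLoadToSessionType=Aqua (only runs with a GUI user logged in)")
    return findings

def audit_dir(directory: Path) -> dict[str, list[str]]:
    """Map each flagged plist name in a LaunchAgents folder to its findings."""
    return {p.name: f for p in sorted(directory.glob("*.plist")) if (f := audit_plist(p))}

def demo() -> dict[str, list[str]]:
    """Write two constructed plists (sample input, not real artifacts) to a temp dir and audit them."""
    tmp = Path(tempfile.mkdtemp())
    samples = {  # first mirrors the ATT&CK description of MacMa's plist; second is a benign agent
        "com.apple.softwareupdate.plist": {"Label": "com.apple.softwareupdate", "RunAtLoad": True,
            "ProgramArguments": ["/var/root/.local/softwareupdate"], "LimitLoadToSessionType": "Aqua"},
        "com.example.backup.plist": {"Label": "com.example.backup", "RunAtLoad": True,
            "ProgramArguments": ["/usr/local/bin/backup"]},
    }
    for name, data in samples.items():
        (tmp / name).write_bytes(plistlib.dumps(data))
    return audit_dir(tmp)
```

Point audit_dir at a real ~/Library/LaunchAgents or /Library/LaunchAgents folder to run it against a host; expect to tune SYSTEM_AGENT_DIRS and the label rule against the local baseline of developer and admin tooling.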

Mitigation priorities

  • Ensure macOS endpoints are included in managed detection, EDR, logging, and incident response playbooks.
  • Harden and monitor Launch Agents, remote services, Keychain access, and application execution trust controls such as Gatekeeper and code signing.
  • Apply least privilege and strong identity controls for users with access to sensitive files or remote services.
  • Restrict unnecessary outbound communications and monitor for suspicious tool transfer and exfiltration paths.
  • Retain sufficient endpoint and network logs to support investigation of file access, staging, deletion, timestomping, and C2 activity.

Analyst notes and limits

ATT&CK describes MacMa as a macOS backdoor observed since November 2021, with shared C2 and unique libraries with MgBot and Nightdoor indicating a relationship with Daggerfly. The most useful defensive value is as a macOS coverage assessment across credential access, collection, persistence, evasion, C2, and exfiltration behaviors.

The supplied ATT&CK object does not include official detection guidance, aliases, labels, or object-level tactics. Conclusions about exposure, active exploitation, successful detection, or attribution require local telemetry and incident evidence beyond the supplied fields.

Official MITRE ATT&CK definition

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

27 rows. Columns: Domain, ID, Name, Relationship / procedure.
Enterprise T1033 System Owner/User Discovery

MacMa can collect the username from the compromised machine. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1082 System Information Discovery

MacMa can collect information about a compromised computer, including the hardware UUID, Mac serial number, and macOS version. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1095 Non-Application Layer Protocol

MacMa has used a custom JSON-based protocol for its C&C communications. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1553.002 Code Signing Sub-technique

MacMa has been delivered using ad hoc Apple Developer code signing certificates. (Citation: SentinelOne Macma 2021)

Enterprise T1113 Screen Capture

MacMa has used Apple's Core Graphics APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows. (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021)

Enterprise T1016 System Network Configuration Discovery

MacMa can collect IP addresses from a compromised host. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1074.001 Local Data Staging Sub-technique

MacMa has stored collected files locally before exfiltration. (Citation: Objective-See MacMa Nov 2021)

Enterprise T1543.001 Launch Agent Sub-technique

MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring that MacMa only runs when a GUI user is logged in. (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021)

Enterprise T1005 Data from Local System

MacMa can collect and then exfiltrate files from the compromised system. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1021 Remote Services

MacMa can manage remote screen sessions. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1106 Native API

MacMa has used macOS API functions to perform tasks. (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021)

Enterprise T1123 Audio Capture

MacMa has the ability to record audio. (Citation: Objective-See MacMa Nov 2021)

Enterprise T1555.001 Keychain Sub-technique

MacMa can dump credentials from the macOS keychain. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1041 Exfiltration Over C2 Channel

MacMa exfiltrates data from a supplied path over its C2 channel. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1057 Process Discovery

MacMa can enumerate running processes. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1070.006 Timestomp Sub-technique

MacMa has the capability to create and modify file timestamps. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1571 Non-Standard Port

MacMa has used TCP port 5633 for C2 communication. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1140 Deobfuscate/Decode Files or Information

MacMa decrypts a downloaded file using AES-128-ECB with a custom delta. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1056.001 Keylogging Sub-technique

MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords. (Citation: Objective-See MacMa Nov 2021) (Citation: SentinelOne MacMa Nov 2021)

Enterprise T1685.006 Clear Linux or Mac System Logs Sub-technique

MacMa can clear possible malware traces such as application logs. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1059.004 Unix Shell Sub-technique

MacMa can execute supplied shell commands and uses bash scripts to perform additional actions. (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021)

Enterprise T1680 Local Storage Discovery

MacMa can collect information about a compromised computer's disk sizes. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1553.001 Gatekeeper Bypass Sub-technique

MacMa has removed the `com.apple.quarantine` attribute from the dropped file, `$TMPDIR/airportpaird`. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1105 Ingress Tool Transfer

MacMa has downloaded additional files, including an exploit used for privilege escalation. (Citation: ESET DazzleSpy Jan 2022) (Citation: Objective-See MacMa Nov 2021)

Enterprise T1573 Encrypted Channel

MacMa has used TLS encryption to initialize a custom protocol for C2 communications. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1083 File and Directory Discovery

MacMa can search for a specific file on the compromised computer and can enumerate files in the Desktop, Downloads, and Documents folders. (Citation: ESET DazzleSpy Jan 2022)

Enterprise T1070.004 File Deletion Sub-technique

MacMa can delete itself from the compromised computer. (Citation: ESET DazzleSpy Jan 2022)

Associated objects

Groups, software, and campaigns

Group Enterprise

G1034: Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 2.1
Created: (not shown)
Modified: (not shown)
Raw hash: 93b0a80527ee110d...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (not shown)
Object version: 2.1
Modified: (not shown)
Status: Current bundle
Raw hash: 93b0a80527ee…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. ESET DazzleSpy Jan 2022: M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  2. Symantec Daggerfly 2024: Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  3. DazzleSpy (Citation: ESET DazzleSpy Jan 2022)
  4. OSX.CDDS (Citation: Objective-See MacMa Nov 2021)
  5. Objective-See MacMa Nov 2021: Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  6. mitre-attack S1016

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.