S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]
Analyst context for executives and security teams
Cuckoo Stealer matters because it targets macOS endpoints with spyware and information-stealing behavior, including relationships to credential access, collection, discovery, persistence, stealth, command-and-control, and exfiltration techniques. For leaders, the key issue is not only malware removal; it is whether Mac fleets have enough visibility to prove what data, credentials, browser information, screenshots, and local files may have been exposed after a trojanized application is run.
Executive priority
Prioritize this as a macOS endpoint, identity, and incident-response readiness concern. The ATT&CK relationships point to Keychain access, GUI input capture, browser information discovery, local staging, and exfiltration over C2 channels, so response decisions may require credential reset scope, user privacy/data exposure review, and evidence collection from Mac hosts. Executives should ask whether managed detection, device management, and logging cover both Intel and Apple Silicon Macs, because the official description identifies Cuckoo Stealer as a universal Mach-O binary spread through trojanized PUP-like applications such as converters, cleaners, and uninstallers.
Technical view
SOC and IR teams should validate macOS telemetry around suspicious application execution, AppleScript and Unix shell activity, launchctl and Launch Agent creation, Gatekeeper bypass indicators, hidden files/directories, local data staging, browser and Keychain access, screenshot behavior, and outbound web or non-application-layer communications. Because ATT&CK provides no official detection text for this malware entry, detections should be built from the related techniques rather than assuming a single malware signature is sufficient. Triage should connect endpoint events to user context, installed software, process discovery, file/directory enumeration, and network egress patterns.
Likely telemetry
- macOS endpoint process execution events, including osascript, shell, launchctl, and newly executed Mach-O binaries
- File creation/modification events for Launch Agents, hidden files/directories, local staging locations, and suspicious application bundles
- Application provenance and security-control evidence related to Gatekeeper, quarantine attributes, code signing, and notarization where available
- Keychain access events or endpoint alerts indicating credential-store interaction
- Browser data access or enumeration evidence where endpoint tooling supports it
Detection direction
- Map detections to the related ATT&CK techniques: T1059.002, T1059.004, T1543.001, T1569.001, T1553.001, T1555.001, T1056.002, T1113, T1074.001, T1041, T1071.001, and T1095.
- Tune for chains of behavior rather than isolated events: a trojanized utility launching scripts, creating persistence, enumerating user/system/browser data, staging files, and making outbound connections is more meaningful than any single discovery command.
- Account for false positives from legitimate Mac administration, software management, backup, accessibility, and security tools that may use launch agents, shell commands, AppleScript, or browser inventory.
- Validate Apple Silicon and Intel Mac visibility, because the official description states the malware is a universal Mach-O binary.
- Treat absence of official ATT&CK detection guidance as a coverage gap requiring local baselining, endpoint telemetry review, and testing against benign simulations of the related behaviors.
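One way to implement the chain-of-behavior tuning described above, as an added example that is not part of the ATT&CK object or Glexia's tooling: command lines are mapped to technique IDs from this page's technique table, and a process lineage is flagged only when several distinct techniques appear within a short window. The event fields (`ts`, `user`, `root`, `cmd`), the thresholds, and the sample events are assumed or constructed.

```python
"""Chain-of-behavior detection for the Cuckoo Stealer techniques in this page's table.
Sample events below are constructed, not real telemetry; field names are assumed."""
import re
from collections import defaultdict

# Command-line patterns mapped to ATT&CK technique IDs from the technique table.
RULES = [
    (re.compile(r"\bxattr\b.*-d\b.*com\.apple\.quarantine"), "T1553.001"),  # Gatekeeper bypass
    (re.compile(r"\blaunchctl\b\s+load\b"),                  "T1569.001"),  # Launchctl
    (re.compile(r"\bosascript\b"),                           "T1059.002"),  # AppleScript
    (re.compile(r"\bscreencapture\b"),                       "T1113"),      # Screen capture
    (re.compile(r"\bps\s+aux\b"),                            "T1057"),      # Process discovery
    (re.compile(r"\b(bash|sh|zsh)\b\s+-c\b"),                "T1059.004"),  # Unix shell
]

def classify(cmdline):
    """Return the set of technique IDs whose pattern matches one command line."""
    return {tid for pat, tid in RULES if pat.search(cmdline)}

def find_chains(events, min_techniques=3, window=300):
    """Group events by (user, root application) and flag lineages that show at
    least `min_techniques` distinct techniques within `window` seconds.
    Each event: {"ts": int, "user": str, "root": str, "cmd": str}; `root` is the
    top-level application that spawned the process (an assumed telemetry field)."""
    by_lineage = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid in classify(ev["cmd"]):
            by_lineage[(ev["user"], ev["root"])].append((ev["ts"], tid))
    hits = {}
    for key, seen in by_lineage.items():
        for i, (t0, _) in enumerate(seen):          # slide the window over each start
            techs = {tid for ts, tid in seen[i:] if ts - t0 <= window}
            if len(techs) >= min_techniques:
                hits[key] = sorted(techs)
                break
    return hits

# Constructed sample: a trojanized converter (hypothetical name) versus an admin's Terminal use.
SAMPLE = [
    {"ts": 100, "user": "alice", "root": "FakeConverter.app", "cmd": "xattr -d com.apple.quarantine /Users/alice/.hidden/bin"},
    {"ts": 104, "user": "alice", "root": "FakeConverter.app", "cmd": "osascript -e 'display dialog \"macOS needs to access System Settings\"'"},
    {"ts": 110, "user": "alice", "root": "FakeConverter.app", "cmd": "ps aux"},
    {"ts": 131, "user": "alice", "root": "FakeConverter.app", "cmd": "launchctl load /Users/alice/Library/LaunchAgents/com.example.plist"},
    {"ts": 900, "user": "bob", "root": "Terminal.app", "cmd": "launchctl load ~/Library/LaunchAgents/homebrew.mxcl.redis.plist"},
]
```

Only the lineage that combines quarantine removal, an AppleScript prompt, process discovery and Launch Agent loading is reported; the single `launchctl load` from an administrator's Terminal is not.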
Mitigation priorities
- Reduce exposure to trojanized PUP-style applications through approved software sources, application control, user education, and Mac device management policy.
- Harden macOS execution and persistence paths by monitoring or controlling Launch Agents, launchctl use, hidden file creation, and Gatekeeper bypass-relevant attributes.
- Protect identity material by prioritizing Keychain access visibility, credential reset playbooks, and least-privilege practices for affected Mac users.
- Ensure endpoint and network controls can retain evidence needed for incident scoping: process lineage, file events, application metadata, user context, and outbound connection history.
- Prepare IR runbooks that include macOS collection, credential exposure assessment, browser-data exposure review, and exfiltration triage.
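A triage helper for the Launch Agent monitoring listed above, as an added example that is not part of the ATT&CK object or any vendor tooling: it parses user Launch Agent plists and flags the traits this page associates with Cuckoo Stealer persistence (a program in a hidden folder under `/Users`, a program in a temporary staging location, and an agent set to run at load and repeat). The heuristics, labels and sample plists are constructed for illustration; `/var/folders` is macOS's per-user temporary location.

```python
"""Triage of user Launch Agent plists for the persistence pattern this page lists
(T1543.001 / T1647). Sample plists are constructed in a temp dir; paths are illustrative."""
import os
import plistlib
import tempfile

# Temp/staging locations on macOS (per-user temp lives under /var/folders); assumed list.
STAGING_PREFIXES = ("/var/folders/", "/private/var/folders/", "/tmp/", "/private/tmp/")

def program_path(plist):
    """Executable the agent runs: ProgramArguments[0], else Program."""
    args = plist.get("ProgramArguments")
    return args[0] if args else plist.get("Program", "")

def assess_agent(plist):
    """Heuristic reasons an agent resembles stealer-style persistence; [] if none."""
    reasons, path = [], program_path(plist)
    dirs = path.split("/")[2:-1]  # directory components after /Users, excluding the file itself
    if path.startswith("/Users/") and any(d.startswith(".") for d in dirs):
        reasons.append("hidden_dir_under_users")      # page: hidden folder in /Users (T1564.001)
    if path.startswith(STAGING_PREFIXES):
        reasons.append("program_in_temp_staging")     # page: local staging (T1074.001)
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or "StartInterval" in plist):
        reasons.append("runs_at_load_and_repeats")    # page: repeatedly execute payload (T1543.001)
    return reasons

def scan_launch_agents(directory):
    """Parse each .plist in `directory`; return {label: reasons} for flagged agents only."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                plist = plistlib.load(fh)
            reasons = assess_agent(plist)
            if reasons:
                findings[plist.get("Label", name)] = reasons
    return findings

def build_sample_dir():
    """Write two constructed agents: a benign app updater and a stealer-like one."""
    d = tempfile.mkdtemp()
    agents = [
        {"Label": "com.example.updater", "RunAtLoad": True,
         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        {"Label": "com.example.hidden", "RunAtLoad": True, "KeepAlive": True,
         "ProgramArguments": ["/Users/alice/.cache/DumpMediaSpotifyMusicConverter"]},
    ]
    for p in agents:
        with open(os.path.join(d, p["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(p, fh)
    return d
```

On a real host, point `scan_launch_agents` at each user's `~/Library/LaunchAgents` and review flagged labels against the software inventory before acting, since legitimate tools also use `RunAtLoad` and `KeepAlive`.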
Analyst notes and limits
The supplied ATT&CK object identifies Cuckoo Stealer as macOS malware with spyware and infostealer characteristics in use since at least 2024, distributed through trojanized versions of PUP-like applications. The most decision-useful context comes from the object’s technique relationships, which show a broad chain across execution, stealth, discovery, credential access, collection, persistence, C2, and exfiltration.
ATT&CK does not provide official detection guidance, aliases, or explicit tactics on the malware object itself. This take does not assert active exploitation, attribution, prevalence, specific indicators, or guaranteed detection. Local telemetry, affected application details, endpoint tooling capability, and environment baselines are required to determine exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Cuckoo Stealer strings are XOR-encrypted.[1][2] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the `/Users` directory.[1][2] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | Cuckoo Stealer can check the system's `LANG` environment variable to prevent infecting devices from Armenia (`hy_AM`), Belarus (`be_BY`), Kazakhstan (`kk_KZ`), Russia (`ru_RU`), and Ukraine (`uk_UA`).[1] |
| Enterprise | T1033 | System Owner/User Discovery | Cuckoo Stealer can discover and send the username from a compromised host to C2.[1] |
| Enterprise | T1614 | System Location Discovery | Cuckoo Stealer can determine the geographical location of a victim host by checking the language.[1] |
| Enterprise | T1569.001 | Launchctl Sub-technique | Cuckoo Stealer can use `launchctl` to load a LaunchAgent for persistence.[1] |
| Enterprise | T1518 | Software Discovery | Cuckoo Stealer has the ability to search systems for installed applications.[1] |
| Enterprise | T1647 | Plist File Modification | Cuckoo Stealer can create and populate property list (plist) files to enable execution.[1][2] |
| Enterprise | T1113 | Screen Capture | Cuckoo Stealer can run `screencapture` to collect screenshots from compromised hosts.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.[1] |
| Enterprise | T1057 | Process Discovery | Cuckoo Stealer can use `ps aux` to enumerate running processes.[1] |
| Enterprise | T1083 | File and Directory Discovery | Cuckoo Stealer can search for files associated with specific applications.[1][2] |
| Enterprise | T1027.008 | Stripped Payloads Sub-technique | Cuckoo Stealer is a stripped binary payload.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cuckoo Stealer strings are deobfuscated prior to execution.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Cuckoo Stealer can send information about the targeted system to C2, including captured passwords, OS build, hostname, and username.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[1][2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Cuckoo Stealer can use the curl API for C2 communications.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Cuckoo Stealer can spawn a bash shell to enable execution on compromised hosts.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Cuckoo Stealer can use sockets for communications to its C2 server.[1] |
| Enterprise | T1553.001 | Gatekeeper Bypass Sub-technique | Cuckoo Stealer can use `xattr -d com.apple.quarantine` to remove the quarantine flag attribute.[1][2] |
| Enterprise | T1543.001 | Launch Agent Sub-technique | Cuckoo Stealer can achieve persistence by creating launch agents to repeatedly execute malicious payloads.[1][2] |
| Enterprise | T1059.002 | AppleScript Sub-technique | Cuckoo Stealer can use osascript to generate a password-stealing prompt, duplicate files and folders, and set environment variables.[1][2] |
| Enterprise | T1555.001 | Keychain Sub-technique | Cuckoo Stealer can capture files from a targeted user's keychain directory.[1] |
| Enterprise | T1082 | System Information Discovery | Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.[1][2] |
| Enterprise | T1056.002 | GUI Input Capture Sub-technique | Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window.[1] |
| Enterprise | T1217 | Browser Information Discovery | Cuckoo Stealer can collect bookmarks, cookies, and history from Safari.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5538b763107b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kandji Cuckoo April 2024: Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
[2] SentinelOne Cuckoo Stealer May 2024: Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
[3] mitre-attack S1153
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.