S1016: MacMa

MacMa matters because it represents a macOS backdoor with broad post-compromise capability: file control and exfiltration, discovery, keylogging, screen/audio capture, persistence, and C2 activity. For leaders, the practical issue is whether macOS endpoints are monitored and governed with the same rigor as Windows systems, especially where executives, developers, administrators, journalists, NGO/government users, or telecom-related staff handle sensitive data.

Executive priority

Prioritize MacMa as a validation case for macOS security readiness rather than as a standalone malware name. ATT&CK links it to Daggerfly and to behaviors that affect confidentiality, credential exposure, persistence, and data loss. Executives should ask whether macOS telemetry supports incident reconstruction, whether Keychain and remote service misuse are monitored, whether C2/exfiltration paths are visible, and whether endpoint controls provide audit-ready evidence for regulated or high-sensitivity users.

Technical view

MacMa is documented for macOS and is related to techniques across discovery, collection, credential access, execution, persistence, defense evasion/impairment, command and control, lateral movement, and exfiltration. SOC and IR teams should validate coverage for Launch Agents, Gatekeeper and code-signing anomalies, Keychain access, shell execution, file and directory enumeration, process/user/system/network discovery, local data staging, file deletion, timestomping, tool transfer, non-application-layer C2, and exfiltration over C2. No official ATT&CK detection guidance is provided for this software object, so detections should be built from the related technique behaviors and local macOS baselines.

Likely telemetry

macOS endpoint process execution and command-line telemetry
Launch Agent plist creation or modification events
File system telemetry for staging, deletion, timestamp changes, and unusual access to sensitive user files
Keychain access events where available
Network telemetry for outbound C2-like connections and non-application-layer protocol use

Detection direction

Map detections to the related ATT&CK techniques instead of relying on a MacMa-specific signature, because the object provides no official detection text.
Baseline normal macOS Launch Agent creation, shell usage, Keychain access, and developer/admin tooling to reduce false positives.
Correlate discovery commands, file staging, screen/audio capture indicators, and outbound network activity into post-compromise behavior chains.
Review visibility gaps around macOS privacy permissions, Gatekeeper/quarantine metadata, and code-signing trust decisions.
Tune network monitoring for unusual outbound protocols or C2/exfiltration patterns, while recognizing that protocol-level evidence alone may be noisy.

Mitigation priorities

Ensure macOS endpoints are included in managed detection, EDR, logging, and incident response playbooks.
Harden and monitor Launch Agents, remote services, Keychain access, and application execution trust controls such as Gatekeeper and code signing.
Apply least privilege and strong identity controls for users with access to sensitive files or remote services.
Restrict unnecessary outbound communications and monitor for suspicious tool transfer and exfiltration paths.
Retain sufficient endpoint and network logs to support investigation of file access, staging, deletion, timestomping, and C2 activity.

Analyst notes and limits

ATT&CK describes MacMa as a macOS backdoor observed since November 2021, with shared C2 and unique libraries with MgBot and Nightdoor indicating a relationship with Daggerfly. The most useful defensive value is as a macOS coverage assessment across credential access, collection, persistence, evasion, C2, and exfiltration behaviors.

The supplied ATT&CK object does not include official detection guidance, aliases, labels, or object-level tactics. Conclusions about exposure, active exploitation, successful detection, or attribution require local telemetry and incident evidence beyond the supplied fields.

Official MITRE ATT&CK definition

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 27 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1033	System Owner/User Discovery	MacMa can collect the username from the compromised machine.[1]
Enterprise	T1082	System Information Discovery	MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, and macOS version.[1]
Enterprise	T1095	Non-Application Layer Protocol	MacMa has used a custom JSON-based protocol for its C&C communications.[1]
Enterprise	T1553.002	Code Signing Sub-technique	MacMa has been delivered using ad hoc Apple Developer code signing certificates.CitationSentinelOne Macma 2021
Enterprise	T1113	Screen Capture	MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows.[1][3]
Enterprise	T1016	System Network Configuration Discovery	MacMa can collect IP addresses from a compromised host.[1]
Enterprise	T1074.001	Local Data Staging Sub-technique	MacMa has stored collected files locally before exfiltration.[3]
Enterprise	T1543.001	Launch Agent Sub-technique	MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.[1][3]
Enterprise	T1005	Data from Local System	MacMa can collect then exfiltrate files from the compromised system.[1]
Enterprise	T1021	Remote Services	MacMa can manage remote screen sessions.[1]
Enterprise	T1106	Native API	MacMa has used macOS API functions to perform tasks.[1][3]
Enterprise	T1123	Audio Capture	MacMa has the ability to record audio.[3]
Enterprise	T1555.001	Keychain Sub-technique	MacMa can dump credentials from the macOS keychain.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	MacMa exfiltrates data from a supplied path over its C2 channel.[1]
Enterprise	T1057	Process Discovery	MacMa can enumerate running processes.[1]
Enterprise	T1070.006	Timestomp Sub-technique	MacMa has the capability to create and modify file timestamps.[1]
Enterprise	T1571	Non-Standard Port	MacMa has used TCP port 5633 for C2 Communication.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.[1]
Enterprise	T1056.001	Keylogging Sub-technique	MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.[3]CitationSentinelOne MacMa Nov 2021
Enterprise	T1685.006	Clear Linux or Mac System Logs Sub-technique	MacMa can clear possible malware traces such as application logs.[1]
Enterprise	T1059.004	Unix Shell Sub-technique	MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.[1][3]
Enterprise	T1680	Local Storage Discovery	MacMa can collect information about a compromised computer's disk sizes.[1]
Enterprise	T1553.001	Gatekeeper Bypass Sub-technique	MacMa has removed the `com.apple.quarantineattribute` from the dropped file, `$TMPDIR/airportpaird`.[1]
Enterprise	T1105	Ingress Tool Transfer	MacMa has downloaded additional files, including an exploit for used privilege escalation.[1][3]
Enterprise	T1573	Encrypted Channel	MacMa has used TLS encryption to initialize a custom protocol for C2 communications.[1]
Enterprise	T1083	File and Directory Discovery	MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.[1]
Enterprise	T1070.004	File Deletion Sub-technique	MacMa can delete itself from the compromised computer.[1]

Associated objects

Groups, software, and campaigns

G1034: Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.1
Created: May 6, 2022, 01:29 UTC (UTC+00:00)
Modified: Oct 21, 2025, 03:17 UTC (UTC+00:00)
Raw hash: 93b0a80527ee110d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.1	Oct 21, 2025, 03:17 UTC (UTC+00:00)	Current bundle	`93b0a80527ee…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
ESET DazzleSpy Jan 2022

M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
Open source URL
[2]
Symantec Daggerfly 2024

Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
Open source URL
[3]
Objective-See MacMa Nov 2021

Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
Open source URL
[4]
DazzleSpy

(Citation: ESET DazzleSpy Jan 2022)
[5]
OSX.CDDS

(Citation: Objective-See MacMa Nov 2021)
[6]
mitre-attack S1016
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams