Cyberwire Daily
News

MacOS Native Tools Enable Stealthy Enterprise Attacks

By Team-CWD, April 22, 2026, 3 mins read
A growing range of native macOS features is being repurposed by attackers to execute code, move laterally and evade detection, according to new research examining “living-off-the-land” (LOTL) techniques on Apple systems.

The Cisco Talos threat research, published on 21 April, shows that built-in tools such as Remote Application Scripting (RAS) and Spotlight metadata can be abused to bypass traditional security controls.

More than 45% of organizations now use macOS in enterprise environments, which means the platform has become a high-value target. Macs are widely used by developers and DevOps professionals, often holding sensitive credentials, cloud access and source code.

Despite this shift, macOS-focused attack techniques remain less documented than those targeting Windows. The research identifies gaps in both visibility and detection, particularly where attackers rely on legitimate system binaries and protocols instead of malware.

Native Features Repurposed For Execution

RAS, originally designed for administrative automation, can be weaponized to execute commands on remote systems, Cisco Talos explained. By leveraging Apple’s inter-process communication (IPC) framework, attackers can issue instructions without triggering conventional shell-based monitoring.

In some cases, adversaries bypass built-in restrictions by using Terminal as a proxy for execution, encoding payloads in Base64 and deploying them in stages. This allows complex scripts to run while avoiding detection tied to standard command-line activity.

Other techniques extend beyond RAS. AppleScript can be executed over SSH to interact with the graphical user interface, while tools like socat enable remote shells without relying on SSH logging or authentication trails.


Security teams face additional challenges due to limited visibility into these behaviors. Actions performed through Apple Events or inter-process communication often fall outside traditional endpoint detection rules.

Covert Data Movement and Persistence

The attackers also use unconventional methods to transfer and store payloads. One approach involves embedding malicious code in Finder comments, which are stored as Spotlight metadata rather than in file contents.

This technique allows payloads to evade static analysis tools that scan files for malicious code. The data can later be extracted, decoded and executed with a single command.
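Because a Finder comment lives in the com.apple.metadata:kMDItemFinderComment extended attribute (a binary plist wrapping one string) rather than in the file body, a file scanner never sees it. The following Python is an added example, not code from the article or from Cisco Talos: it decodes that attribute the way Finder stores it and flags comments that are long, contain no word spaces and decode cleanly as Base64, which is the signature of data stashed in metadata rather than a human note. The three sample comments are constructed for the example; the read_finder_comment helper shells out to the macOS xattr(1) tool and is the only part that is platform-specific.

```python
import base64
import plistlib
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Name of the extended attribute Finder writes when a user sets a comment.
FINDER_COMMENT_XATTR = "com.apple.metadata:kMDItemFinderComment"

# Anything shorter than this is treated as an ordinary human note.
MIN_SUSPECT_LEN = 64
BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=\n]+$")


@dataclass(frozen=True)
class CommentFinding:
    suspicious: bool
    reason: str
    comment: str


def encode_finder_comment(comment: str) -> bytes:
    """Build the attribute bytes exactly as Finder stores them (binary plist of a string).
    Used here only to construct sample inputs."""
    return plistlib.dumps(comment, fmt=plistlib.FMT_BINARY)


def decode_finder_comment(raw: bytes) -> str:
    """Unwrap the binary plist and return the comment text."""
    value = plistlib.loads(raw)
    if not isinstance(value, str):
        raise ValueError("Finder comment attribute did not contain a string")
    return value


def assess_comment(comment: str) -> CommentFinding:
    """Heuristic: a long, space-free, Base64-alphabet comment that decodes
    without error is data hidden in metadata, not a note a person typed."""
    text = comment.strip()
    if len(text) < MIN_SUSPECT_LEN:
        return CommentFinding(False, "short comment", comment)
    compact = text.replace("\n", "")
    if " " in compact:
        return CommentFinding(False, "contains word spaces", comment)
    if not BASE64_ALPHABET.match(text):
        return CommentFinding(False, "characters outside the Base64 alphabet", comment)
    try:
        decoded = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return CommentFinding(False, "does not decode as Base64", comment)
    return CommentFinding(
        True,
        f"{len(compact)}-char Base64 comment decoding to {len(decoded)} bytes",
        comment,
    )


def read_finder_comment(path: str) -> Optional[str]:
    """macOS only (assumption: xattr(1) with -p -x for hex output is available).
    Returns None when the file carries no Finder comment."""
    proc = subprocess.run(
        ["xattr", "-p", "-x", FINDER_COMMENT_XATTR, path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    raw = bytes.fromhex(proc.stdout.replace(" ", "").replace("\n", ""))
    return decode_finder_comment(raw)


# Constructed sample comments: two ordinary notes and one Base64 blob standing in
# for hidden content (the blob encodes a harmless marker string, nothing else).
SAMPLE_COMMENTS: Dict[str, str] = {
    "benign_short": "Quarterly report draft, reviewed by finance on 2026-04-20",
    "benign_long": "Shared with the design team for review before the Thursday sync "
                   "see the attached notes for background",
    "encoded": base64.b64encode(
        b"CONSTRUCTED SAMPLE: harmless marker text standing in for content "
        b"hidden in a Finder comment"
    ).decode(),
}


def scan_samples() -> Dict[str, CommentFinding]:
    """Round-trip each sample through the on-disk encoding, then assess it."""
    results = {}
    for name, comment in SAMPLE_COMMENTS.items():
        raw = encode_finder_comment(comment)
        results[name] = assess_comment(decode_finder_comment(raw))
    return results


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:13} suspicious={finding.suspicious}  ({finding.reason})")
```

On a real host the scan would call read_finder_comment on files under paths worth watching (user home directories, shared mounts) and feed the result to assess_comment; a Base64 hit is a reason to pull the file and the process that last wrote the attribute, not proof of compromise on its own.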

The research also highlights multiple native protocols that can be used for lateral movement and file transfer:

  • Server Message Block (SMB) for mounting remote shares

  • Netcat for direct command execution and file delivery

  • Git repositories for pushing payloads to target systems

  • Trivial File Transfer Protocol (TFTP) and Simple Network Management Protocol (SNMP) for covert data exchange

Because these methods rely on legitimate services, they often bypass network monitoring focused on SSH or known malicious traffic patterns.

Defensive recommendations include shifting detection strategies toward process lineage analysis, monitoring unusual metadata activity and restricting administrative services through mobile device management (MDM) policies.
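Process lineage analysis means judging a process by its ancestry rather than by its name alone: osascript is unremarkable, osascript whose ancestors include sshd is not. The following Python is an added example, not part of the article or of Cisco Talos's research. It builds parent chains from a process table and applies three lineage rules drawn from the behaviours described above: the AppleScript interpreter running inside an SSH session, a shell decoding Base64 into another interpreter, and a shell whose direct parent is a raw socket relay such as socat or nc. The process table is constructed for the example (pids, names and command lines are invented), and the rule names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str      # executable name as a process monitor would report it
    cmdline: str   # full command line, whitespace-separated as in `ps -o command`


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    lineage: str   # e.g. "launchd > sshd > zsh > osascript", root first


SHELLS = {"sh", "bash", "zsh"}
REMOTE_ACCESS = {"sshd"}
SOCKET_RELAYS = {"socat", "nc"}
DECODE_FLAGS = {"-d", "-D", "--decode"}


def ancestors(table: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk ppid links upward; returns the chain root-first, including pid itself.
    The `seen` set guards against malformed tables with ppid cycles."""
    chain: List[Proc] = []
    seen = set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = table.get(cur.ppid)
    return list(reversed(chain))


def lineage_str(chain: List[Proc]) -> str:
    return " > ".join(p.name for p in chain)


def evaluate_process(table: Dict[int, Proc], proc: Proc) -> Optional[Finding]:
    chain = ancestors(table, proc.pid)
    parents = chain[:-1]
    parent_names = {p.name for p in parents}
    tokens = proc.cmdline.split()

    # Rule 1: AppleScript interpreter anywhere beneath an SSH session.
    if proc.name == "osascript" and parent_names & REMOTE_ACCESS:
        return Finding(proc.pid, "osascript-under-ssh", lineage_str(chain))

    # Rule 2: shell that decodes Base64 and pipes the result onward. The pipe
    # requirement keeps ordinary `base64 -D file` use by developers out of the alert.
    if (proc.name in SHELLS and "base64" in tokens
            and DECODE_FLAGS & set(tokens) and "|" in tokens):
        return Finding(proc.pid, "base64-staged-execution", lineage_str(chain))

    # Rule 3: shell whose immediate parent is a socket relay (no SSH log trail).
    if proc.name in SHELLS and parents and parents[-1].name in SOCKET_RELAYS:
        return Finding(proc.pid, "shell-spawned-by-socket-relay", lineage_str(chain))

    return None


def evaluate(procs: List[Proc]) -> List[Finding]:
    table = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        f = evaluate_process(table, p)
        if f is not None:
            findings.append(f)
    return findings


# Constructed process table: one SSH session running osascript, one Terminal
# session staging Base64 into a shell, one socat-spawned shell, and benign noise.
SAMPLE_PROCS: List[Proc] = [
    Proc(1, 0, "launchd", "/sbin/launchd"),
    Proc(200, 1, "sshd", "/usr/sbin/sshd"),
    Proc(210, 200, "sshd", "sshd: alice [priv]"),
    Proc(215, 210, "zsh", "-zsh"),
    Proc(220, 215, "osascript", "osascript -e [constructed]"),
    Proc(300, 1, "Terminal", "/System/Applications/Utilities/Terminal.app"),
    Proc(310, 300, "zsh", "-zsh"),
    Proc(320, 310, "sh", "sh -c base64 -D /tmp/stage1.txt | sh"),
    Proc(400, 1, "socat", "socat [constructed]"),
    Proc(410, 400, "sh", "/bin/sh"),
    Proc(500, 1, "Finder", "/System/Library/CoreServices/Finder.app"),
    Proc(510, 500, "TextEdit", "/System/Applications/TextEdit.app"),
    Proc(520, 310, "bash", "bash -c base64 -D notes.b64"),  # decode without a pipe: not flagged
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_PROCS):
        print(f"pid {f.pid:4}  {f.rule:32}  {f.lineage}")
```

The same rules port directly to an EDR query language once process start events carry parent pids; what changes between tools is only how the chain is reconstructed, not what is asked of it.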

Disabling unnecessary services and enforcing stricter controls over inter-application communication can also reduce exposure.
