Macs under threat from CloudMensis spyware — what to do now


Lockdown Mode for Apple can’t arrive fast enough.

(Image credit: Shutterstock)

A previously unidentified backdoor in macOS has been found and is presently being used in the field to spy on Mac users.

The new virus was first identified by experts at the cybersecurity company ESET and has been given the name CloudMensis. According to ESET, CloudMensis can exfiltrate documents and keystrokes, list email messages and attachments, list items from removable storage, and record screenshots, proving that its designers intended it to collect information from victims’ Macs.


Although CloudMensis poses a danger to Mac users, its very restricted dissemination raises the possibility that it is intended to be utilized as a part of a deliberate operation. According to what the experts at ESET have so far seen, the virus is used by the hackers to target certain people who are of interest to them.

In a press release(opens in new tab), ESET researcher Marc-Etienne Léveillé offered further details on his examination of CloudMensis, stating:

“We still don’t know who the targets are or how CloudMensis is originally delivered. The writers may not be extremely experienced in Mac programming as seen by the generally high quality of the code and lack of obfuscation. However, a lot of effort went into making CloudMensis an effective eavesdropping device and a threat to prospective targets.


Using cloud storage services to acquire information

The way CloudMensis makes use of cloud storage facilities to expand its capabilities is one feature that sets it unique from other malware families.

According to ESET, once code execution and administrator rights have been obtained on a compromised Mac, the malware executes a first-stage infection that requests a second stage with more features from a cloud storage provider.

The second step is a considerably bigger part with many of tools to gather data from the hacked Mac. Although there are presently 39 commands accessible, the second stage of CloudMensis is designed to exfiltrate documents, screenshots, email attachments, and other data from victims.


CloudMensis employs cloud storage to exfiltrate data as well as to accept instructions from its operators. pCloud, Yandex Disk, and Dropbox are the three distinct providers that are now supported.

It seems that the operation started sending orders to bots from the start of February of this year, according to information from cloud storage providers utilized with the virus.

Lockdown Mode to the rescue but not just yet

When iOS 16, iPadOS 16, and macOS Ventura are released this autumn, Apple’s new Lockdown Mode for iPhones, iPads, and Macs will assist users of the company’s devices from being infected with malware.


By limiting many of the capabilities typically utilized by hackers to acquire code execution and install malware, Lockdown Mode is able to stop these kinds of infestations.

The best thing you can do right now to defend yourself against it is to make sure your Mac and other Apple devices are running the most recent software, since neither zero days nor undisclosed vulnerabilities were discovered to have been used by the people behind CloudMensis in ESET’s study.


Leave a Comment