CyberWire Daily – Research Saturday
Episode: When macOS gets frostbite.
Published: December 6, 2025
Host: Dave Bittner (N2K Networks)
Guest: Jaron Bradley (Director, JAMF Threat Labs)
Episode Overview
This week’s Research Saturday episode dissects a rare and sophisticated macOS backdoor malware dubbed Chilly Hell. Host Dave Bittner is joined by JAMF Threat Labs director Jaron Bradley, whose team uncovered and analyzed the malware. The conversation dives into how Chilly Hell operates, its unique code-signing and Apple notarization, stealth and anti-forensics measures, modular architecture, and the wider implications for macOS security. The episode closes with vital advice for security teams and users as threats shift towards Apple devices.
Key Discussion Points and Insights
Discovery and Context ([01:59]–[04:18])
- Chilly Hell was first noticed by JAMF during live threat hunting through its unusual process collection and shell-out activity.
“We sort of said, hey, like there's a lot going on with this executable than just collecting processes, right? It's doing some really interesting stuff.” (Jaron Bradley, [01:59])
- The sample was linked to a prior private Mandiant report, and JAMF obtained permission to share further details publicly ([02:37]).
What is Chilly Hell and its Purpose? ([03:11]–[04:18])
- Chilly Hell is a multi-platform, C-based backdoor designed for covert remote access:
- Focus of JAMF research was the macOS variant.
- Notable for “obvious” backdoor code and taunting internal strings:
“There's strings inside of the executable that just say ‘welcome to chilly hell’ in caps and exclamations, you know... it's just kind of interesting right off the bat.” (Jaron Bradley, [03:16])
- The malware connects covertly to its operators and was built with a clear, deliberate approach to hiding its presence on the host.
Infection Vector and Spread ([04:26]–[05:24])
- Chilly Hell appears targeted rather than widespread:
- Discovered in VirusTotal.
- Exact victims remain unknown but believed to be selective, possibly for cybercrime or focused espionage.
- Notably, the malware dates back to at least 2021, raising the question of how it evaded detection for so long.
Apple Developer Signing and Notarization Bypass ([05:24]–[09:43])
- Chilly Hell was both developer-signed and Apple-notarized—a rare feat for Mac malware:
- “...even more rare, this one was submitted to Apple and it passed that notarization check.” (Jaron Bradley, [07:47])
- Notarization is Apple’s automated malware scan of developer-signed software, run when the developer submits a build before distribution; Gatekeeper then looks for the resulting notarization ticket when the software first runs.
- Because it was signed and notarized, the malware passed Gatekeeper on Macs without being blocked:
- “It’s just a bit surprising to still find this kind of completely unmarked in VirusTotal, completely signed and notarized...” ([08:37])
- Significance:
- The process is meant to protect users, and Apple can rapidly revoke a notarization ticket or a developer certificate, instantly neutering the malware; Chilly Hell shows that determined actors can still slip through.
“When something does slip through like this, even analysts might be more likely to kind of dismiss it, saying, ah, well, that's signed and notarized, right? That doesn't look like malware.” (Jaron Bradley, [09:43])
Malware Stealth and Anti-Forensics ([11:34]–[16:31])
- Host profiling and file-name masquerading:
- Blends into the system with benign-looking file names (e.g., com.apple.*), which are common on macOS ([11:43]).
- Time stomping (anti-forensic tactic):
- Alters file timestamps to match those of legitimate services, so the backdoor’s files don’t stand out in a timeline during analysis:
“You're adjusting the metadata timestamps of files to try and make it... jump out less for forensic analysis and incident response.” (Jaron Bradley, [13:56])
- Sophisticated process execution:
- Performs anti-detection tricks, such as minimizing telltale shell commands and randomizing the timing of its behavior to defeat detections that key on regular beaconing ([15:31]).
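The two host-level tells described in this section, an Apple-looking name in a non-Apple location and timestamps that have been rewritten, can be triaged together. The following is an added example written for this summary; it is not Jamf’s tooling and not the malware’s code. The persistence records are constructed (paths, labels and epoch times are placeholders), and `stat_item()` shows how the same records would be built from a live filesystem.

```python
"""Triage macOS persistence items for Apple-name masquerading and time stomping.

Added example (not Jamf's tooling, not the malware's code). The SAMPLE records
are constructed; in production build them with stat_item() over the plists in
LaunchAgents/LaunchDaemons folders and the executables they launch.
"""
import os
from dataclasses import dataclass

# Apple's own launchd items and helpers live on the sealed system volume.
APPLE_OWNED = ("/System/Library/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
DAY = 24 * 3600


@dataclass
class Item:
    path: str     # plist or executable path
    label: str    # launchd Label (or bundle identifier)
    mtime: float  # settable from userland via utimes(2) / touch -t
    btime: float  # settable on macOS via setattrlist(2) (e.g. SetFile -d)
    ctime: float  # inode change time: kernel-set, reset to "now" on any change


def stat_item(path, label):
    """Build an Item from the filesystem (st_birthtime exists on macOS only)."""
    st = os.stat(path)
    return Item(path, label, st.st_mtime,
                getattr(st, "st_birthtime", st.st_ctime), st.st_ctime)


def masquerades_as_apple(item):
    """A com.apple.* label outside Apple-owned locations is a third-party or
    user LaunchAgent/LaunchDaemon wearing Apple's name."""
    return item.label.startswith("com.apple.") and not item.path.startswith(APPLE_OWNED)


def timestomped(item, threshold=DAY):
    """Backdating with utimes() leaves mtime far behind ctime, because the
    kernel stamps ctime with the wall clock at the moment of the change and
    userland cannot override it. Archive extraction (tar, pkg) leaves the same
    footprint, so on its own this is a weak signal: score it together with
    location and label rather than alerting on it alone."""
    return item.ctime - item.mtime > threshold


def triage(items):
    """Return {path: [findings]} for every item with at least one finding."""
    findings = {}
    for it in items:
        hits = []
        if masquerades_as_apple(it):
            hits.append("apple-name masquerade outside Apple-owned paths")
        if timestomped(it):
            hits.append("mtime backdated %.0f days behind ctime" % ((it.ctime - it.mtime) / DAY))
        if hits:
            findings[it.path] = hits
    return findings


# Constructed records (epoch seconds); NOW is fixed so the example is reproducible.
NOW = 1_764_000_000.0          # late 2025
INSTALL = NOW - 400 * DAY      # OS install about 13 months ago
OLD = NOW - 1500 * DAY         # a 2021 date, the kind of value an attacker backdates to

SAMPLE = [
    # Genuine Apple daemon: label and path agree, timestamps agree.
    Item("/System/Library/LaunchDaemons/com.apple.syslogd.plist",
         "com.apple.syslogd", INSTALL, INSTALL, INSTALL),
    # Legitimate third-party agent: non-Apple label, consistent timestamps.
    Item("/Library/LaunchAgents/com.example.updater.plist",
         "com.example.updater", NOW - 30 * DAY, NOW - 30 * DAY, NOW - 30 * DAY),
    # Suspicious (constructed label): Apple-looking name in a user LaunchAgents
    # folder, mtime and btime backdated to 2021, but ctime shows the plist was
    # actually written an hour ago.
    Item("/Users/alice/Library/LaunchAgents/com.apple.updateagent.plist",
         "com.apple.updateagent", OLD, OLD, NOW - 3600),
]
```

Run `triage(SAMPLE)` and only the user-folder item comes back, with both findings. The ctime comparison is the durable part of the check: an attacker can rewrite mtime and, on macOS, even the birth time, but every such rewrite bumps ctime to the current clock.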
Command and Control (C2) & Modularity ([15:23]–[19:34])
- C2 mechanics:
- Operates as a daemon loop: checks in for tasks, then sleeps for a random interval (60–120 seconds) so that its beaconing has no fixed period for detection logic to latch onto ([15:31]).
- Modular architecture:
- Chilly Hell is expandable and includes modules such as:
- Remote shell access via a pseudo-terminal (a sign of a developer deeply familiar with Unix/macOS internals),
- Password cracker (though resource-intensive and “noisy”),
- Potential for more modules in future iterations.
“The modular design and basically kind of making the malware expandable should the developer want to, is certainly something that we take interest in.” (Jaron Bradley, [16:46])
- Code is written in C (not Go or Nim), making reverse engineering easier than with some newer malware.
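A random 60–120 second sleep defeats a detector that looks for identical intervals, but a bounded sleep window still leaves a fingerprint: the gaps between check-ins never leave the window. The following is an added example, not Jamf’s detection logic; the connection records are constructed tuples of (epoch seconds, source host, destination), standing in for EDR, proxy or firewall logs.

```python
"""Spot jittered beaconing in outbound connection logs.

Added example (not Jamf's detection). RECORDS are constructed; a real run
would read (timestamp, src, dst) from EDR, proxy or firewall logs.
"""
from collections import defaultdict
from statistics import median


def gaps(timestamps):
    """Inter-arrival times of a sorted series."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def is_fixed_period(timestamps, tolerance=1.0):
    """The naive detector: every gap (almost) identical. A 60-120 s random
    sleep is designed to defeat exactly this."""
    g = gaps(timestamps)
    return len(g) >= 2 and max(g) - min(g) <= tolerance


def is_jittered_beacon(timestamps, min_events=8, max_spread=1.0):
    """Random sleep in a bounded window [lo, hi] keeps every gap inside that
    window, so (max - min) / median is at most (hi - lo) / lo: for 60-120 s
    that is 1.0. Human-driven traffic to the same destination has gaps from
    seconds to hours and a spread an order of magnitude larger."""
    g = gaps(timestamps)
    if len(g) < min_events:
        return False
    med = median(g)
    return med > 0 and (max(g) - min(g)) / med <= max_spread


def find_beacons(records):
    """Group by (src, dst) and return the pairs whose timing looks like a
    jittered beacon, sorted for deterministic output."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    return sorted(pair for pair, ts in by_pair.items() if is_jittered_beacon(ts))


def _series(start, gap_list):
    """Turn a list of gaps into absolute timestamps (test data helper)."""
    out, t = [start], start
    for g in gap_list:
        t += g
        out.append(t)
    return out


T0 = 1_764_000_000
# Constructed: a backdoor sleeping a random 60-120 s between check-ins.
BEACON_TS = _series(T0, [61, 118, 95, 73, 110, 66, 89, 102, 117, 78])
# Constructed: a person browsing one destination, gaps from 1 s to 30 min.
BROWSE_TS = _series(T0, [2, 1, 45, 3, 600, 2, 1, 1800, 5, 7])

# Placeholder host and destinations (documentation address ranges).
RECORDS = ([(t, "mac-07", "203.0.113.10:443") for t in BEACON_TS]
           + [(t, "mac-07", "198.51.100.5:443") for t in BROWSE_TS])
```

`find_beacons(RECORDS)` returns only the 203.0.113.10 pair: the beacon series has a gap spread of 57/92 ≈ 0.62, well inside the bound, while the browsing series spreads by several hundred. `is_fixed_period()` is included to show the detector the jitter is aimed at; it misses the beacon entirely.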
Comparison to Typical macOS Malware ([18:21]–[19:34])
- Chilly Hell stood out in both mundane and advanced ways:
- Obvious to analysts due to lack of obfuscation, but its design choices—especially for persistence and anti-forensics—show solid attacker know-how on the Apple platform.
- Presence of a password-cracking module marks it as more aggressive but less stealthy ([19:34]).
Protection and Recommendations ([20:03]–[22:06])
- For users:
- Be vigilant about what you install, even software from trusted sites.
- Take an extra moment to verify the purpose and legitimacy of downloads.
“If you took the second to ask like, all right, I'm on this website. I trust the website. It wants me to install this. What is it? You have no idea... just taking the extra second to knowing whether or not you're installing something, figuring that out...” (Jaron Bradley, [20:09])
- For security teams:
- Establish granular telemetry and visibility into installed apps and user behaviors to spot anomalies quickly.
- Don’t assume that code signing and notarization are perfect protections.
“From the perspective of what can we as security folks do?...It comes down more towards the telemetry side, knowing what's being installed, knowing what your employees are installing...making sure you have visibility...” (Jaron Bradley, [21:43])
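The signing-and-notarization section above and the “don’t assume notarization is a perfect protection” advice here both come down to the same operational question: what is Gatekeeper’s verdict actually worth? The following is an added example written for this summary, not Jamf’s tooling. `assess()` only runs on macOS; the parsers work on captured text, and the samples are constructed in the shape of `spctl --assess -vv` and `codesign -dv --verbose=4` output. The path, company name and Team ID (ABCDE12345) are placeholders.

```python
"""Ask Gatekeeper for its verdict on a binary and decide what that verdict is worth.

Added example (not Jamf's tooling). assess() is macOS-only; parse_spctl() and
parse_codesign() work on captured text. Samples below are constructed in the
tools' output shape with a placeholder Team ID.
"""
import re
import subprocess

# Apple Team IDs are 10 alphanumerics, printed in parentheses at the end of origin=.
TEAM_ID_RE = re.compile(r"\(([A-Z0-9]{10})\)\s*$")


def parse_spctl(text):
    """spctl prints '<path>: accepted|rejected', then source= and origin= lines."""
    v = {"accepted": False, "source": None, "origin": None, "team_id": None}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            v["accepted"] = True
        elif line.startswith("source="):
            v["source"] = line[len("source="):]
        elif line.startswith("origin="):
            v["origin"] = line[len("origin="):]
            m = TEAM_ID_RE.search(v["origin"])
            if m:
                v["team_id"] = m.group(1)
    return v


def parse_codesign(text):
    """codesign -dv --verbose=4 prints key=value lines; TeamIdentifier is the
    one to key on, since it identifies who signed regardless of whether the
    certificate has since been revoked."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, val = line.partition("=")
            fields[k.strip()] = val.strip()
    return fields


def assess(path):
    """macOS only: run both tools. They report on stderr and spctl exits
    non-zero on rejection, so capture both streams and do not use check=True."""
    sp = subprocess.run(["spctl", "--assess", "--type", "exec", "-vv", path],
                        capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                        capture_output=True, text=True)
    verdict = parse_spctl(sp.stderr + sp.stdout)
    verdict["codesign"] = parse_codesign(cs.stderr + cs.stdout)
    return verdict


def decide(verdict, trusted_team_ids):
    """'accepted' with 'Notarized Developer ID' means Apple's automated scan
    passed when the developer submitted the build and the certificate is not
    revoked today. It says nothing about behaviour. So: block what Gatekeeper
    rejects, allow only Team IDs you expect, and send everything else to
    analysis even though it is notarized."""
    if not verdict["accepted"]:
        return "block: %s" % (verdict["source"] or "rejected")
    if verdict["team_id"] in trusted_team_ids:
        return "allow: trusted team %s" % verdict["team_id"]
    return "analyze: %s, unknown team %s" % (verdict["source"], verdict["team_id"])


# Constructed samples in the tools' output format (placeholder Team ID ABCDE12345).
SPCTL_NOTARIZED = (
    "/Users/alice/Downloads/helper: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SPCTL_UNSIGNED = (
    "/Users/alice/Downloads/helper: rejected\n"
    "source=no usable signature\n"
)
CODESIGN_SAMPLE = (
    "Executable=/Users/alice/Downloads/helper\n"
    "Identifier=com.example.helper\n"
    "TeamIdentifier=ABCDE12345\n"
)
```

The point of `decide()` is the middle branch: a notarized binary from a Team ID you have never seen is a triage item, not a pass. Pair the Team ID with the hash and the install telemetry the episode recommends, and re-run `assess()` later, since a revocation by Apple flips the verdict from accepted to rejected without any change to the file.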
The Broader Shift: macOS Security Mindset ([22:11]–[23:09])
- The myth of Apple/macOS invulnerability is fading:
“Perhaps when it comes to malware, our sense of smug superiority needs to be a thing of the past.” (Dave Bittner, [22:11])
“We've just been seeing the market shift a little more...from the single, maybe the executive team at a company using an Apple device ...to all of a sudden, the entire engineering team is using Apple devices... your engineering team holds access to so many important computers and so many different important processes...” (Jaron Bradley, [22:42])
- As Macs become more prevalent in corporate environments, attackers are clearly taking notice and shifting their resources accordingly.
Notable Quotes & Memorable Moments
- On the malware’s brazen branding:
“There’s strings inside of the executable that just say ‘welcome to chilly hell’ in caps and exclamations...” (Jaron Bradley, [03:16])
- On signed and notarized malware:
“This one was submitted to Apple and it passed that notarization check. So the second portion that I kind of referred to was notarization where the before distribution, again for no hiccups to go off, you have to upload your app to the Apple notarization service where they perform some type of scan.” (Jaron Bradley, [07:47])
- On macOS security posture:
“The entire engineering team is using Apple devices... so this thing where we’re like, well, they’re on Macs, so we’re probably fine... it’s getting—we have to ask ourselves that a little more and more as Macs become more prevalent in our environments.” (Jaron Bradley, [22:54])
Key Segment Timestamps
- Discovery & Initial Analysis: [01:59]
- What Is Chilly Hell?: [03:11]
- Signing & Notarization Discussion: [05:24] through [09:43]
- Malware Behavior & Techniques: [11:34]–[16:31]
- Modular Design & Engineering Perspective: [16:34]–[19:34]
- Prevalence & Defensive Recommendations: [20:03]–[22:06]
- Changing Attacker Focus on macOS: [22:11]–[23:39]
Takeaways
- Chilly Hell exemplifies a new sophistication in macOS malware, demonstrating how even Apple’s security processes can be bypassed by determined actors.
- Analysts and defenders should be wary—not all signed and notarized applications are benign.
- With Macs gaining enterprise ground, security vigilance and mature telemetry are now as critical on macOS as on any other platform.
Research cited: ChillyHell: A Deep Dive into a Modular macOS Backdoor (JAMF Threat Labs)
