S0282 MacSpy

MacSpy is a malware-as-a-service offered on the darkweb.[1]

| Item | Value |
|---|---|
| ID | S0282 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | MacSpy uses HTTP for command and control.[1] |
| enterprise | T1123 | Audio Capture | MacSpy can record the sounds from microphones on a computer.[1] |
| enterprise | T1115 | Clipboard Data | MacSpy can steal clipboard contents.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | MacSpy persists via a Launch Agent.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | MacSpy stores itself in ~/Library/.DS_Stores/ [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | MacSpy deletes any temporary files it creates.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | MacSpy captures keystrokes.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | MacSpy uses Tor for command and control.[1] |
| enterprise | T1113 | Screen Capture | MacSpy can capture screenshots of the desktop over multiple monitors.[1] |