AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.^[1]

AppleJeus has sent data to its C2 server viaPOST requests.^[1][2]

AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.^[1][2]

AppleJeus can install itself as a service.^[1]

AppleJeus has placed a plist file within theLaunchDaemons folder and launched it manually.^[1][2]

AppleJeus has decoded files received from a C2.^[1]

DuringAppleJeus's installation process, it usespostinstall scripts to extract a hidden plist from the application's/Resources folder and execute theplist file as aLaunch Daemon with elevated permissions.^[2]

AppleJeus has exfiltrated collected host information to a C2 server.^[1]

AppleJeus has added a leading. to plist filenames, unlisting them from the Finder app and default Terminal directory listings.^[1]

AppleJeus has deleted the MSI file after installation.^[1]

AppleJeus has XOR-encrypted collected system information prior to sending to a C2.AppleJeus has also used the open source ADVObfuscation library for its components.^[1]

AppleJeus has been distributed via spearphishing link.^[1]

AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.^[1]

AppleJeus has used a valid digital signature from Sectigo to appear legitimate.^[1]

AppleJeus has been installed via MSI installer.^[1]

AppleJeus has collected the victim host information after infection.^[1]

AppleJeus has loaded a plist file using thelaunchctl command.^[1]

AppleJeus's spearphishing links required user interaction to navigate to the malicious website.^[1]

AppleJeus has required user execution of a malicious MSI installer.^[1]

AppleJeus has waited a specified time before downloading a second stage payload.^[1]

^[1]