A sophisticated new malware suite targeting macOS, dubbed “PasivRobber,” has been discovered by security researchers.
Identified on March 13, 2025, after a suspicious file named “wsus” was uploaded to VirusTotal, PasivRobber is a multi-component threat designed to steal a wide range of data from infected systems and popular applications.
The malware exhibits a deep understanding of macOS internals and employs several deceptive techniques.
Its initial installer package is signed with a Developer ID belonging to “weihu chen,” but this package installs a secondary, unsigned package containing the core malware components.
The installation process attempts to hide the malware by using names similar to legitimate macOS processes, such as naming its main launcher “goed” instead of Apple’s “geod,” and using “wsus,” an acronym typically associated with Windows Server Update Services. It also disguises dynamic libraries (dylibs) by giving them “.gz” extensions.
Targeting and Potential Origin
Evidence strongly suggests PasivRobber originates from and targets Chinese users. The malware specifically extracts data from applications popular in China, including WeChat and QQ.
Developer paths found within the code contain the name “Meiya,” and initial open-source intelligence links the developer signature to “Xiamen Huanya Zhongzhi Technology Partnership Enterprise,” a company connected to “Xiamen Meiya Pico Information Co., Ltd.”
Meiya Pico is known for developing forensic and security products and has previously been linked by the U.S. Treasury to the Chinese Military-Industrial Complex and the development of surveillance software.
While a definitive link is not confirmed, the capabilities and sophistication align with Meiya Pico’s profile.
Capabilities and Structure
According to the report, PasivRobber uses a complex, multi-layered structure, leading researchers to name it after the PASIV device and multi-level dream espionage in the film Inception, combined with its use of “Robber.dylib” components.
The suite operates through several key binaries:
- goed: Launched via a persistent LaunchDaemon, this binary starts the main operations by executing wsus.
- wsus: Handles remote actions, including updates via FTP, uninstallation via RPC messages, and capturing screenshots using the Core Graphics framework. It also attempts to extract keys and data from instant messaging application caches and plists.
- center: Acts as an on-device agent, collecting system information (hardware model, OS details, memory stats) and logging activity. Crucially, it uses another bundled binary, “apse” (similar to the open-source insert_dylib tool), to inject malicious code into running applications such as WeChat, QQ, and WeCom (WeChat Enterprise). It can kill these apps, inject code (potentially using Frida framework scripts embedded in libIMKeyTool.dylib), and then re-sign them.
- Plugins: The suite includes 28 plugins disguised as .gz files located in /Library/protect/wsus/bin_arm/plugins/. These target specific data sources, including system files, browser data (Safari, Chrome, Firefox), email clients (Mail, Outlook, Foxmail), chat applications, and cloud storage configurations. Collected data appears to be stored in a local SQLite database.
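As an added example (not code from the report or from the researchers), a small Python triage script that applies two of the indicators described above: “.gz” files in the plugin directory whose magic bytes are Mach-O rather than gzip, and LaunchDaemon plists that launch a goed/wsus binary or anything under /Library/protect/. The sample files and plists it builds are constructed, not real PasivRobber artefacts.

```python
import plistlib
import tempfile
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"                      # a real gzip stream starts with 1f 8b
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, both byte orders
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat (universal) headers
}
SUSPECT_PREFIX = "/Library/protect/"          # plugin tree named in the report
SUSPECT_NAMES = {"goed", "wsus"}              # look-alikes of Apple's geod / Windows WSUS

def classify(path: Path) -> str:
    """Classify a file by its first bytes: 'gzip', 'macho' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == GZIP_MAGIC:
        return "gzip"
    if head in MACHO_MAGICS:  # caveat: the fat magic also matches Java .class files
        return "macho"
    return "other"

def disguised_dylibs(plugin_dir: Path) -> list:
    """Names of '.gz' files under plugin_dir that are really Mach-O images."""
    return sorted(p.name for p in plugin_dir.rglob("*.gz")
                  if p.is_file() and classify(p) == "macho")

def suspicious_daemon(plist_bytes: bytes) -> bool:
    """True if a LaunchDaemon plist launches goed/wsus or anything under /Library/protect/."""
    d = plistlib.loads(plist_bytes)
    targets = [d["Program"]] if "Program" in d else []
    targets += list(d.get("ProgramArguments", [])[:1])
    return any(t.startswith(SUSPECT_PREFIX) or Path(t).name in SUSPECT_NAMES
               for t in targets)

# Constructed sample plists (labels and the benign path are made up for the demo).
BAD_PLIST = plistlib.dumps({"Label": "com.example.goed",
                            "ProgramArguments": ["/Library/protect/wsus/bin_arm/goed"]})
OK_PLIST = plistlib.dumps({"Label": "com.example.backupd",
                           "ProgramArguments": ["/usr/local/libexec/backupd"]})

def demo() -> dict:
    """Build a throwaway plugin dir with one real gzip and one fake '.gz' dylib, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        (plugins / "real.gz").write_bytes(GZIP_MAGIC + b"\x08\x00" + b"\x00" * 8)   # gzip header
        (plugins / "fake.gz").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)        # MH_CIGAM_64
        return {"disguised": disguised_dylibs(plugins),
                "bad_daemon": suspicious_daemon(BAD_PLIST),
                "ok_daemon": suspicious_daemon(OK_PLIST)}
```

On a live system, point disguised_dylibs at /Library/protect/wsus/bin_arm/plugins/ and feed suspicious_daemon each file in /Library/LaunchDaemons.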
The malware checks System Integrity Protection (SIP) status before attempting certain actions, such as key extraction from IM apps using libIMKeyTool.dylib, suggesting these functions only work if SIP is disabled.
It also includes functionality for remote uninstallation and uses TEA encryption for its logs and configuration files.
Researchers also found evidence of related Windows components within the macOS package, indicating a potential cross-platform aspect to the threat.