A new study from Cisco Talos, published on 21 April, reveals that a growing range of native macOS features are being repurposed by attackers to execute code, move laterally and evade detection on Apple systems. The research highlights how built‑in tools such as Remote Application Scripting and Spotlight metadata can be abused to bypass traditional security controls, with inter-process communication (IPC) allowing commands to be issued without triggering standard shell monitoring.
In some cases, attackers use Terminal as a proxy for execution, encoding payloads in Base64 and deploying them in stages, while other techniques rely on AppleScript over SSH or tools like socat to enable remote shells without visible SSH logs. Covert data movement and persistence are also demonstrated, including embedding malicious code in Finder comments stored as Spotlight metadata to evade static analysis.
The report identifies native protocols and tools such as SMB, Netcat, Git, TFTP and SNMP for lateral movement and data exchange, and recommends that defenders shift detection toward process lineage, metadata activity and tighter controls via MDM policies.
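As an added example of the "metadata activity" detection the report recommends (this is not code from the Talos study), the script below unwraps the Finder-comment extended attribute, which macOS stores as a binary plist under `com.apple.metadata:kMDItemFinderComment`, and flags comments that hide a base64-wrapped script. The xattr name and the `xattr -px` hex output format are assumptions about macOS; the sample comments are constructed inline so the check runs offline.

```python
import base64
import plistlib
import re
import subprocess

# Finder comments are stored as a binary plist wrapping one string in this xattr;
# Spotlight indexes the same value as kMDItemFinderComment (assumed attribute name).
FINDER_COMMENT_XATTR = "com.apple.metadata:kMDItemFinderComment"

# A comment that is really a staged payload tends to be one long run of base64
# characters rather than readable text.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Tokens that mark shell or AppleScript content once the base64 is decoded.
SCRIPT_MARKERS = ("#!/", "osascript", "bash", "sh -c", "curl ")


def decode_finder_comment(xattr_value: bytes) -> str:
    """Unwrap the bplist stored in the Finder-comment xattr and return its text."""
    value = plistlib.loads(xattr_value)
    return value if isinstance(value, str) else ""


def hidden_script(comment: str):
    """Return the decoded script if the comment carries a base64-wrapped one, else None."""
    for match in BASE64_RUN.finditer(comment):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # long run of base64 alphabet, but not valid base64
        text = decoded.decode("utf-8", errors="ignore")
        if any(marker in text for marker in SCRIPT_MARKERS):
            return text
    return None


def scan_comment_xattr(xattr_value: bytes):
    """Full check on raw xattr bytes: decode the plist, then look for a hidden script."""
    return hidden_script(decode_finder_comment(xattr_value))


def scan_file(path: str):
    """macOS-only helper (assumed CLI format): read the xattr as hex via `xattr -px`."""
    out = subprocess.run(["xattr", "-px", FINDER_COMMENT_XATTR, path],
                         capture_output=True, text=True, check=True).stdout
    return scan_comment_xattr(bytes.fromhex("".join(out.split())))


# Constructed samples: a benign comment and one hiding a harmless placeholder script.
BENIGN = plistlib.dumps("Q2 budget, reviewed by finance", fmt=plistlib.FMT_BINARY)
STAGED_SCRIPT = "#!/bin/bash\necho staged payload placeholder\n"
MALICIOUS = plistlib.dumps("notes " + base64.b64encode(STAGED_SCRIPT.encode()).decode(),
                           fmt=plistlib.FMT_BINARY)
```

Running `scan_file` over a directory tree, or pairing it with `mdfind 'kMDItemFinderComment == "*"'` to enumerate commented files, turns this into a periodic sweep of the metadata the report singles out.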