- ChillyHell is a modular macOS backdoor created in 2021 that passed Apple's notarization and remained undetected for years
- Mandiant spotted it in 2023, but the information was not shared publicly, so AV tools did not pick it up
- Jamf disclosed it in 2025, revealing that it is still notarized and not flagged by antivirus engines
For at least four years, a piece of modular Apple malware has been deployed on targeted devices without being flagged by antivirus solutions.
To make matters worse, for at least two of those years, (part of) the cybersecurity community was aware of its existence.
Earlier this week, Jamf security researchers published a new report detailing ChillyHell, a modular backdoor that provides its operators with a reverse shell, the ability to update itself, and an option to fetch and execute additional payloads.
First detection in 2023
Although the backdoor itself is not out of the ordinary, the fact that it went undetected for so long is. Apparently, the malware was created in 2021, when it was submitted to Apple. It passed the notarization checks, which means that Apple's automated systems did not flag it as malicious.
It managed to pass the checks because its payloads were split into modules, it was signed with a valid Apple Developer ID, and it was built to look like a harmless application. In addition, it did not exhibit standard behavioral red flags such as privilege escalation or network scanning.
Until 2023, it operated undetected, with no antivirus detections on the main platforms. However, in 2023, Mandiant (Google's cybersecurity arm) identified it in a threat intelligence briefing, and even attributed it to UNC4487, a threat actor that had been seen targeting Ukrainian officials via a car insurance website.
But the briefing was shared privately and without technical details, leaving the wider security community unaware of its existence. Apple has not revoked the notarization, and AV tools have still not flagged it.
Fast forward to 2025, and now Jamf Threat Labs has publicly disclosed the malware, named it ChillyHell, and detailed its architecture, persistence, and evasion techniques. It also pointed out that even at this stage, Apple's notarization remained valid, and some samples uploaded to VirusTotal are still not flagged by antivirus engines.
Via The Register