A once-dormant macOS backdoor, known as ChillyHell, is showing signs of renewed activity. First linked to threat actor UNC4487 and discovered in 2023 by Mandiant, the malware was recently detected again by Jamf Threat Labs. A new Intel-based sample appeared on VirusTotal in May 2025 with a rare “zero” detection score, raising alarms about its ability to bypass traditional defenses.
What makes ChillyHell particularly concerning is its ability to evade detection. The malware employs timestomping to disguise file creation dates, varies how it communicates with its command-and-control servers, and even opens a decoy Google.com page to distract the user while it installs. Its modular design lets it serve several roles, including remote access, dropping additional payloads, and password cracking. Even more troubling, the malware passed Apple’s notarization process, so it presented as a legitimately signed and notarized application.
ChillyHell is built for persistence, using multiple methods to ensure it remains on a device: as a LaunchAgent at login, as a LaunchDaemon at startup, or through shell profile injection. While Jamf has worked with Apple to revoke the developer certificates tied to the malware, the case highlights a growing threat landscape where signed and notarized code can still be malicious.
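The three persistence locations named above (LaunchAgents, LaunchDaemons and shell profile files) are the places a defender can audit directly. The script below is an added example for that audit; it is not Jamf's or Mandiant's tooling and contains no ChillyHell indicators. It assumes a hypothetical list of "expected" program prefixes (tune it for your fleet), a heuristic that flags launchd jobs whose program lives outside those prefixes, and a heuristic that flags shell-profile lines launching something from a temp directory or a hidden directory. The sample LaunchAgents and `.zshrc` it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit macOS persistence locations: LaunchAgents, LaunchDaemons and shell profiles.
Added example (not Jamf's or Mandiant's code); prefixes, heuristics and the
sample data are assumptions/constructed for the demo."""
import os
import plistlib
import re
import tempfile

# Relative to a root: "/" for system jobs, a user's home for per-user jobs.
LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
SHELL_PROFILES = (".zshrc", ".zprofile", ".bash_profile", ".bashrc", ".profile")

# Assumption: programs under these prefixes are expected; anything else is reviewed.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Heuristics for shell-profile injection: a command that runs something from a
# temp directory or from a hidden directory (e.g. ~/.cache/.x/runner).
TEMP_PATH = re.compile(r"(?:/private)?(?:/var)?/tmp/\S+")
HIDDEN_DIR_PATH = re.compile(r"(?:~|\$HOME|/)\S*/\.[^/\s]+/\S+")
# Lines that only set variables, aliases or source files are not launches.
PASSIVE_PREFIXES = ("#", "export ", "alias ", "source ", ". ")


def audit_launch_items(root):
    """Return (plist_path, reason) for launchd jobs whose program looks out of place."""
    findings = []
    for rel in LAUNCH_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # parses both XML and binary plists
            except Exception as exc:  # a plist launchd cannot parse still deserves a look
                findings.append((path, f"unparseable plist: {exc}"))
                continue
            program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
            if not program:
                findings.append((path, "no Program or ProgramArguments"))
            elif not program.startswith(EXPECTED_PREFIXES):
                findings.append((path, f"runs {program} from outside expected locations"))
    return findings


def audit_shell_profiles(home):
    """Return (profile_path, line) for lines that launch from a temp or hidden directory."""
    findings = []
    for name in SHELL_PROFILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                stripped = line.strip()
                if not stripped or stripped.startswith(PASSIVE_PREFIXES):
                    continue
                if TEMP_PATH.search(stripped) or HIDDEN_DIR_PATH.search(stripped):
                    findings.append((path, stripped))
    return findings


# Constructed sample data: one ordinary agent, one agent running from a hidden
# directory, and a .zshrc with normal lines plus one injected launcher line.
BENIGN_AGENT = {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
SUSPECT_AGENT = {"Label": "com.example.helper",
                 "ProgramArguments": ["/Users/demo/Library/.helper/agent", "-d"],
                 "RunAtLoad": True, "KeepAlive": True}
ZSHRC = """# constructed sample profile
export PATH="$HOME/.cargo/bin:$PATH"
alias ll='ls -la'
source ~/.zsh/aliases.zsh
nohup "$HOME/.cache/.x/runner" >/dev/null 2>&1 &
"""


def build_sample_root():
    """Create a throwaway directory tree shaped like a user's home."""
    root = tempfile.mkdtemp(prefix="persist-audit-")
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(BENIGN_AGENT, fh)
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump(SUSPECT_AGENT, fh)
    with open(os.path.join(root, ".zshrc"), "w", encoding="utf-8") as fh:
        fh.write(ZSHRC)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for where, reason in audit_launch_items(sample) + audit_shell_profiles(sample):
        print(f"{where}: {reason}")
```

On a real machine, run `audit_launch_items("/")` for system-wide LaunchDaemons and LaunchAgents and `audit_launch_items(home)` plus `audit_shell_profiles(home)` for each user. The heuristics deliberately err toward flagging: legitimate third-party agents installed under `/Library/Application Support` will appear, and the point is a short review list, not a verdict. Since the article notes the sample was signed and notarized, a program's location and the job that starts it are better triage signals than its signature.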