ChillyHell macOS Malware Resurfaces, Using Google.com as a Decoy


A previously dormant macOS threat, ChillyHell, is resurfacing. Read how this malware can bypass security checks, remain hidden, and install itself permanently to control your Mac.

A dormant macOS threat is showing signs of new life, according to a report from cybersecurity firm Jamf. The company has been closely monitoring a macOS backdoor named ChillyHell, which has been active since 2021.

The malware was first brought to light in 2023 by cybersecurity firm Mandiant and was originally linked to a threat actor tracked as UNC4487, known for targeting a Ukrainian auto insurance website to deliver the MATANBUCHUS malware.

The latest research by the Jamf Threat Labs team revealed that a new sample, designed for Intel-based Macs, was uploaded to VirusTotal on May 2nd, 2025, showing the malware is still evolving. As shown in the image, a “zero” detection score on VirusTotal is very unusual for such a threat.

Further probing reveals that ...


Copyright of this story solely belongs to hackread.com.