
Mosyle identifies two new macOS threats invisible to antivirus engines

After exclusively sharing details with 9to5Mac last September on ModStealer, a cross-platform infostealer invisible to every major antivirus engine at the time, Mosyle, a leader in Apple device management and security, is back with two more macOS threats that are flying completely under the radar.

In new details again shared with 9to5Mac, the Mosyle Security Research Team says it has identified two previously undetected samples: Phoenix Worm, a cross-platform stager, and ShadeStager, a modular macOS implant built for credential theft. The two aren’t directly connected in how they work, but together show just how sophisticated Mac malware is getting.

The timing here tracks with what the rest of the industry has been seeing. As I previously reported, infostealers and trojans like Atomic Stealer have been the dominant malware story on Mac for the past year, with attackers shifting away from noisy smash-and-grab attacks toward persistence. Phoenix Worm and ShadeStager are exactly that.

Phoenix Worm, a stealthy stager

Despite its name, Phoenix Worm is a stager rather than a self-propagating worm. It's a Go-based, multi-platform malware built to act as a stager: a lightweight initial payload that establishes persistence and prepares the host for a second wave of attacks. Rather than dropping the full payload up front, it quietly builds a foothold first. There are clear advantages to doing this: the initial sample stays small and generic, giving antivirus engines little to match on, and the more capable payloads are only delivered once the foothold is confirmed.

According to Mosyle, Phoenix Worm’s core functionality includes:

  • Establishing communication with a remote command-and-control (C2) server
  • Generating unique identifiers for infected systems
  • Transmitting system data back to attackers
  • Supporting remote upgrades and additional payload execution

Phoenix Worm doesn’t appear to be a standalone threat either, Mosyle told 9to5Mac. Its design strongly suggests it’s part of a broader toolkit, meant to hand off execution to more advanced payloads further down the attack chain.

At the time of analysis, no antivirus engines detected the macOS or Linux variants, with only limited detection on Windows.

ShadeStager, built for credential theft

ShadeStager operates as a post-exploitation tool, designed to extract high-value data from systems that have already been compromised. While this might sound like the perfect companion attack to Phoenix Worm, Mosyle says the two are not connected.

In fact, ShadeStager seems to have its sights set on developer environments and cloud infrastructure. It specifically guns for:

  • SSH keys and known hosts
  • Cloud credentials from AWS, Azure, and GCP
  • Kubernetes configuration files
  • Git and Docker authentication data
  • Full browser profiles across major browsers

It also runs extensive recon on the host, pulling user and privilege info, OS and hardware details, network configuration, and environment variables tied to cloud and SSH sessions, according to Mosyle. Everything is structured and exfiltrated over HTTPS, and the implant also supports remote command execution and file downloads.
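To see what that target list means on an actual workstation, here is an added example (my own code, not Mosyle's analysis and not anything from the samples) that inventories the credential stores named above under a home directory and flags the two things a stealer profits from most: files readable by other users and secrets stored unencrypted. The file locations are assumed defaults for each tool, and the sample home directory it builds is constructed test data.

```python
"""Inventory the credential stores ShadeStager is reported to harvest and flag
the weaknesses a stealer profits from: loose permissions and unencrypted secrets.
Added example for this article; not Mosyle's or 9to5Mac's code."""
import base64
import json
import os
import stat
import tempfile

# Assumed default locations for each store named in the article; tools can be
# configured to use other paths, so extend this table for your own fleet.
TARGETS = {
    "ssh_key": [".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519"],
    "ssh_known_hosts": [".ssh/known_hosts"],
    "aws": [".aws/credentials"],
    "azure": [".azure/msal_token_cache.json", ".azure/accessTokens.json"],
    "gcp": [".config/gcloud/credentials.db",
            ".config/gcloud/application_default_credentials.json"],
    "kubernetes": [".kube/config"],
    "git": [".git-credentials"],
    "docker": [".docker/config.json"],
}


def ssh_key_is_encrypted(data: bytes) -> bool:
    """True if an OpenSSH private key is passphrase-protected.
    Legacy PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header; new-format keys
    name their cipher right after the 'openssh-key-v1' magic ('none' = plaintext)."""
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(body)
    except ValueError:
        return False  # unrecognised format: assume not protected
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return False
    off = len(magic)
    n = int.from_bytes(raw[off:off + 4], "big")
    return raw[off + 4:off + 4 + n] != b"none"


def docker_has_inline_auth(data: bytes) -> bool:
    """Docker keeps registry logins as base64 'user:password' under 'auths'
    unless a credential helper (credsStore / credHelpers) is configured."""
    try:
        cfg = json.loads(data)
    except ValueError:
        return False
    auths = cfg.get("auths", {}) if isinstance(cfg, dict) else {}
    return any(isinstance(v, dict) and "auth" in v for v in auths.values())


def audit_home(home: str) -> list:
    """One finding per credential file present under `home`."""
    findings = []
    for category, rel_paths in TARGETS.items():
        for rel in rel_paths:
            path = os.path.join(home, rel)
            if not os.path.isfile(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "rb") as fh:
                data = fh.read()
            finding = {"category": category, "path": rel,
                       "readable_by_others": bool(mode & 0o077)}
            if category == "ssh_key":
                finding["unencrypted"] = not ssh_key_is_encrypted(data)
            if category == "docker":
                finding["inline_registry_auth"] = docker_has_inline_auth(data)
            findings.append(finding)
    return findings


def build_sample_home() -> str:
    """Constructed fixture, not real data: an unencrypted world-readable SSH
    key, a correctly permissioned AWS file and a Docker config with inline
    registry credentials."""
    home = tempfile.mkdtemp()

    def put(rel, data, mode):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    # Minimal openssh-key-v1 blob: magic, then the cipher name "none".
    raw = b"openssh-key-v1\x00" + (4).to_bytes(4, "big") + b"none" + b"\x00" * 16
    key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
           + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    put(".ssh/id_ed25519", key, 0o644)
    put(".aws/credentials", b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n", 0o600)
    put(".docker/config.json", json.dumps(
        {"auths": {"registry.example": {"auth": "dXNlcjpwYXNz"}}}).encode(), 0o600)
    return home


def audit_sample() -> dict:
    """Audit the constructed fixture; results keyed by relative path."""
    return {f["path"]: f for f in audit_home(build_sample_home())}


if __name__ == "__main__":
    for finding in audit_home(os.path.expanduser("~")):
        print(finding)
```

Run it against a real home directory to see what a stealer with user-level access would find in one pass. The useful output is not the presence of these files (developers need them) but the unencrypted SSH key and the inline Docker auth entry: a passphrase on the key and a credential helper for Docker mean a stolen file still isn't a usable credential, and short-lived cloud tokens limit the blast radius of everything else.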

Interestingly, ShadeStager doesn't include a hardcoded C2 address, and portions of the malware's code were visible to Mosyle researchers without any additional reverse engineering of the binaries. This strongly suggests the sample was still under development at the time of discovery.

TL;DR

Phoenix Worm and ShadeStager aren't connected, but they follow the same attack model we're seeing more and more of: one establishes access, the other extracts credentials and cloud tokens, and at the time of discovery neither macOS sample was detected by a single antivirus engine.

That’s the direction Mac malware has moved in 2026. Attackers are writing in Go and Rust for cross-platform compatibility, shipping modular payloads that separate initial access from post-exploitation, and configuring C2 infrastructure dynamically so nothing static matches a signature. The easiest example I can point to is Atomic Stealer, which is arguably becoming the most popular and concerning malware family on the platform. It and its variants have been operating this way for some time, and the approach is now showing up across unrelated samples.

Signature-based antivirus is not enough anymore. Behavioral detection and real-time visibility should be baseline for admins and security teams defending macOS environments today.

Indicators of Compromise

For Mac admins looking to add these threats to their security tools, Mosyle has shared the following SHA256 hashes:

  • ShadeStager: 7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156
  • Phoenix Worm: 54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2
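For admins who don't have an EDR that ingests hash lists, here is an added example (my own code, not Mosyle's or 9to5Mac's) of a minimal sweep that walks a set of directories, hashes every regular file, and reports matches against the two published SHA-256 values. The sweep roots are an assumption about where droppers and persistence usually land on macOS; the fixture it builds for testing is constructed data, and the third hash it adds for that test is the digest of a planted stand-in file, not a real IOC.

```python
"""Sweep directory trees for files whose SHA-256 matches published IOC hashes.
Added example for this article; not Mosyle's or 9to5Mac's code."""
import hashlib
import os
import stat
import tempfile

# The two hashes Mosyle shared, keyed by digest for O(1) lookup.
IOC_SHA256 = {
    "7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156": "ShadeStager",
    "54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2": "Phoenix Worm",
}

# Assumed sweep roots for a macOS host: where droppers and persistence land.
DEFAULT_ROOTS = ["/Applications", "/Users", "/private/tmp",
                 "/Library/LaunchAgents", "/Library/LaunchDaemons"]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, iocs, max_size: int = 256 << 20) -> list:
    """Return (path, ioc_name) for every regular file under `roots` whose
    digest is in `iocs`. Symlinks are not followed and unreadable or oversized
    files are skipped, so one permission error doesn't abort the sweep."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                        continue
                    digest = sha256_file(path)
                except OSError:
                    continue
                if digest in iocs:
                    hits.append((path, iocs[digest]))
    return hits


def build_sample_tree() -> tuple:
    """Constructed fixture: a benign file plus a planted file standing in for a
    malware sample. Returns (root, iocs) where `iocs` adds the planted file's
    digest to the published list, since the real samples aren't available here."""
    root = tempfile.mkdtemp()
    planted = b"constructed stand-in for a malware sample, not real malware\n"
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign file\n")
    os.makedirs(os.path.join(root, "Library", "LaunchAgents"))
    with open(os.path.join(root, "Library", "LaunchAgents", "com.example.helper"), "wb") as fh:
        fh.write(planted)
    iocs = dict(IOC_SHA256)
    iocs[hashlib.sha256(planted).hexdigest()] = "planted-test-file"
    return root, iocs


def sweep_sample() -> list:
    """Run the sweep over the constructed fixture; returns only the IOC names hit."""
    root, iocs = build_sample_tree()
    return [name for _path, name in sweep([root], iocs)]


if __name__ == "__main__":
    for path, name in sweep(DEFAULT_ROOTS, IOC_SHA256):
        print(f"IOC match: {name}  {path}")
```

Run it as root so every user's home directory is readable. Keep in mind what a hash match can and cannot tell you: it fires only on a byte-identical file, so a recompiled or repacked build of either sample walks straight past it. That is the article's point about signatures, and it is why a sweep like this belongs alongside behavioral telemetry (new LaunchAgents, unexpected outbound HTTPS from unsigned binaries, reads of ~/.ssh and ~/.aws by processes that have no business there) rather than in place of it.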

Follow Arin Waichulis: LinkedIn, Threads, X

Subscribe to the 9to5Mac Security Bite Podcast for biweekly deep dives and interviews with leading Apple security researchers and experts:

