MacDownloader: Early Iranian Malware Efforts Target Defense and Human Rights Sectors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Dropper, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
The MacDownloader malware, initially observed targeting the defense industrial base and a human rights advocate, impersonates legitimate software such as Adobe Flash Player and the Bitdefender Adware Removal Tool in order to steal system information and macOS Keychain data. It reflects early development efforts by possibly amateur Iranian-affiliated actors and is linked to previously documented Iranian operations targeting aerospace and defense employees. The malware, which also gathers user credentials, lacks effective persistence features and uses infrastructure similar to that of previous campaigns attributed to the Iranian group Charming Kitten.
Detected Targets
Type | Description | Confidence
---|---|---
Case | United Technologies Corporation: an American multinational conglomerate headquartered in Farmington, Connecticut, that was targeted by the iKittens campaign | Verified
Sector | Defense | Verified
Sector | Human Rights | Verified
Region | United States | High
Extracted IOCs
- officialswebsites[.]info
- utc.officialswebsites[.]info
- 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c
- 7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7
- 46[.]17.97.37
- hxxp://46[.]17.97.37/servermac[.]php
Tip: 6 IOCs related to this threat have been found (1 IP, 2 domains, 1 URL, 0 emails, 2 file hashes).
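The indicators above are published defanged (`[.]`, `hxxp`) so they cannot be clicked by accident, which also means they cannot be matched against logs as written. The following is an added example, not part of the original report, showing how a defender would refang and classify exactly these six indicators and sweep them over a handful of constructed DNS, proxy and endpoint log lines. The log lines, hostnames and client addresses are constructed for illustration; only the indicator values come from the page. The domain check deliberately treats a subdomain of a listed domain as a hit while rejecting a lookalike that merely begins with the listed name.

```python
"""Refang the published MacDownloader indicators and match them against
constructed log lines. Added example; not the original report's code."""
import re
from typing import Dict, List, Tuple

# Indicators exactly as published on the page (defanged).
DEFANGED_IOCS = [
    "officialswebsites[.]info",
    "utc.officialswebsites[.]info",
    "52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c",
    "7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7",
    "46[.]17.97.37",
    "hxxp://46[.]17.97.37/servermac[.]php",
]

# Constructed sample telemetry (hosts, clients and timestamps are made up).
SAMPLE_LOGS = [
    "2017-01-01T10:14:02Z dns client=10.0.0.23 query=utc.officialswebsites.info type=A",
    "2017-01-01T10:14:05Z proxy client=10.0.0.23 method=POST url=http://46.17.97.37/servermac.php status=200",
    "2017-01-01T10:13:58Z edr host=mac-0423 path=/Users/alice/Downloads/Adobe Flash Player.app "
    "sha256=52EFCFE30F96A85C9C068880C20663DB64F0E08346E0F3B59C2E5BBCB41BA73C",
    "2017-01-01T10:15:00Z dns client=10.0.0.24 query=www.example.com type=A",
    # Lookalike: shares a prefix with the indicator but is a different registrable domain.
    "2017-01-01T10:15:10Z dns client=10.0.0.25 query=officialswebsites.info.example.net type=A",
]

HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]' / '(.)' -> '.', 'hxxp(s)://' -> 'http(s)://'."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


def classify(ioc: str) -> str:
    """Assign an indicator type; order matters (a hash must not fall through to 'domain')."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", ioc):
        return "sha256"
    if re.match(r"^https?://", ioc):
        return "url"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ioc):
        return "ipv4"
    return "domain"


def load_iocs(defanged: List[str]) -> List[Tuple[str, str]]:
    """Refang and classify, lower-casing so hashes and hostnames compare case-insensitively."""
    return [(classify(r), r.lower()) for r in (refang(d) for d in defanged)]


def scan_line(line: str, iocs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every (type, value) indicator that the log line matches."""
    hits = []
    lowered = line.lower()
    hosts = [h.lower() for h in HOST_RE.findall(line)]
    for kind, value in iocs:
        if kind == "domain":
            # Exact host or a subdomain of it; "officialswebsites.info.example.net" must not match.
            if any(h == value or h.endswith("." + value) for h in hosts):
                hits.append((kind, value))
        elif kind == "ipv4":
            # Guard both sides so 46.17.97.37 does not match inside 146.17.97.370.
            if re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", line):
                hits.append((kind, value))
        elif kind == "url":
            if value in lowered:
                hits.append((kind, value))
        elif kind == "sha256":
            if re.search(r"(?<![0-9a-f])" + value + r"(?![0-9a-f])", lowered):
                hits.append((kind, value))
    return hits


def scan_logs(lines: List[str], iocs: List[Tuple[str, str]]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> matched indicators, for lines with at least one hit."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)).items():
        print(f"line {idx}: {hits}")
```

Lines 0 to 2 produce hits (the parent domain and its subdomain, the IP together with the full exfiltration URL, and the first file hash despite its upper-case spelling); the benign query and the lookalike domain produce none. In a real deployment the same refang/classify step would feed a SIEM watchlist rather than an in-memory list, but the matching rules (subdomain-aware host comparison, delimiter-guarded IP and hash matching) are the part that prevents both missed hits and false positives.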
FAQs
Understanding the MacDownloader Malware Incident
Malicious software called MacDownloader was discovered targeting macOS users; it posed as a Flash update or antivirus tool and stole sensitive system and login information.
The malware is linked to Iranian state-affiliated hacking groups, likely Charming Kitten, known for cyber-espionage operations against political and strategic targets.
The attackers aimed to extract usernames, passwords, and system information from Mac users—primarily in the defense sector and human rights communities—for surveillance and intelligence gathering.
Victims included employees or interns of major defense contractors like Lockheed Martin and Boeing, as well as at least one known human rights advocate.
Victims were tricked into downloading a fake software update. Once installed, the malware collected system data and passwords and sent them to a server controlled by the attackers.
Because many in sensitive fields mistakenly believe macOS is safer, attackers are exploiting this false sense of security to launch tailored attacks.
This was a targeted campaign focusing on specific high-value individuals, not a broad-based attack on the general public.
Avoid downloading software from unknown sources, be skeptical of unexpected update prompts, and use endpoint protection tools that can monitor for suspicious behavior—even on macOS.