Yes, it is chaining of 5-6 vulnerabilities before triggering the malware payload which called TriangleDB. You can watch the full talk here: youtube.com/watch?v=1f6YyH62…
29 Nov 2025
#tools #reversing "Reverse Engineering macOS XProtect Remediator", Black Hat USA 2025. ]-> Slides - i.blackhat.com/BH-USA-25/Pre… ]-> Tools/Repo - github.com/FFRI/PoC-public/t… // Because XPR is implemented as stripped Swift binaries, analyzing it is particularly challenging. To address these challenges, we developed custom tools for both static and dynamic analysis. The results show that XPR employs detection logic beyond simple YARA-based scanning, including mechanisms such as the use of OCR for detecting Gatekeeper sidestepping techniques. The analysis also revealed insights into Apple-exclusive threat intelligence, including the TriangleDB macOS implant and a publicly unknown Smooth Operator sample. Furthermore, our analysis revealed that XPR's logic is expressed in a custom DSL built with Swift's result builders.

17 Oct 2025
Post-talk snapshot — XUnprotect (XProtect Remediator) We walked in thinking “just YARA.” Walked out with: • a Swift DSL (Result Builders) spelling out XPR’s rules, • sneaky OCR checks catching Gatekeeper-bypass antics on screen, • Apple-only intel—with TriangleDB fingerprints, • and new tools to track XPR updates like a threat-intel feed. Koh Nakagawa @tsunek0h | Only at #OBTS 🍏 do black boxes leave as blueprints you can actually use.
17 Oct 2025
Koh (@tsunek0h)/FFRI talked at #OBTS about reversing Xprotect Remediator, uncovering Swift-based detection logic, OCR-powered malware spotting 🤯, and Apple’s hidden threat intel (hello, TriangleDB (securelist.com/triangledb-tr… ). Koh has excellent slides - i.blackhat.com/BH-USA-25/Pre…
17 Oct 2025
🔐 DECLASSIFIED // XUnprotect — macOS XProtect Remediator decoded (live at #OBTS 🍏) | Koh Nakagawa @tsunek0h Findings: • Not “just YARA.” XPR’s detections live in a custom DSL built with Swift Result Builders (SwiftUI vibes, but for rules). • Stripped Swift binaries? Cracked with custom static/dynamic tooling. • Wild card: OCR used to spot Gatekeeper-bypass shenanigans right on screen. • Hidden intel: Apple-exclusive TI, incl. clues touching TriangleDB implants. Only at #OBTS 🍏 do we turn a black box into a blueprint you can actually run with.
Hello, we hope everyone is enjoying their weekend so far. We've made some updates to the vx-underground malware sample collection. Additionally, we have papers in queue but they have not been addressed yet. Samples and families added: - Virussign.2024.04.19 - Virussign.2024.04.20 - Virussign.2024.04.21 - Virussign.2024.04.22 - Virussign.2024.04.23 - Virussign.2024.04.24 - Virussign.2024.04.26 - InTheWild.0121 - InTheWild.0120 - SmokeLoader - STRRAT - TriangleDB - QuasarRAT - SnakeKeylogger - NewBotLoader - PikaBot - PlanetStealer - NetSupportRAT - NjRAT - LummaStealer - EvilAntRansomware - DarkGateLoader - BunnyLoader - DoNexRansomware
#100DaysofYara Day #3: Crafting a simple rule for the #OperationTriangulation iOS implant dubbed #TriangleDB 📱 One interesting feature with Yara is that to identify a specific file, you can use the initial hexadecimal strings (also known as the Magic Number) located at offset 0 of the file. (NB: you could also use "uint16(0) == 0xfacf")🔍. In this case, I aimed to match on 64-bit Mach-O files. So, I used the hex CF FA ED FE at offset 0, combined with some specific strings related to the implant 🛠️. #iOS #Malware #YaraRule 👉 blog.securitybreak.io/100day… 👉 github.com/fr0gger/2024/tree…
3 Nov 2023
We've uncovered new information about components used in Operation Triangulation, including a more detailed look at TriangleDB - the main implant used in the campaign. Here's what we know ⇒ kas.pr/u77h #iOSTriangulation
2 Nov 2023
We've uncovered new information about components used in Operation Triangulation, including a more detailed look at TriangleDB - the main implant used in the campaign. Here's what we know ⇒ kas.pr/u77h #iOSTriangulation
30 Oct 2023
TriangleDB: this is how the spyware wreaking havoc on iPhones operates tn.com.ar/tecno/novedades/20…

30 Oct 2023
We've uncovered new information about components used in Operation Triangulation, including a more detailed look at TriangleDB - the main implant used in the campaign. Here's what we know ⇒ kas.pr/u77h #iOSTriangulation
29 Oct 2023
Urgent Security Issue for #iPhone & #iPad users! Apple drops urgent patch against obtuse TriangleDB iPhone malware. Go to Settings/General/Software Update and install the current update on your phone if it is available. theregister.com/2023/10/26/a…
#ALERT 🚨🚨 @Apple drops urgent patch against obtuse TriangleDB iPhone malware. Apple pushed several security fixes on Wednesday, including one for all iPhones and iPads used before September last year that has already been exploited by threat actors. The vulnerability, tracked as CVE-2023-32434, "may have been actively exploited against versions of iOS released before iOS 15.7," according to Apple's security update. Exploiting this flaw allows the execution of arbitrary code with kernel privileges. This is the second patch that Apple has issued to fix the vulnerability. #cybersecurity #infosec #threatintelligence #Apple #CVE Read more: theregister.com/2023/10/26/a…

Apple drops urgent patch against obtuse TriangleDB iPhone malware dlvr.it/Sy0cG0

📢 Attention iOS users: Experts have unearthed crucial insights about the TriangleDB implant, which targets #Apple iOS devices. It can record audio, pilfer #iCloud Keychain data, and more. thehackernews.com/2023/10/op… #cybersecurity #hacking

iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation thehackernews.com/2023/10/op… "The core of the attack framework constitutes a backdoor called TriangleDB that's deployed after the attackers obtain root privileges on the target iOS device by exploiting"
