
Mosyle identifies two new macOS threats invisible to antivirus engines

The Mosyle Security Research Team has identified two sophisticated, previously undetected macOS threats, Phoenix Worm and ShadeStager, neither of which was flagged by any major antivirus engine at the time of discovery.

Key Points

  • Phoenix Worm is a Golang-based stager designed to establish persistent footholds and facilitate the delivery of secondary malicious payloads.
  • ShadeStager is a modular post-exploitation tool specifically engineered to steal SSH keys, cloud credentials, and authentication data from developer environments.
  • Both malware samples were invisible to all major antivirus engines at the time of their discovery by researchers.
  • ShadeStager targets high-value data from platforms including AWS, Azure, GCP, Kubernetes, and various web browsers.
  • Mosyle provided specific SHA256 hashes for both threats to assist system administrators in updating their security detection tools.
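The hashes Mosyle published are the kind of indicator an administrator feeds into a file-hash sweep. The script below is an added example of that sweep and is not code from Mosyle or 9to5Mac. The real SHA256 values are not reproduced on this page, so the IOC table is built from constructed placeholder bytes purely so the example runs; the directory layout, file names and the `demo()` helper are likewise constructed for illustration. In practice, replace `IOC_HASHES` with the values from the Mosyle advisory.

```python
"""Hash-based IOC sweep for the two macOS samples described above.

Added example, not Mosyle's or 9to5Mac's code. The SHA256 values Mosyle
published are not reproduced on this page, so IOC_HASHES below is derived
from constructed placeholder bytes (assumption) just to make the example
runnable; substitute the real hashes from the advisory before use.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for the real samples (NOT the actual malware bytes).
PLACEHOLDER_SAMPLES = {
    "Phoenix Worm": b"constructed placeholder for Phoenix Worm sample\n",
    "ShadeStager": b"constructed placeholder for ShadeStager sample\n",
}

# Map hexdigest -> threat name. In production, load this from the advisory.
IOC_HASHES = {
    hashlib.sha256(data).hexdigest(): name
    for name, data in PLACEHOLDER_SAMPLES.items()
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large Mach-O binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=IOC_HASHES):
    """Walk `root`, hash every regular file, return [(path, threat_name)] for IOC matches.

    Symlinks are skipped so an attacker cannot make the sweep follow a link out
    of the tree; unreadable files are skipped rather than aborting the whole run.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append((str(p), ioc_hashes[digest]))
    return hits


def demo():
    """Build a constructed tree with one benign file and both placeholder 'samples',
    then return the sorted threat names the sweep reports."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "benign.txt").write_bytes(b"nothing to see here\n")
    nested = root / "Library" / "Application Support" / "x"  # constructed path
    nested.mkdir(parents=True)
    (nested / "updater").write_bytes(PLACEHOLDER_SAMPLES["Phoenix Worm"])
    (root / "agent").write_bytes(PLACEHOLDER_SAMPLES["ShadeStager"])
    return sorted(name for _path, name in sweep(root))


if __name__ == "__main__":
    for name in demo():
        print("IOC match:", name)
```

A hash sweep only catches byte-identical copies of the samples Mosyle analysed; a recompiled or repacked variant produces a different digest, which is exactly why the "Why it Matters" section below pairs hash indicators with behavioral monitoring rather than relying on either alone.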

Why it Matters

These findings highlight a growing trend of modular, cross-platform malware that prioritizes stealth and persistence over traditional, noisy attack methods. As attackers increasingly bypass signature-based antivirus, organizations must adopt behavioral detection and real-time monitoring to effectively secure macOS environments against evolving threats.
Source: 9to5Mac, by Arin Waichulis