
Posts by Stuart Ashenbrenner

showing comparison of source code (left) and output of AppleScript decompiler.


You know how ppl say you can't decompile run-only #AppleScript ... 😜 #macOS #security

5 months ago

One of the coolest new things in Binary Ninja 5.1? Pseudo Objective‑C. Huge shoutout to Mark, who actually wrote this before joining the team (talk about an overkill job application). If you’re digging into iOS, Swift, or kernelcaches, this one’s a game‑changer.

8 months ago
Zooming through BlueNoroff Indicators with Validin | Validin Pivoting through recently-reported indicators to find BlueNoroff-associated domains

Hot on the heels of the research published by @huntress.com, hunting for Zoom-themed lures from DPRK's #BlueNoroff

💥Learn hunting techniques
💥Leverage new Validin features and data
💥Full, unredacted indicator list (domains, IPs, hashes)

www.validin.com/blog/zooming...

10 months ago
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.

excited bc today @huntress.com is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠

we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)!

www.huntress.com/blog/inside-...

10 months ago

Been busy this week digging into a BlueNoroff attack.

10 months ago

Sadly no new ES events for macOS 26. There are a few nice event property updates and additions to the process structure though :)

10 months ago
Say Hello to Mac Malware | Huntress In this month’s Tradecraft Tuesday, we talked about how threat actors are finetuning their macOS malware in order to maintain persistent access and avoid detection by Apple’s security features.

Some good takeaways from @huntress.com’s recent Tradecraft Tuesday ft. Patrick Wardle:
-The impact of Apple bringing TCC events to Endpoint Security
-#Mac malware persistence techniques vs BTM
-Security alert inundation for #macOS users
Catch up here⤵️
www.huntress.com/blog/say-hel...

11 months ago

You asked, we delivered: Binary Ninja 5.0 brings major iOS reversing upgrades! DYLD Shared Cache is now a first-class feature, with up to 18x faster performance and way smarter analysis across the board. binary.ninja/2025/04/23/5...

11 months ago

finally got around to rewriting the copy as yara binja plugin! 🥰

has a few quality of life improvements (new formats) and address wildcarding is fixed for ARM! (sorry bout that mac homies) ❤️

it's also now available in the plugin repository! 🔥

github.com/ald3ns/copy-...

1 year ago
Principal Security Researcher - Linux Remote US

✅Are you well versed in Linux?
✅Do you understand Linux internals and eBPF?
✅ Do you like building out POCs?
✅Do you understand cyber threats and forensic artifacts?

💥Become a Principal Linux Researcher at @huntress.com

Apply here:

👉 job-boards.greenhouse.io/huntress/job...

1 year ago
TCCing is Believing Apple finally adds TCC events to Endpoint Security!

Finally! 🥳 objective-see.org/blog/blog_0x...

1 year ago
ReaderUpdate Reforged | Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants A widespread campaign with binaries written in different source languages, ReaderUpdate presents unique challenges for detection and analysis.

s1.ai/readup
🐚 Adware loaders are always the most complex! Props to @syrion89.bsky.social for helping me pull apart all these different bins and figuring out what they had in common and how to attribute and detect them. 🦾 #adware #malware #macOS #security
@sentinelone.com @sentinellabs.bsky.social

1 year ago
Notes

macOS Malware Knowledge Base: I've been putting together a KB of sorts of macOS malware research. So next time you are writing about some malware family, you can just visit here and see all technical articles written about any particular family. Still a WIP.
notes.crashsecurity.io/notes/b/06C7...

1 year ago

Trying to attribute DPRK cryptoheist activity?

Here’s a quick pocket attribution guide

Remember to practice your DPRK ABC(TT)s

1 year ago
Keynote: AI without the BS, for humans - Scott Hanselman - NDC London 2025 YouTube video by NDC Conferences

Brilliant talk from @scott.hanselman.com on the realities on LLMs. The temperature demo is such a good way to explain the "magic" behind text generation. www.youtube.com/watch?v=kYUi...

1 year ago
Lazarus Group Bybit Heist: C2 forensics | Validin An in-depth hunt for Lazarus APT group infrastructure related to the Bybit hack using Validin's host response and DNS databases.

Found these likely #Lazarus / #TraderTraitor domains w/ #Validin
getcoinprice[.]info
stocksindex[.]org
wfinance[.]org
stockinfo[.]io

Read my how-to on leveraging Validin's exceptional visibility, history, and pivoting features for C2 infrastructure forensics:
www.validin.com/blog/bybit_h...

1 year ago

For all my math peeps out there: 2025 is a pretty amazing mathematical arrangement.

1. 2025 is a perfect square (45×45=2025)

2. 2025 is the sum of digits of cubes from 1 to 9 (1³ + 2³ + 3³ + ... + 9³ = 2025)

3. 2025 is the first square year after 1936

(Cont…)

1 year ago

Entering EOY PTO in the throes of a sleep regression is like taking a gulp of water after a run and realizing it’s tonic.

1 year ago
#OBTS v7.0: "Stealer Crossing: New Horizons" - Alden Schmidt & Stuart Ashenbrenner YouTube video by Objective-See Foundation

Our talk from @objective-see.bsky.social is now available online. Check out @re.wtf and I yap about macOS infostealers.
www.youtube.com/watch?v=Hv6A...

1 year ago

📣I’m happy to announce that I’m planning to write a brand new “macOS Vulnerability Research” training. 🥳

Considering the amount of work the writing requires it will be available late 2025 or early 2026. It will be Live class only, and likely only once or twice a year.

1 year ago

I'm having #OBTS FOMO, so I decided to go ahead and make my own Apple security starter pack! I'm definitely missing folks on here, so feel free to DM me about anyone else who should be added! 🍎

go.bsky.app/gE3xQq

1 year ago

#OBTS has wrapped. Next year has so much on deck 👀
- TAOMM v2 book @patrickwardle
- MacOS Threat Hunting book @jbradley89
- MacOS Vuln Training @theevilbit.bsky.social
- OFTW v3 @objective_see
- WeTalks v1 @x71n3
- OBTS v8 in Ibiza
Awesome stuff coming from the macOS security space 🙌

1 year ago

Shout-out to the incredible Huntress crew for the special T-shirt 🏝️ and a killer #OBTS presentation by @stuartjash.bsky.social and @re.wtf!

1 year ago

Catch @greg-l.bsky.social and I talking about Mach-O binary similarity methods, YARA-X, and all the cool APT malware we pulled apart at #OBTS v7 today at 11:50am HST 🌺

1 year ago

Yesterday I got to present with the 🐐 @re.wtf. Such a blast talking thru infostealers and the telenovela that they’ve become. #OBTS really is the best, chillest conference out there. Excited for a second day of talks 🤓🍎

1 year ago
Humble Tech Book Bundle: Hacking 2024 by No Starch Level up your hacking and skills with this tech bundle from No Starch. Learn to protect yourself and others! Pay what you want & support charity!

Good lineup of books! www.humblebundle.com/books/hackin...

1 year ago

@re.wtf 🐐 @stuartjash.bsky.social 🐐

1 year ago

Extremely excited to be giving a talk titled "Mac, Where's My Bootstrap" tomorrow at #OBTS with @theevilbit.bsky.social! Join us live on YouTube or in-person at 2:40pm HST / 7:40pm EST. We'll be dropping a tool you can walk away with :)

1 year ago
Careers at SentinelOne Take a look at the open positions at SentinelOne. We're dedicated to defending enterprises across endpoints, containers, cloud workloads, and IoT devices in a single cybersecurity platform.

@sentinelone.com is hiring - #macOS detection engineer.

www.sentinelone.com/jobs/?gh_jid...

1 year ago