In this blog, Jamf Threat Labs showcases how malicious actors deceive users. By mimicking authentic Apple pop-up messages in the native iOS style, a false sense of security is created, prompting users to instinctively input their credentials.

Jamf Threat Labs dissects ongoing infostealer attacks targeting macOS users. Each with different means of compromising the victim’s Macs but with similar aims: to steal sensitive user data.

In this blog, Jamf Threat Labs researchers analyze malware they discovered in pirated macOS applications. These apps, appearing similar to ZuRu malware, download and execute multiple payloads to compromise machines in the background.

In this blog, Jamf Threat Labs explains how bad actors could create a false sense of security with Lockdown Mode by post-exploit tampering.

Jamf Threat Labs discovered a new later-stage malware variant from BlueNoroff that shares characteristics with their RustBucket campaign. Read this blog to learn more about this malware and view the indicators of compromise.

Comprehensive endpoint protection provides modern threat landscape protection to your entire fleet of Apple computers and mobile devices, including Windows and Android endpoints. By protecting against new and evolving threats through effective and efficient defense-in-depth strategies, Jamf endpoint security solutions are not only best-of-breed, but their powerful and flexible workflows help organizations like yours to succeed with Apple and mobile devices at work, without compromising data security, user privacy or end-user productivity.

The Jamf Threat Labs team recently drew attention in the tech media for uncovering a sly piece of malware that was proliferating unnoticed in the wild. As Jamf Threat Labs pursued its trail, they discovered intriguing insights and went down some fascinating rabbit holes. This fascinating JNUC 2023 presentation walked attendees through a recent Mac malware campaign investigation from start to finish.

Jamf Threat Labs developed a post-exploit persistence technique on iOS 16 that falsely shows a functional Airplane Mode. In reality, after successful device exploit the attacker plants an artifical Airplane Mode that edits the UI to display Airplane Mode icons and cuts internet connection to all apps except the attacker application. This enables the attacker to maintain access to the device even when the user believes it is offline. This technique has not yet been observed in the wild and is only possible on an already exploited or jailbroken device.

Jamf After Dark co-hosts Kat Garbis and Sean Rabbitt welcomed special guest Aaron Webb, Senior Product Marketing Manager in security at Jamf for this special segment focusing on WWDC. They uncovered the benefits of same-day support, highlighted features, outlined how Jamf will support these features and discussed which markets stand to benefit most from these developments.

Threat actors targeted a cryptocurrency exchange in Japan, installing back doors and deploying spyware. Read more about the method of attack and Jamf's defense of the threat.

Learn about the discovery of a novel threat vector on iPhone that allows attackers to circumvent security mitigations by exploiting under-protected co-processors, leveraging access to further compromise the iOS kernel.

Learn about the macOS malware variant discovered by Jamf Threat Labs named 'RustBucket'. What it does, how it works to compromise macOS devices, where it comes from and what administrators can do to protect their Apple fleet.

In this blog, Jamf Threat Labs analyzes CVE-2023-28206, iOS 16.4.1 patches and CitizenLab’s findings on QuaDream’s exploits.

Jamf Threat Labs examines two sophisticated spyware attacks and provides recommendations for organizations to defend users from increasingly complex threats.

Newly discovered supply-chain attack affecting 3CX softphone app used by millions of users globally. In this blog, the Jamf Threat Labs discusses how the app was compromised, what it does and how to go about detecting it on your network.

MacStealer has been discovered and linked to a threat actor distributing it in the wild. The malicious code extracts a variety of files, browser cookies, and login information from a victim's system. Also, it collects end-user privacy and sensitive data, like credit card information from popular web browsers. Learn more about this new macOS malware variant and how Jamf Protect safeguards your devices, users and data from this emerging threat.

Over the past few months Jamf Threat Labs has been following a family of malware that resurfaced and has been operating undetected, despite an earlier iteration being a known quantity to the security community. In this article, we’ll examine this malware and the glimpse it offers into the ongoing arms race between malware authors and security researchers as well as highlight the need for enhanced security on Apple devices to ensure their safe and effective use in production environments.

Jamf Threat Labs investigated a WebKit vulnerability that was exploited in the wild. Attackers can exploit CVE-2022-42856 to control code execution within WebKit, giving them the ability to read/write files. This blog explores what the vulnerability looked like in the code and the patches Apple applied.

Your investigation into a security incident is only as good as the forensic data you collect. If that’s off, the entire incident response process will be a waste of time since it may not paint a complete picture of what happened and where. Enter Aftermath, the lightweight tool that knows where to look, helping you gather as much relevant data from the endpoint as quickly as possible to neutralize threats.

Jamf Threat Labs recently discovered a new macOS vulnerability in Archive Utility that could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive. We reported our findings to Apple on May 31, 2022, and in macOS Monterey 12.5. Apple patched the vulnerability on July 20, 2022, assigning it CVE-2022-32910.

During a digital forensices investigation, we found a cheap burner device that purported to be an Android 10 was actually and old Android 6. In this blog, we present how attackers can ‘fake’ the shutdown screen on iOS to achieve persistence.

CloudMensis is a new macOS spyware discovered by ESET. Researchers noted that this malware’s primary goal is to exfiltrate data, such as documents, keystrokes, screen captures, emails and other potentially sensitive data.

The Jamf Threat Labs team recently updated the threat prevention rules in Jamf Protect to prevent the browser hijacking campaign that inject ads into Chrome and Safari browsers on macOS. Red Canary also published similar findings on the adware.

Attackers have gotten very good at knowing how to reach you. Sometimes they know your phone number, your email, your place of work, and your colleagues’ names and that would be enough to reach you with a compelling phishing campaign.

But now, thanks to the wafts of personal data changing hands online, attackers also know your interests. Just like brands using your behavior, interests, likes, dislikes and purchase history to target ads to you, attackers are using that information to craft attacks that might be more alluring. This means users are more likely to stumble upon online risks, especially when it comes to attacks distributed on social media where we are very accustomed to having a personalized experience.

SentinelOne researchers recently investigated a supply chain attack leveraging a malicious crate named ‘rustdecimal’ in the crates.io Rust community crate repository.

Sonatype researchers recently identified a supply chain attack leveraging a malicious Python package ‘PyMafka’ in the PyPI registry.

The Jamf Threat Labs team has recently identified changes to the UpdateAgent malware dropper. These changes primarily focus on new executables written in Swift that reach out to a registration server to pull down a new set of instructions in the form of a bash script. Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server. The continued development of this malware shows that its authors continue to remain active, trying to reach as many users as possible.

Jamf protects against the most recent findings on Lazerous Group malware targeting macOS. CISA recently posted findings on a handful of malicious applications they refer to as TraderTraitor and many vendors detect as NukeSped malware.

Trend Micro researchers recently documented a new piece of malware by an APT threat actor named Earth Berberokawhich targets gambling websites.

Meet the team of experienced threat researchers, cybersecurity experts and data scientists focus on delivering the best, most secure experience to Jamf customers. And how the work of the Jamf Threat Labs helps organizations and users alike succeed with Apple, safely and securely.

Jamf Threat Labs researchers investigated an Android app (that has since been removed from Google Play on March 22) that was capable of stealing Facebook login credentials (username and password) from users. The app is called Craftsart Cartoon Tools and it was also reported by researchers at Pradeo.

A new vulnerability has been discovered within the Java Spring Framework which may allow for remote execution on a server. Jamf Threat Labs provides a primer on the Java-based vulnerability which has been assigned CVE-2022-22965 and given the nickname “Spring4Shell”.

Volexity researchers recently documented a new piece of malware, by a threat actor named Storm Cloud, that threatens to not only spy on Mac but use command & control (C2) protocols to manipulate your endpoints while operating from commercial, cloud-based services.

The Jamf Threat Labs recently discovered a new macOS vulnerability in the Safari browser that could lead to the execution of an unsigned and un-notarized application, without displaying security prompts to the user, by using a specially crafted zip file. We reported our findings to Apple and in the latest macOS release (12.3), Apple patched the vulnerability (CVE-2022-22616).

As the war between Russia and Ukraine continues, cybersecurity researchers identify the malicious threats that are occurring as cyber warfare unfolds. Virtually unseen by most, but affecting many, as malware variants, phishing campaigns, advanced persistent threats (APTs) and command & control (C2) attacks are unleashed, threatening to compromise the security of users on both sides.

Jamf Threat Labs updates Jamf Threat Defense, preventing NimbaMamba from threatening your Windows devices.

Jamf Threat Labs updates Jamf Protect to completely prevent UpdateAgent/WizardUpdate from threatening the security of your macOS fleet.

Jamf Threat Labs updates Jamf Protect to completely prevent DazzleSpy from threatening the security of your macOS fleet.

Jamf Threat Labs updates Jamf Protect to completely prevent SysJoker from threatening the security of your macOS fleet.

This blog explores "Noreboot" malware and how it persists on iPhones that appear to be off.

In this blog, we’ll demonstrate how mobile threat actors bypass the recently added camera & microphone green/orange indicators.

This post explores two common cases where crashes occur during the toggling of the voice control switch and provides a proof-of-concept demonstration of a race condition that can cause memory corruption and code execution.

A 0-click vulnerability that was identified by Jamf Threat Labs is reproduced, alongside a breakdown of how it works and why it is critical to protect your iOS-based mobile fleet from CVE-2021-30860.

Jamf Threat Labs team investigates the 0-click vulnerability affecting Wi-Fi that permits remote code execution (RCE) if exploited, triggering a Denial of Service (DoS) attack, among others. In this blog, the researchers identify what makes the vulnerability possible, how it works and deep dive into the technical details, as well as how to fix the issue to keep your iOS-based fleet protected.