TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Something Phishy in the /tmp Folder

2026-03-18

ATT&CK techniques detected

4 predictions
T1555.003 Credentials from Web Browsers
98%
“their credentials were abused for more malicious activity. what this incident tells us about modern mac threats there are a few big takeaways from this incident: - macos isn’t off the menu for attackers threat actors are increasingly targeting apple users who assume they’re…”
T1555.003 Credentials from Web Browsers
95%
“macos infostealer designed to quietly grab as much valuable data as possible from a single machine. once the user entered their password into the fake “macos protection service” dialog, macsync went to work: - targeting high‑value data - chrome cookies and safari data - appl…”
T1555.003 Credentials from Web Browsers
92%
“something phishy in the /tmp folder think your macs are immune? think again. in a recent attack observed by the huntress ai-centric soc, one employee fell for what looked like an official “macos protection service” prompt. what ensued was an infostealer attack that could’v…”
T1552.001 Credentials In Files
36%
“something phishy in the /tmp folder think your macs are immune? think again. in a recent attack observed by the huntress ai-centric soc, one employee fell for what looked like an official “macos protection service” prompt. what ensued was an infostealer attack that could’v…”

Summary

Huntress’ AI-Centric SOC recently stopped a MacSync infostealer attack on a macOS device. The malware attempted to scrape credentials, browser cookies, and crypto wallets, but Huntress contained the threat before any data was sent to the attacker. Learn how we did it.