Coldroot, the Mac Malware That Does Silent System-Wide Keylogging


Here comes news about another Mac malware that does secret system-wide keylogging.

Security researchers have found a new Mac malware strain, named Coldroot, which remains undetected by almost all antivirus tools. According to reports, Coldroot is a RAT (Remote Access Trojan) that was shared online on GitHub in 2016 as part of a joke targeting Mac users. It has been freely available on GitHub since 30 March 2016 and is still being actively distributed.

The most notable thing about Coldroot RAT is that it hasn’t yet been noticed by AV firms; it can affect all prominent desktop operating systems and can silently take remote control of any infected computer.

What the experts say…

Patrick Wardle, Chief Research Officer at Digita Security, revealed details about Coldroot in a post on the Digita Security blog. Wardle explains that Coldroot is a “rather ‘feature complete’ and currently undetected” malware that’s being sold on the Dark Web.

A report published by news platform HackRead says: “The details of Coldroot were revealed publicly by a security researcher and Digita Security’s chief research officer Patrick Wardle…Wardle identified that it was a “feature complete, currently undetected” malware and was being sold by its suspected author Coldzer0 on the Dark Web since 1 January 2017. He further revealed that Coldzer0 also offered potential customers information about the methods of malware customization. Furthermore, Coldzer0 posted a video stating that the cross-platform Coldroot RAT can be used for targeting MacOS, Linux, and Windows-based systems.”

An improved version of Coldroot, which has started appearing recently, arrives disguised as an illegitimate Apple audio driver, dupes users into providing their MacOS credentials and then silently performs system-wide keylogging. The HackRead blog says: “The malware’s improved recent version was identified initially in an illegitimate Apple audio driver namely “” It is displayed as a document and asks for admin access and then silently installs and communicates with its C&C server for additional instructions. Once the user clicks on it a pop-up message appears that seems like a regular authentication message. It requests for user’s MacOS credentials. When credentials are provided, Coldroot modifies the TCC.db privacy database allowing malware the required accessibility to perform system-wide keylogging.”

Patrick Wardle says in his blog post: “When the malware receives a command from the server to start a remote desktop session, it spawns a new thread named: ‘REMOTEDESKTOPTHREAD’. This basically sits in a while loop (until the ‘stop remote desktop’ command is issued), taking and ‘streaming’ screen captures of the user’s desktop to the remote attacker…”. He adds: “It should be noted that if no command or tasking is received from the command & control server, the malware will simply continue beaconing…interestingly, sending the name of the user’s active window in each heartbeat.”

How Coldroot behaves in an infected system

The Coldroot malware installs itself on the infected system as a launch daemon, so it launches automatically every time the infected system is turned on. It can capture screenshots, start and end processes, search for and upload files, start remote desktop sessions, shut down the OS remotely, and so on.

The HackRead blog says, “Currently, it is unclear if the recent version of Coldroot is the same that was uploaded around two years back or it is a modified version of that malware. The malware still contains the contact details of its original author, which could be a deliberate attempt to deceive others by someone who picked the malware from Github and modified it with new features.”

The blog mentions Wardle’s findings too: “Wardle stated that the malware may not be able to affect newer operating systems like MacOS High Sierra particularly because the system’s TCC.db is protected through System Integrity Protection (SIP). But he believes that the malware’s active distribution shows that hackers are continually trying to target MacOS and to stay protected users of MacOS must switch to the operating system’s latest version.”
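Because the keylogging described above depends on an accessibility grant written into TCC.db, a defender can audit that grant list directly. The following is an added example, not code from the original post or from Wardle's analysis: it lists clients holding the accessibility service in a TCC database and reports any that are not on an approved list. The `access` table layout (an older `allowed` column, a newer `auth_value` column), the approved list and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# System-wide TCC database on macOS; reading the live file needs elevated rights.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"

# Hypothetical allowlist: clients the administrator knowingly approved.
APPROVED = {"com.example.windowmanager"}


def accessibility_clients(conn):
    """Return (client, client_type) rows that are granted accessibility access."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    # Assumed schema: older releases store the grant in 'allowed' (1 = granted),
    # newer releases in 'auth_value' (2 = allowed).
    if "auth_value" in cols:
        granted = "auth_value = 2"
    elif "allowed" in cols:
        granted = "allowed = 1"
    else:
        raise ValueError("unrecognised TCC 'access' table schema")
    sql = f"SELECT client, client_type FROM access WHERE service = ? AND {granted}"
    return conn.execute(sql, (ACCESSIBILITY,)).fetchall()


def unexpected_clients(conn, approved=APPROVED):
    """Clients with an accessibility grant that nobody approved."""
    return sorted(c for c, _ in accessibility_clients(conn) if c not in approved)


def build_sample_db():
    """Constructed sample rows (older 'allowed' schema); not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, allowed INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (ACCESSIBILITY, "com.example.windowmanager", 0, 1),    # approved tool
        (ACCESSIBILITY, "com.example.unknown-driver", 0, 1),   # unexplained grant
        (ACCESSIBILITY, "com.example.denied-app", 0, 0),       # request was denied
        ("kTCCServiceCamera", "com.example.videochat", 0, 1),  # different service
    ])
    return conn


if __name__ == "__main__":
    # To audit a real machine, open a copy of SYSTEM_TCC_DB with sqlite3.connect().
    for client in unexpected_clients(build_sample_db()):
        print("unexpected accessibility grant:", client)
```

An unexplained entry here is worth correlating with recently added launch daemons, since the article describes both behaviours for the same sample.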

Kevin Jones

Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like and others.

