Google's Threat Analysis Group (TAG) has warned about the exploitation of an undisclosed or zero-day flaw in macOS by cybercriminals. The hackers are targeting visitors to websites in Hong Kong for spying.

What happened?

Google observed that hackers were using a watering hole attack. In this attack, the websites targeted are typically selected by the attackers based on the profile of their visitors. 
  • The targeted websites were related to Hong Kong news media outlets, pro-democracy labor, and political groups. 
  • However, the name of the targeted websites was not disclosed by the researchers.
  • The attacks targeted Mac and iPhone users. Websites used in the attacks included two iframes serving exploits (one for iOS and the other for macOS) from an attacker’s server.

Exploit chains

The watering hole attack consisted of different exploit chains for iOS and Mac, which included the exploitation of several bugs chained together. 
  • The macOS exploit includes a known RCE bug (CVE-2021-1789) in WebKit and a newly discovered 0-day local privilege escalation flaw (CVE-2021-30869) in XNU.
  • After having root access, a payload was downloaded onto infected Macs that ran quietly in the background. 
  • The iOS exploit used a framework based on IronSquirrel. Researchers were not able to trace the complete chain but identified that CVE-2019-8506 was involved.

Additional insights

According to researchers, the design of the malware payload suggested that the attackers are well-resourced, and maybe state-backed, with access to their own software engineering team.
  • The payload used the publish-subscribe model with Data Distribution Service (DDS) framework to communicate with C2.
  • It has various components, some of them seem to be configured as modules.
  • The backdoor has spying features such as device fingerprint and screen captures, the ability to upload and download files, and execute terminal commands. Additionally, it can record audio and log keystrokes. 


Cybercriminals leave no stone unturned when it comes to exploiting a zero-day or unpatched flaw. However, Apple has quickly responded and patched the critical vulnerability. For better protection, organizations should have a robust and automated patching program.

Cyware Publisher