Researchers disclosed a previously unknown macOS malware variant, identified as GIMMICK, aimed at Asian companies. The variant seems to be a custom malware used by a Chinese espionage threat actor, Storm Cloud.

What has happened?

GIMMICK was uncovered by researchers from Volexity during the analysis of a cyber espionage campaign in late-2021.
  • It was obtained from the RAM during the forensic analysis of a MacBook Pro with macOS 11.6. 
  • The malware was used in targeted attacks by Storm Cloud, which is known for targeting Asian organizations.
  • It was configured to communicate with a Google Drive-based C2 server, that too on working days, to blend with the network traffic.

More about GIMMICK 

GIMMICK is a multi-platform tool written in Objective C (macOS) or Delphi and DotNET (Windows).  
  • All variants of the tool use the same C2 architecture, behavioral patterns, file paths, and mostly abuse Google Drive services. Thus, it is tracked as one tool even after having code differences.
  • Moreover, there is the possibility that Storm Cloud bought this malware from a third-party developer.

Operational details

The tool is launched directly by the user or daemon on the system that installs itself as a binary file PLIST. Oftentimes, it mimics a heavily used application on the target machine.
  • Subsequently, the custom tool starts its operations by performing various data decoding steps and finally makes a session with Google Drive with the use of hard-coded OAuth2 credentials.
  • After starting operations, the tool loads three malware components (DriveManager, FileManager, and GCDTimerManager) with the first component used to perform different actions.


The samples of the GIMMICK malware are large and complex, which suggests the threat actor behind it seems to be well resourced. The malware is advanced and has the potential to become a dangerous threat in the future. Thus, Apple rolled out new protections to all supported macOS versions with new signatures for XProtect and MRT. Furthermore, use network traffic monitoring tools and EDR to spot the launch of daemons.
Cyware Publisher