Attackers weaponize native macOS tools in enterprise

A report released Tuesday details attackers using Remote Application Scripting and Spotlight metadata to run code and move laterally on corporate Macs; more than 45% of organizations now use macOS.
A security research team published findings on Tuesday, April 21, 2026, showing attackers are reusing built-in macOS features to run code and move laterally across enterprise networks. The report cites macOS use in more than 45% of organizations and broad deployment among developers, DevOps engineers and administrators.
One focus is Remote Application Scripting, which sends Apple Events over the eppc protocol to control applications on another Mac and must be enabled on the target. The team showed how Terminal can serve as an execution proxy: a script is sent Base64-encoded, decoded on the target and launched through Terminal, sidestepping restrictions that block direct shell execution through other automation components. They also used Remote Application Scripting to pull system and storage details from Finder over the network, activity that can slip past monitoring tuned only to traditional shell processes.
To avoid depending on Remote Application Scripting being switched on, the researchers also ran AppleScript directly over SSH, invoking osascript for command execution and user-interface automation. Because these actions travel over inter-process communication rather than through a visible tree of shell processes, they leave fewer of the process-lineage markers that detections commonly key on. The team also validated remote shells that do not rely on SSH at all, using socat and netcat to open interactive sessions that lack the authentication events and log footprint defenders expect from the SSH service.
For payload staging, the report places code in Finder comments, which macOS stores as Spotlight metadata in an extended attribute rather than in the file's contents. Many scanners examine only file data and never look at these metadata fields. On the target, the payload is read back from the metadata and executed, and a user-level LaunchAgent can trigger the chain at login. The report notes one caveat: macOS displays a user-visible prompt when a shell is started this way.
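As an added illustration, not code from the report, the following Python models how a Finder comment is stored and how a metadata-aware check would inspect it. It assumes Finder keeps the comment in the extended attribute com.apple.metadata:kMDItemFinderComment as a binary property list containing the comment string, which Spotlight exposes as kMDItemFinderComment. The sample comment and the harmless script hidden in it are constructed, and the attribute bytes are built in-process so the example runs off a Mac; on a real system the raw bytes would come from `xattr -px com.apple.metadata:kMDItemFinderComment <file>`.

```python
import base64
import binascii
import plistlib
import re

# Extended attribute in which Finder keeps a file's comment (assumed format:
# a binary plist whose root object is the comment string). Spotlight indexes
# it as kMDItemFinderComment, which is why `mdls` and `mdfind` can see it.
FINDER_COMMENT_XATTR = "com.apple.metadata:kMDItemFinderComment"

# Decoded content that suggests a shell payload rather than a user's note.
SCRIPT_MARKERS = (b"#!", b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript", b"| sh", b"|sh")

# Runs of Base64 alphabet long enough to be worth decoding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def encode_finder_comment(text: str) -> bytes:
    """Produce the raw xattr bytes Finder would store for `text` (assumed format)."""
    return plistlib.dumps(text, fmt=plistlib.FMT_BINARY)


def decode_finder_comment(raw: bytes) -> str:
    """Recover the comment string from raw xattr bytes."""
    value = plistlib.loads(raw)
    if not isinstance(value, str):
        raise ValueError("Finder comment plist root is not a string")
    return value


def inspect_comment(raw: bytes) -> dict:
    """Scan a Finder comment for embedded Base64 that decodes to a script.

    A content-only scanner never sees this attribute; this check reads the
    metadata itself, decodes candidate tokens and looks for script markers.
    """
    comment = decode_finder_comment(raw)
    tokens = BASE64_TOKEN.findall(comment)
    decoded_preview = ""
    for token in tokens:
        try:
            blob = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # a long alphanumeric word, not valid Base64
        if any(marker in blob for marker in SCRIPT_MARKERS):
            decoded_preview = blob[:64].decode("utf-8", errors="replace")
            break
    return {
        "xattr": FINDER_COMMENT_XATTR,
        "comment_length": len(comment),
        "base64_tokens": tokens,
        "decoded_preview": decoded_preview,
        "verdict": "suspicious" if decoded_preview else "clean",
    }


def staged_sample() -> bytes:
    """Constructed sample: a harmless script tucked behind an innocuous note."""
    script = b"#!/bin/sh\necho staged > /tmp/marker\n"
    note = "Reviewed by finance " + base64.b64encode(script).decode("ascii")
    return encode_finder_comment(note)


if __name__ == "__main__":
    for label, raw in (("benign", encode_finder_comment("Q3 invoice, approved")),
                       ("staged", staged_sample())):
        print(label, inspect_comment(raw)["verdict"])
```

The decode step uses strict validation so that ordinary long words are dropped instead of producing false positives; only tokens that decode cleanly and contain shell markers are reported.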
Once execution was established, the team moved files with built-in tools and services. SCP and SFTP over SSH worked as expected. The SMB sharing built into macOS let an attacker mount a share programmatically with osascript and copy files as if they were local. Git on developer laptops accepted pushed files after a repository setting change, writing payloads to disk on push. The platform's TFTP components moved files over UDP in both standard and non-privileged modes. SNMP traps carried Base64-encoded chunks that were reassembled on the receiver. The same socat session used for access doubled as a file-transfer channel by feeding file contents into the shell.
On defense, the report recommends shifting from static file scanning to behavior-based monitoring of how processes spawn, communicate and use metadata. Suggested alerts include Apple Events that drive Terminal, frequent access to Finder comments and Spotlight metadata, and Base64 decoding that originates from graphical apps or automation tools. The authors advise governing inter-application control through macOS privacy settings enforced by mobile device management, disabling Remote Application Scripting and Remote Login when they are not required, keeping services such as TFTP and SNMP off, enabling the built-in firewall, and monitoring eppc traffic and unusual SNMP or TFTP activity on internal networks.
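The alerting guidance above, turned into working detection logic as an added example that is not part of the report: a small Python detector run over constructed telemetry records. The flat field names (event.action, process.name, process.ancestors, target.app and so on) are this example's own approximation of an ECS-style schema, the host names, timestamps and command lines are made up, and the 60-second window and burst threshold are illustrative values to tune against real data.

```python
from collections import defaultdict, deque

# Parents that should not normally spawn a Base64 decoder: the GUI apps and
# automation runtimes the report describes acting as execution proxies.
AUTOMATION_PARENTS = {"osascript", "Finder", "Script Editor", "Automator", "Shortcuts"}
# Command-line fragments that indicate a read of Finder-comment metadata.
METADATA_MARKERS = ("kMDItemFinderComment", "com.apple.metadata:", "comment of")
WINDOW_SECONDS = 60      # correlation and burst window (illustrative)
BURST_THRESHOLD = 3      # metadata reads per host per window (illustrative)


def proc(ts, host, name, cmd, ancestors):
    """Build a constructed process-start record in a flat, ECS-like layout."""
    return {"@timestamp": ts, "host": host, "event.action": "process_start",
            "process.name": name, "process.command_line": cmd,
            "process.ancestors": ancestors}


# Constructed telemetry: one host under attack, one host with benign activity.
SAMPLE_EVENTS = [
    # Remote Application Scripting drives Terminal, which decodes and runs a script.
    {"@timestamp": 1000, "host": "mac-dev-07", "event.action": "apple_event",
     "source.process": "osascript", "target.app": "Terminal", "network.transport": "eppc"},
    proc(1001, "mac-dev-07", "base64", "base64 -d", ["launchd", "Terminal", "login", "zsh"]),
    # osascript over SSH decoding a payload with no Terminal in the lineage.
    proc(1002, "mac-dev-07", "base64", "base64 --decode", ["launchd", "sshd", "sh", "osascript", "sh"]),
    # A burst of Finder-comment reads while a payload is staged from metadata.
    proc(1010, "mac-dev-07", "mdls", "mdls -name kMDItemFinderComment /Users/dev/a.pdf", ["launchd", "sh"]),
    proc(1020, "mac-dev-07", "xattr", "xattr -p com.apple.metadata:kMDItemFinderComment /Users/dev/a.pdf", ["launchd", "sh"]),
    proc(1030, "mac-dev-07", "osascript", "osascript -e tell application Finder to get comment of item a.pdf", ["launchd", "sh"]),
    # Benign noise on another host: an admin decoding a certificate in an
    # interactive Terminal and a single Spotlight lookup. Neither should fire.
    proc(2000, "mac-ops-01", "base64", "base64 -d cert.b64", ["launchd", "Terminal", "login", "zsh"]),
    proc(2005, "mac-ops-01", "mdls", "mdls -name kMDItemFinderComment report.docx", ["launchd", "zsh"]),
]


def is_base64_decode(ev):
    """True for a base64 process invoked in decode mode (-d, -D or --decode)."""
    if ev.get("event.action") != "process_start" or ev.get("process.name") != "base64":
        return False
    return any(a in ("-d", "-D", "--decode") for a in ev.get("process.command_line", "").split())


def detect(events):
    """Return (host, timestamp, rule, detail) tuples for the report's three alert classes."""
    alerts = []
    terminal_driven = defaultdict(list)   # host -> times an Apple Event targeted Terminal
    metadata_reads = defaultdict(deque)   # host -> recent Finder-comment read times
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host, ts = ev["host"], ev["@timestamp"]
        # Rule 1: Apple Events driving Terminal (the eppc execution-proxy chain).
        if ev.get("event.action") == "apple_event" and ev.get("target.app") == "Terminal":
            terminal_driven[host].append(ts)
            alerts.append((host, ts, "apple_event_drives_terminal", ev.get("source.process")))
        # Rule 2: Base64 decoding whose lineage is an automation runtime or GUI app,
        # or a Terminal that was itself just driven by an Apple Event (an interactive
        # Terminal decode on its own is treated as admin activity).
        if is_base64_decode(ev):
            anc = set(ev.get("process.ancestors", []))
            if anc & AUTOMATION_PARENTS:
                alerts.append((host, ts, "base64_decode_from_automation", ",".join(sorted(anc & AUTOMATION_PARENTS))))
            elif "Terminal" in anc and any(0 <= ts - t <= WINDOW_SECONDS for t in terminal_driven[host]):
                alerts.append((host, ts, "base64_decode_after_apple_event", "Terminal"))
        # Rule 3: a burst of Finder-comment / Spotlight metadata reads on one host.
        if ev.get("event.action") == "process_start" and any(
                m in ev.get("process.command_line", "") for m in METADATA_MARKERS):
            window = metadata_reads[host]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) == BURST_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append((host, ts, "finder_comment_burst", f"{len(window)} reads in {WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The Terminal rule is deliberately correlated with a preceding Apple Event rather than firing on every Base64 decode under Terminal, since administrators decode in interactive shells all the time; the osascript lineage, by contrast, is flagged on its own because the report describes it as the no-Terminal path over SSH.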
The study notes that macOS attack techniques remain less documented than Windows techniques and that community projects have begun cataloging native macOS binaries that can be repurposed by attackers. The authors set out to map concrete techniques that rely on default tools and to align detection guidance with common telemetry schemas.