Hunt Mode with Nebulock
This series breaks down modern threats by focusing on the one thing attackers cannot hide: behavior. It focuses on the actions, decisions, and required steps that give away real threats. No signatures or hash hunts, just the behaviors that stay the same even when tooling changes. Hunt Mode offers guidance on how you baseline, hunt, and validate activity in your environment. To hunt these behaviors, you need basic visibility into Node.js process activity, parent-child relationships, and command-line execution. EDR process logs, DNS logs, and standard system telemetry are enough to operationalize every behavior in this breakdown.
DigitStealer represents where macOS malware is evolving. It is multi-stage, modular, and built largely from legitimate system tools. As a result, signatures, hashes, and blocklists aren't enough to detect it.
To catch it, you must hunt the behaviors it relies on.
Below is a tactic-by-tactic breakdown of the specific behaviors that matter, based on real investigation patterns. H/t to Jamf Threat Labs for dissecting the malware.
Initial Access & Execution: When Software Arrives the “Wrong Way”
DigitStealer leans heavily on DMG-based delivery and AppleScript or JXA execution chains. On macOS, those are common techniques, but the surrounding context is what exposes them.
What to Observe
- Flag DMGs that do not originate from known enterprise systems. MDM tools follow consistent patterns, but random user-initiated DMG mounts do not.
- Execution chains that do not match normal workflows. These patterns usually signal in memory execution that avoids disk artifacts.Examples include:
curl → bash → osascript- or
curl | osascript
- osascript activity outside expected automation paths. Most osascript activity comes from meeting software, automation utilities, or plugins. Hunters should review anything outside these normal paths.
Why It Stands Out
Attackers need a reliable way to get code running. Process chains and parent relationships are harder to disguise than file names.
Defense Evasion: “Am I Being Watched?” Behavior
DigitStealer checks for signs of research environments before it proceeds.
What to Observe
- sysctl calls probe Apple Silicon hardware features. Queries for
hw.optional.arm.FEAT_BTI or FEAT_SSBS rarely appear in normal activity. - Locale checks using
defaults read NSGlobalDomain AppleLocale. These checks are usually harmless, but are suspicious when tied to unusual process chains. - Broad TCC resets.
tccutil reset All from a standard user is uncommon and highly suspicious. - High-entropy or intentionally obscured command lines. Obfuscation is a strong indicator of evasion.
Why It Stands Out
Typical macOS software does not care if it is running in a VM or analysis environment, but malware does.
Credential Access: Native Tools Used the Wrong Way
DigitStealer steals passwords and secrets by abusing built-in macOS utilities instead of dropping custom tools.
What to Observe
- The
security tool invoked by scripts instead of by browsers or system services. Example:
bash → security find-generic-password
- Browsers’ credential databases accessed outside browser processes.
- Keychain database reads in fast, repeated bursts. This pattern aligns with programmatic enumeration rather than user driven activity.
Why It Stands Out
Keychain access has clear workflow patterns. When the wrong parent process touches it, it quickly becomes visible.
Collection: Gathering Data Before Leaving
Before exfiltration, DigitStealer stages data locally.
What to Observe
- Compression utilities operating on user directories. macOS normally compresses logs, not Documents or Desktop.
- Scripted screen captures. Indicators include:
screencapture launched by bash, python, or osascript- Capture flags such as
-c, -pd, or -R
- Notes database access outside Notes.app. Command line tools almost never access
notes.sqlite in legitimate workflows.
Why It Stands Out
Every infostealer must stage data. You do not need payload visibility to detect this stage, but the ability to recognize deviations from normal user activity.
Persistence: Lightweight, Scriptable, and Network-Aware
DigitStealer persists through user level Launch Agents that fetch updated payloads.
What to Observe
- Launch Agents created by scripting interpreters. Installers and MDM tools usually generate these, not bash, zsh, or Python.
ProgramArguments containing network utilities. curl, dig, nslookup, or osascript inside a Launch Agent is a strong signal.- Persistence installed under
~/Library/LaunchAgents. Attackers prefer user level persistence because it avoids privilege escalation.
Why It Stands Out
Persistence always creates a footprint, and even minimalistic agents produce traces that do not match legitimate software.
Command & Control: DNS as a Signaling Channel
DigitStealer communicates through DNS TXT records and simple HTTP POST endpoints.
What to Observe
- Repeated TXT queries with a consistent rhythm. Few legitimate applications generate frequent TXT lookups.
- Command-line DNS usage from scripting contexts. bash calling dig or nslookup is not a common workflow.
- curl repeatedly sending outbound POST requests from scripts. Development workflows do this too, but the timing and parent processes will clarify intent.
Why It Stands Out
Most macOS services rely on A and AAAA queries. TXT based C2 traffic stands out once you baseline normal DNS behavior.
Exfiltration: Data Leaving the Host the Low-Tech Way
DigitStealer exfiltrates using everyday system utilities like curl, wget, and nc.
What to Observe
- Uploads that occur immediately after compression or staging. The sequence matters more than destination.
curl sending structured payloads from bash or osascript. This action is often paired with file access to browser or wallet directories.- Large outbound POST requests from processes that do not normally communicate externally.
Why It Stands Out
You can detect these events by watching behavior that surrounds each network call.
Impact: Wallet Tampering and Electron Abuse
DigitStealer modifies cryptocurrency wallet applications to redirect or abuse funds.
What to Observe
- Unauthorized writes to Electron app resources. Targets include
app.asar, app.json in:
- Ledger Live
- Electrum
- Exodus
- Multipart file assembly. Multiple
curl downloads appended into one file using >>. - Wallet processes terminated before modification. The malware terminates wallet processes to avoid file locks.
Why It Stands Out
Electron apps do not rewrite their own internal files with shell scripts. When command line tools begin rebuilding an asar archive, something is wrong.
Behavioral Hunts Catch What Malware Can’t Hide
DigitStealer is built to avoid detection, but it still has to:
- execute
- evade
- access credentials
- collect
- persist
- communicate
- exfiltrate
- modify
Each stage leaves a behavioral fingerprint.
If you hunt the behavior instead of the indicator, you detect the attack and not just the sample.
Happy hunting!
