Mosyle, a leader in Apple device management and security that shared exclusive details about ModStealer with 9to5Mac last September, has returned with two new macOS threats that have been flying completely under the radar.

According to new details shared again with 9to5Mac, the Mosyle Security Research Team has identified two previously undetected samples: Phoenix Worm, a multi-platform stager, and ShadeStager, a modular macOS implant designed for credential theft. Although these two are not directly related in how they operate, they demonstrate how sophisticated Mac malware has become.

The timing here aligns with what the rest of the industry has seen. As I reported earlier, infostealers and trojans like Atomic Stealer have been the dominant malware story on Mac over the past year; attackers are moving away from noisy attacks toward persistence. Phoenix Worm and ShadeStager do exactly that.

Phoenix Worm, a stealthy stager

Contrary to its name, Phoenix Worm is not a worm but a stager. This Golang-based, multi-platform malware is a lightweight initial payload whose primary job is to ensure persistence and prepare the ground for a second wave of attacks. Instead of dropping the full payload right away, it quietly creates a foothold first, an approach that offers the attacker several advantages.

According to Mosyle, the core functionalities of Phoenix Worm include:

  • Communicating with a remote command and control (C2) server
  • Generating unique identifiers for infected systems
  • Transmitting system data to attackers
  • Supporting remote updates and payload execution

Phoenix Worm, according to Mosyle's statement to 9to5Mac, does not appear to be an independent threat. Its design strongly suggests that it is part of a broader toolkit intended to deliver more advanced payloads later in the attack chain.

At the time of analysis, no antivirus engine detected the macOS or Linux variants, and detection of the Windows variant was limited.

ShadeStager, built for credential theft

ShadeStager is a post-exploitation tool designed to extract high-value data from already compromised systems. While this seems like a perfect match with Phoenix Worm, Mosyle indicates that the two are not connected.

In fact, ShadeStager appears to focus on developer environments and cloud infrastructure. Specifically, it targets:

  • SSH keys and known hosts
  • Cloud credentials from AWS, Azure, and GCP
  • Kubernetes configuration files
  • Git and Docker authentication data
  • Complete browser profiles in major browsers

Additionally, according to Mosyle, ShadeStager conducts extensive reconnaissance on the host, including user and privilege information, operating system and hardware details, network configuration, and environment variables related to cloud and SSH sessions. Both configuration and data export happen over HTTPS, and the implant supports command execution, data export, and file download.

Interestingly, ShadeStager does not contain a hardcoded C2 address, and some parts of the malware's code were visible to Mosyle researchers without any additional reverse engineering work. This strongly suggests that the sample was still under development at the time of discovery.

Summary

Phoenix Worm and ShadeStager are not connected to each other, but they are based on the same attack model. One provides access while the other extracts credentials and cloud tokens, and neither was detected by any antivirus engine at the time of discovery.

This is the direction Mac malware is heading in 2026. Attackers are writing in Go and Rust for multi-platform compatibility, shipping modular payloads that separate initial access from post-exploitation, and configuring C2 infrastructure dynamically so that nothing static matches a signature. The most obvious example is Atomic Stealer, which has become the most popular and concerning malware family. It and its variants have operated this way for some time, and the same approach is now showing up in unrelated samples as well.

Signature-based antivirus is no longer sufficient. Behavioral detection and real-time visibility should be a fundamental requirement for administrators and security teams defending macOS environments today.

Threat Indicators

For Mac administrators who want to add these threats to their security tools, Mosyle has shared the following SHA256 hashes:

  • ShadeStager: 7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156
  • Phoenix Worm: 54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2
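As an added example, not part of Mosyle's or 9to5Mac's material: a small Python sweep that hashes files under a few likely directories and reports any match against the two SHA256 values above. The directory list is an assumption, and hash matching only catches these exact builds, so it complements rather than replaces the behavioral detection the article calls for.

```python
import hashlib
import os
from typing import Dict, Iterable

# The two SHA256 hashes Mosyle shared for the samples discussed above.
KNOWN_IOCS: Dict[str, str] = {
    "7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156": "ShadeStager",
    "54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2": "Phoenix Worm",
}

# Assumed starting points for a sweep on a Mac; adjust to your fleet.
DEFAULT_ROOTS = (
    "/Applications",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
    os.path.expanduser("~/Downloads"),
)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(roots: Iterable[str], iocs: Dict[str, str] = KNOWN_IOCS) -> Dict[str, str]:
    """Walk each root and return {path: family} for regular files whose SHA256 is a known IOC.

    Symlinks are not followed, and unreadable files are skipped instead of aborting the sweep.
    """
    hits: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    digest = sha256_of_file(path)
                except OSError:
                    continue
                if digest in iocs:
                    hits[path] = iocs[digest]
    return hits


if __name__ == "__main__":
    for path, family in scan_for_iocs(DEFAULT_ROOTS).items():
        print(f"MATCH {family}: {path}")
```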

Follow Arin Waichulis: LinkedIn, Threads, X
