Hackers Abuse EV Certificates to Sign Completely Undetectable DMG Malware

Security researchers have uncovered a new macOS malware campaign in which threat actors are abusing Extended Validation (EV) code-signing certificates to distribute completely undetectable (FUD) disk image (DMG) payloads.

While EV certificate abuse has long plagued the Windows ecosystem, its expansion into macOS malware marks a significant escalation in code-signing exploitation.

A fresh DMG sample (SHA-256: a031ba8111ded0c11acfede9ab83b4be8274584da71bcc88ff72e2d51957dd7) was identified signed by a new Developer ID: THOMAS BOULAY DUVAL (J97GLQ5KW9).

EV certificates require rigorous identity verification and substantial financial investment by legitimate developers. On Apple’s platform, EV certificates are granted sparingly and at high cost, and they represent the gold standard for code-signing trust.

However, adversaries have obtained these certificates—whether by theft, purchase through illicit channels, or abuse of compromised identity documents—to sign their malware. Once signed, DMG payloads appear legitimate to macOS security checks and are readily installed by users.

The campaign operators append fragments of the signer’s name to the bundle identifier in a crude attempt to feign legitimacy—balaban.sudoku mimics “Alina Balaban,” and thomas.parfums echoes “Thomas Boulay Duval.” Despite this ploy, deeper inspection easily reveals malicious behavior.

Uncovering the Malicious Launcher

Analysis of the Mach-O executable within the DMG reveals multiple references to the French word “parfums” embedded in string tables.

The embedded AppleScript is fetched at runtime from a remote URL (franceparfumes[.]org/parfume), similar to techniques described by @osint_barbie in a recent Twitter thread.

Once executed, the AppleScript drops and runs a second-stage payload identified as Odyssey Stealer, a credential-harvesting trojan previously seen in Windows deployments.

The script invokes system APIs via Swift’s dataTaskWithURL:completionHandler: method to download the stealer binary and execute it under the signed container without raising alerts.

Operational Impact and IOCs

The threat actors’ misuse of EV certificates undermines Apple’s code-signing trust model. As soon as such certificates are reported and added to the revocation list, subsequent malware campaigns will fail to launch on updated systems.

However, the window of opportunity for undetected deployment can last days or weeks—enough time to compromise numerous victims.

Indicators of Compromise:

  • SHA-256: a031ba8111ded0c11acfede9ab83b4be8274584da71bcc88ff72e2d51957dd7
  • Domain: franceparfumes[.]org/parfume
  • IP address: 185.93.89.62

Security teams can monitor EV certificates abused by Odyssey Stealer via CertCentral’s public lookup at certcentral.org/lookup?detail_type=malware&query=Odyssey+Stealer, maintained by @SquiblydooBlog.

The use of EV certificates to sign macOS malware represents a troubling shift in code-signing exploitation.

Organizations and end users must remain vigilant—verifying certificate legitimacy beyond Gatekeeper prompts and leveraging threat-intelligence feeds to block malicious domains and revoked certificates.

Prompt reporting and revocation of abused EV certificates are critical to disrupting these campaigns and safeguarding macOS environments from similarly signed threats.
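Two points above translate directly into a triage check a security team can run on a suspicious app: the Team ID in the signature can be compared against a blocklist of Developer IDs seen signing malware (the report names J97GLQ5KW9), and the bundle identifier can be checked for the signer-name fragments the campaign operators used to feign legitimacy. The script below is an added example for illustration, not code from the original report or from the researchers it cites. It parses the output of Apple's `codesign -dvvv` command (the sample output embedded here is constructed to resemble the real format, not captured from the actual sample; the benign signer name and its placeholder Team ID ZZZZZZZZZZ are invented) and returns a list of findings.

```python
"""Triage a Developer ID signature from `codesign -dvvv` output.

Added example, not code from the original report. The blocklist entry
J97GLQ5KW9 is the Developer ID named in the article; the two codesign
transcripts below are constructed to resemble real `codesign -dvvv` output.
"""
import re
from dataclasses import dataclass, field

# Team IDs reported as signing malicious DMGs (from the article).
BLOCKED_TEAM_IDS = {"J97GLQ5KW9"}

# Constructed output modelled on `codesign -dvvv Parfums.app 2>&1`.
# The bundle identifier is built from the "thomas.parfums" fragment in the article.
SUSPICIOUS_CODESIGN_OUTPUT = """\
Executable=/Volumes/Parfums/Parfums.app/Contents/MacOS/Parfums
Identifier=com.thomas.parfums
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: THOMAS BOULAY DUVAL (J97GLQ5KW9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=J97GLQ5KW9
"""

# Constructed benign case: invented vendor name and placeholder Team ID.
BENIGN_CODESIGN_OUTPUT = """\
Executable=/Applications/Editor.app/Contents/MacOS/Editor
Identifier=com.exsoft.editor
Authority=Developer ID Application: Example Software Ltd (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ
"""

# Real codesign prints the leaf authority as "Developer ID Application: <Name> (<TeamID>)".
AUTHORITY_RE = re.compile(
    r"^Authority=Developer ID Application: (?P<name>.+) \((?P<team>[A-Z0-9]{10})\)$"
)


@dataclass
class SignatureInfo:
    identifier: str = ""
    signer_name: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)


def parse_codesign(text: str) -> SignatureInfo:
    """Extract bundle identifier, signer name, Team ID and the certificate chain."""
    info = SignatureInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Identifier="):
            info.identifier = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info.team_id = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info.authorities.append(line.split("=", 1)[1])
            m = AUTHORITY_RE.match(line)
            if m:
                info.signer_name = m.group("name")
                # Fall back to the leaf certificate's Team ID if no TeamIdentifier line is present.
                info.team_id = info.team_id or m.group("team")
    return info


def name_fragments(name: str, min_len: int = 4) -> set:
    """Lower-case words of the signer's name that are long enough to be distinctive."""
    return {w.lower() for w in re.split(r"[\s\-]+", name) if len(w) >= min_len}


def assess(info: SignatureInfo, blocklist: set) -> list:
    """Return triage findings; an empty list means nothing stood out."""
    findings = []
    if info.team_id in blocklist:
        findings.append("team_id_blocked")
    if not any(a.startswith("Developer ID Application:") for a in info.authorities):
        findings.append("not_developer_id_signed")
    # Low-confidence signal: a fragment of the signer's name reused as a bundle-identifier component.
    ident_parts = set(info.identifier.lower().split("."))
    if info.signer_name and ident_parts & name_fragments(info.signer_name):
        findings.append("signer_name_in_identifier")
    return findings


def triage(codesign_output: str, blocklist=BLOCKED_TEAM_IDS) -> list:
    return assess(parse_codesign(codesign_output), blocklist)


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_CODESIGN_OUTPUT), ("benign", BENIGN_CODESIGN_OUTPUT)):
        print(label, triage(text))
```

On a real machine the input would come from `codesign -dvvv /path/to/App.app 2>&1` (the details go to stderr), with `spctl --assess --type execute` giving Gatekeeper's own verdict alongside. The Team ID match is the strong signal; the name-in-identifier check is deliberately reported as a separate, weaker finding because legitimate developers also put their names in bundle identifiers, so it should prompt a closer look rather than a block on its own.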
