A recent investigation by security researchers has uncovered a complex suite of macOS binaries, dubbed “PasivRobber,” that demonstrates advanced surveillance capabilities and a deep understanding of Apple’s operating system internals.
The suite, first identified on VirusTotal as a suspicious Mach-O file named wsus, comprises over 20 related binaries and dynamic libraries (dylibs) designed to covertly capture data from popular Chinese applications such as WeChat and QQ, as well as web browsers, email clients, and more.
Technical Analysis and Attribution
The initial discovery of the wsus binary led to the identification of a broader package, which included binaries with deceptive names mimicking legitimate Apple processes, most notably a binary named goed, a misspelling of Apple's geod daemon.
The suite employs obfuscation tactics, such as using .gz extensions for plugin dylibs instead of the standard .dylib, and hiding its installer from standard software lists.
Open source intelligence (OSINT) linked the developer identifiers and build paths to Chinese entities, including “Xiamen Huanya Zhongzhi Technology Partnership Enterprise” and “Meiya Pico,” both of which have documented ties to the Chinese military-industrial complex and surveillance technology sector.
The software's focus on applications popular in China further supports the hypothesis of a Chinese origin and target user base [1].
Installation and Persistence
The installation process begins with a signed package (pkg) containing a pre-install script that checks for and removes any existing persistence mechanisms before proceeding.
The post-install script verifies the macOS version (targeting systems below 14.4.1) and installs the main payload, which includes architecture-specific binaries placed in /Library/protect/wsus/bin.
Persistence is established by loading a custom LaunchDaemon with the following configuration:

```json
{
  "KeepAlive": 1,
  "Label": "goed",
  "ProgramArguments": ["/Library/protect/wsus/bin/goed"],
  "RunAtLoad": 1
}
```
Core Components and Capabilities
1. goed and wsus Binaries: The goed binary, launched at system startup, initializes the CManager class and spawns the wsus binary. wsus manages remote actions, including updates via FTP, uninstalls through RPC messages, and configuration management using encrypted .ini files (protected with TEA encryption). It leverages the Boost library for threading and uses JSON and Protobuf for RPC-based communication [1].
2. Data Collection and Exfiltration: The suite targets sensitive data from instant messaging applications by injecting custom dylibs (e.g., libIMKeyTool.dylib) into QQ, WeChat, and WeCom. These dylibs use Frida-based hooks to extract message content and authentication keys. The suite also includes specialized "Robber" dylibs (libWXRobber.dylib, libNTQQRobber.dylib, libQQRobber.dylib) for further data theft from application-specific files [1].
3. Network Communications: FTP is used for downloading updates, while RPC facilitates command and control operations. The suite can execute a range of RPC commands, such as retrieving system information, uninstalling itself, and capturing screenshots using the Core Graphics framework.
4. Plugins and Extensibility: Within /Library/protect/wsus/bin_arm/plugins/, 28 plugins (named zero_*.gz) act as dynamic libraries targeting various system and application files, parsing data from plists, SQLite databases, and more. Each plugin implements a _GetPluginName() function for identification and stores collected data in SQLite tables [1].
5. Advanced Injection and Persistence: The center binary acts as an on-device agent, collecting system information, monitoring user activity, and maintaining communication with remote servers. It uses the apse binary (based on open-source insert_dylib code) to inject dylibs into target applications, re-signing them post-injection to maintain integrity. The suite also monitors power state changes to trigger injection routines upon system sleep events [1].
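The two host-level indicators described above (a LaunchDaemon labelled goed pointing into /Library/protect, and plugin dylibs disguised with a .gz extension) can both be checked offline. The following is an added example written for this page, not code from the researchers' report or from the malware itself; it checks a LaunchDaemon plist for the described persistence traits and tests whether a ".gz" file actually begins with a Mach-O header instead of a gzip header. The sample plist mirrors the configuration quoted above; the benign plist and the file headers are constructed.

```python
import plistlib

# Indicators taken from the PasivRobber write-up above.
SUSPECT_LABELS = {"goed"}             # typo-squat of Apple's geod daemon
SUSPECT_PREFIX = "/Library/protect/"  # install directory used by the suite

# Mach-O and fat-binary magic numbers (both byte orders); gzip starts with 1F 8B.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

def launchdaemon_findings(plist_bytes):
    """Return reasons a LaunchDaemon plist matches the persistence described above."""
    d = plistlib.loads(plist_bytes)
    findings = []
    label = d.get("Label", "")
    if label in SUSPECT_LABELS:
        findings.append(f"label {label!r} mimics an Apple daemon name")
    args = d.get("ProgramArguments") or []
    if any(str(a).startswith(SUSPECT_PREFIX) for a in args):
        findings.append(f"program lives under {SUSPECT_PREFIX}")
    if findings and d.get("KeepAlive") and d.get("RunAtLoad"):
        findings.append("KeepAlive + RunAtLoad keep it resident across reboots")
    return findings

def gz_is_really_macho(data):
    """True if a file named *.gz actually starts with a Mach-O header, not gzip."""
    return data[:4] in MACHO_MAGICS

# Constructed samples: the LaunchDaemon quoted in the article and a benign one.
SAMPLE_PLIST = plistlib.dumps({
    "KeepAlive": 1, "Label": "goed",
    "ProgramArguments": ["/Library/protect/wsus/bin/goed"], "RunAtLoad": 1,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"],
    "RunAtLoad": 1,
})
# Constructed file headers: a 64-bit little-endian Mach-O and a real gzip stream.
FAKE_GZ_PLUGIN = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
REAL_GZ = b"\x1f\x8b\x08\x00" + b"\x00" * 28

if __name__ == "__main__":
    for reason in launchdaemon_findings(SAMPLE_PLIST):
        print("LaunchDaemon:", reason)
    print("zero_x.gz is Mach-O:", gz_is_really_macho(FAKE_GZ_PLUGIN))
```

On a real host the same functions would be fed the contents of each file under /Library/LaunchDaemons and of any .gz found under the plugins directory named above.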
Uninstall and Cleanup
A dedicated uninstall routine (CInstallProgress::Uninstall()) removes all traces of the suite, including LaunchDaemons and the /Library/protect directory, and terminates associated processes, demonstrating a focus on stealth and evasion.
PasivRobber represents a highly sophisticated surveillance toolkit, likely developed for targeted espionage against Chinese macOS users.
Its technical complexity, use of advanced injection techniques, encrypted configuration, and modular plugin architecture highlight the evolving threat landscape on macOS.
While attribution to Meiya Pico and related entities is not definitive, the evidence points strongly toward a Chinese state-linked origin.
Researchers continue to analyze the suite for additional artifacts and capabilities.