
Mosyle, the popular Apple device management and security company, has exclusively shared with 9to5Mac the details of a previously unknown macOS malware campaign. Cryptocurrency miners on macOS aren’t new, but this discovery appears to be the first Mac malware sample actually found to contain code produced by a generative AI model, officially confirming what was inevitable.
Mosyle’s security research team states that at the time of discovery, this threat was not detected by any of the major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums showing how large language models were being used to create malware targeting macOS.
The campaign, which Mosyle calls SimpleStealth, is being spread through a convincing fake website masquerading as Grok, a popular AI app. Attackers use lookalike domains to trick users into downloading a malicious macOS installer. Once launched, victims are presented with what appears to be a fully functional Grok app that looks and behaves like the real thing. This is a common technique used to keep applications front and center while malicious activity runs silently in the background, allowing malware to operate unnoticed for long periods of time.
According to Mosyle, SimpleStealth is designed to bypass macOS security safeguards on first run. The app prompts the user to enter the system password under the guise of completing a simple setup task. This allows the malware to remove Apple’s quarantine protection and prepare its actual payload. From the user’s perspective, everything looks fine as the app continues to display familiar AI-related content just like the actual Grok app.
But behind the scenes, the malware deploys a stealthy cryptocurrency miner for Monero (XMR), a coin whose website boasts of “faster payments” and of being “secure and untraceable.” To remain invisible, mining only starts when the Mac has been idle for at least a minute and stops as soon as the user moves the mouse or types. The miner also disguises itself by imitating common system processes, including kernel_task and launchd. This makes it much more difficult for users to spot abnormal behavior.
In the evidence seen by 9to5Mac, the use of AI is apparent throughout the malware’s code, which features unusually long comments, a mix of English and Brazilian Portuguese, and the repetitive logic patterns characteristic of AI-generated scripts.
Overall, this situation is alarming for several reasons. The main one is that AI is lowering the barrier to entry for attackers faster than “malware-as-a-service” ever did. Virtually anyone with internet access can create samples like SimpleStealth, greatly accelerating the pace at which new threats are created and deployed.
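The process-name disguise described above is easy to check for from the defender’s side, because the genuine kernel_task has no on-disk executable and the genuine launchd is always /sbin/launchd running as root with PID 1. The following is an added example, not code from the article or from Mosyle: it parses the output of `ps -axo pid=,user=,comm=` (the field layout is an assumption of this example) and flags any process that borrows one of those names but runs from elsewhere. The process listing below is constructed for illustration.

```python
from dataclasses import dataclass

# Where the genuine daemons live on macOS. kernel_task is an in-kernel task with no
# user-space binary; launchd is /sbin/launchd and is always PID 1, owned by root.
EXPECTED_PATH = {
    "kernel_task": None,
    "launchd": "/sbin/launchd",
}

# Constructed sample in the assumed `ps -axo pid=,user=,comm=` layout: two real
# daemons, a normal user app, and two impostors living under a hidden user folder.
SAMPLE_PS = """\
    0 root   kernel_task
    1 root   /sbin/launchd
  412 alice  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 7781 alice  /Users/alice/Library/Application Support/.grok/kernel_task
 7782 alice  /Users/alice/Library/Application Support/.grok/launchd
"""

@dataclass
class Finding:
    pid: int
    user: str
    comm: str
    reason: str

def parse_ps(text):
    """Turn `ps` lines into (pid, user, comm) tuples; comm may contain spaces."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, user, comm = line.split(None, 2)
        rows.append((int(pid), user, comm))
    return rows

def find_impostors(rows):
    """Flag processes named like kernel_task/launchd that cannot be the real ones."""
    findings = []
    for pid, user, comm in rows:
        name = comm.rsplit("/", 1)[-1]
        if name not in EXPECTED_PATH:
            continue
        if EXPECTED_PATH[name] is None:
            # A kernel_task with an on-disk path or a non-root owner is not the kernel.
            if "/" in comm or user != "root":
                findings.append(Finding(pid, user, comm, "kernel_task impersonation"))
        elif comm != EXPECTED_PATH[name] or user != "root" or pid != 1:
            findings.append(Finding(pid, user, comm, "launchd impersonation"))
    return findings

if __name__ == "__main__":
    for f in find_impostors(parse_ps(SAMPLE_PS)):
        print(f"PID {f.pid} ({f.user}): {f.comm} -> {f.reason}")
```

On a live Mac the same function can be fed `subprocess.check_output(["ps", "-axo", "pid=,user=,comm="], text=True)`; a hit is worth correlating with the idle-only CPU usage the article describes.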
The best way to stay safe is to never download anything from third-party sites. Always get apps directly from the Mac App Store or from trusted developer websites.
Indicators of compromise
Below are the Indicators of Compromise (IoCs) for the SimpleStealth samples, to improve detection in your own research or organization. Be careful when accessing the observed domain.
Malware family: SimpleStealth
Distribution name: Grok.dmg
Target platforms: macOS
Observed domain: xaillc(.)com
Wallet address: 4AcczC58XW7BvJoDq8NCG1esaMJMWjA1S2eAcg1moJvmPWhU1PQ6ZYWbPk3iMsZSqigqVNQ3cWR8MQ43xwfV2gwFA6GofS3
SHA-256 hash:
- 553ee94cf9a0acbe806580baaeaf9dea3be18365aa03775d1e263484a03f7b3e (Grok.dmg)
- e379ee007fc77296c9ad75769fd01ca77b1a5026b82400dbe7bfc8469b42d9c5 (Grok wrapper)
- 2adac881218faa21638b9d5ccc05e41c0c8f2635149c90a0e7c5650a4242260b (grok_main.py)
- 688ad7cc98cf6e4896b3e8f21794e33ee3e2077c4185bb86fcd48b63ec39771e (idle_monitor.py)
- 7813a8865cf09d34408d2d8c58452dbf4f550476c6051d3e85d516e507510aa0 (working_stealth_miner.py)


