MacOS gets a lot of attention for its security features, and rightfully so. Between Gatekeeper, SIP, TCC, and XProtect, it has layers upon layers designed to stop malware and alert users to anything suspicious. But while defenders are focused on flashy system popups, notarization warnings, and TCC prompts, there'

Abusing macOS resource forks to stash and stage shellcode without touching file contents, changing hashes, or triggering EDR, pure metadata-based stealth. This post dives deep into how macOS extended attributes, specifically the com.apple.ResourceFork which can be abused to hide and stage shellcode payloads without modifying file contents or

A deep dive into hiding shellcode in .manifest file, triggering it with GUI events, and evading EDRs without touching a single suspicious API. If you could: * Embed your payload in a totally legitimate XML file, * Parse it using native Windows APIs, * Execute it in-memory without touching CreateRemoteThread, VirtualAllocEx, or even

Weaponizing Apple AI for Offensive Operations Black HatBlack HatBlack Hat Apple's on device AI frameworks CoreML, Vision, AVFoundation enable powerful automation and advanced media processing. However, these same capabilities introduce a stealthy attack surface that allows for payload execution, covert data exchange, and fully AI assisted command and

Breaking the Vault: Exploiting Flaws in Credential Management Systems Credential vaults play a critical role in modern enterprise defense rotating high-value passwords, managing access, and logging activity. But they often assume that controlling the credential = controlling the access. That assumption is wrong. This post details how an attacker can persist