Overview
- Mosyle’s research team, which disclosed the findings Wednesday, reported that Phoenix Worm and ShadeStager were not flagged by major antivirus engines at the time of discovery.
- Phoenix Worm is a Golang stager that runs on macOS, Linux, and Windows, establishing persistence, contacting command servers, assigning each host a unique ID, and fetching follow-on payloads.
- ShadeStager is a modular macOS implant that hunts SSH keys, cloud tokens for AWS, Azure, and GCP, Kubernetes configs, Git and Docker auth, and full browser profiles.
- Researchers say ShadeStager sends structured host data over HTTPS and lacks a fixed command-and-control address, suggesting runtime configuration and complicating static defenses.
- Mosyle published SHA256 hashes for both samples and urged behavioral monitoring and credential audits as vendors work to add detections.
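The credential audit and hash-based check that the last two bullets call for, as an added example written for this page rather than Mosyle's own tooling: the script inventories the credential stores ShadeStager is reported to harvest (SSH keys, AWS/Azure/GCP tokens, kubeconfig, Git and Docker auth, browser profiles), flags files readable by other users, and compares arbitrary files against an IoC hash list. The file paths are the tools' standard default locations and are assumptions about a given host; the two hashes in `KNOWN_BAD_SHA256` are obvious placeholders to be replaced with the SHA256 values from Mosyle's report, and the function names are invented here.

```python
"""Credential-exposure audit and SHA256 IoC check (added example, not Mosyle's tooling)."""
import hashlib
from pathlib import Path

# Credential stores reported as ShadeStager targets, given as paths relative to a home
# directory. These are the tools' default locations (an assumption; adjust per host).
CREDENTIAL_STORES = {
    "ssh_keys": [".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa"],
    "aws": [".aws/credentials", ".aws/config"],
    "azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "gcp": [".config/gcloud/credentials.db",
            ".config/gcloud/access_tokens.db",
            ".config/gcloud/application_default_credentials.json"],
    "kubernetes": [".kube/config"],
    "git": [".git-credentials", ".config/gh/hosts.yml"],
    "docker": [".docker/config.json"],
    "browser": ["Library/Application Support/Google/Chrome/Default/Login Data",
                "Library/Application Support/Firefox/Profiles"],
}

# PLACEHOLDER hashes: substitute the SHA256 values published in Mosyle's report.
KNOWN_BAD_SHA256 = {
    "0" * 64: "PLACEHOLDER Phoenix Worm sample",
    "1" * 64: "PLACEHOLDER ShadeStager sample",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_iocs(paths, bad_hashes=KNOWN_BAD_SHA256):
    """Return (path, label) for every regular file whose SHA-256 is in the IoC list."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_file(p)
            if digest in bad_hashes:
                hits.append((str(p), bad_hashes[digest]))
    return hits


def audit_credential_stores(home, stores=CREDENTIAL_STORES):
    """Inventory which credential stores exist under `home` and whether their POSIX
    mode grants any group/other access (0o077 bits). On Windows the mode bits are not
    meaningful, so `loose_permissions` should be ignored there."""
    home = Path(home)
    findings = []
    for store, rel_paths in stores.items():
        for rel in rel_paths:
            p = home / rel
            if not p.exists():
                continue
            st = p.stat()
            findings.append({
                "store": store,
                "path": str(p),
                "is_dir": p.is_dir(),
                "loose_permissions": bool(st.st_mode & 0o077),
                "size": None if p.is_dir() else st.st_size,
            })
    return findings


# Post-compromise action per store: every credential a harvester could have read is
# treated as exposed and rotated, not merely re-protected.
ROTATION_ACTIONS = {
    "ssh_keys": "generate a new key pair; replace authorized_keys entries; retire the old key",
    "aws": "deactivate and delete the IAM access key; issue a new one; review CloudTrail",
    "azure": "revoke refresh tokens / sign out all sessions for the account; re-authenticate",
    "gcp": "revoke gcloud auth and any exported service-account keys; re-issue",
    "kubernetes": "rotate user certificates or service-account tokens in each cluster",
    "git": "revoke personal access tokens and re-create; check for unexpected pushes",
    "docker": "rotate registry credentials and logout/login on the host",
    "browser": "reset saved site passwords and invalidate active web sessions",
}


def rotation_plan(findings):
    """Collapse audit findings into one ordered (store, action) list for responders."""
    present = {f["store"] for f in findings}
    return [(s, ROTATION_ACTIONS[s]) for s in sorted(present)]


if __name__ == "__main__":
    found = audit_credential_stores(Path.home())
    for f in found:
        flag = "LOOSE-PERMS" if f["loose_permissions"] else "ok"
        print(f"{f['store']:<11} {flag:<11} {f['path']}")
    for store, action in rotation_plan(found):
        print(f"rotate {store}: {action}")
```

Run it as a user-level inventory before and after remediation; the IoC check is deliberately separate so the same `check_iocs` call can be pointed at download directories or launch-agent payload paths once the published hashes are filled in. The permission flag is a hygiene signal only: a malware process running as the same user reads a 0600 file just as easily, so the rotation list, not the mode bits, is what closes the exposure.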