Welcome to the Kandji Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Kandji is responding in real time. In each edition, we break down key threat discoveries and the protections we’ve deployed to keep customer devices secure.
EDR Threat Detections and Responses
Kandji EDR is built to detect threats before they go mainstream. By combining behavioral detections with insights from our own vulnerability research, we’re able to protect customers from exploitation even before public disclosures or patches become available.
Atomic Stealer (AMOS) Impersonates Video App “Loom”
Detection: We discovered an AMOS variant disguising itself as the popular video platform app Loom. Beware of a suspicious file called “LoomSetup”, and check out the LinkedIn post for IOCs.
Response: One of these samples was not on VirusTotal; Kandji EDR protects you from InfoStealers with our comprehensive detections.
Phishing PDFs Target Gamers
Detection: We saw an increase in phishing PDFs targeting gamers, especially younger ones. These entice the victim to follow dangerous URLs and prompts, with the promise of digital currency for Roblox, Minecraft, and other popular games.
Response: We’ve classified hundreds of these samples. The pattern recognition helps us stay ahead of variants before they reach your users. Our Threat Hunters never stop hunting!
AppleProcessHub Stealer
Detection: Senior Security Researcher Chris Lopez did a deep dive on a macOS stealer with few detections. “AppleProcessHub Stealer” leverages Grand Central Dispatch, an Apple framework available on several operating systems, to queue its block for execution at a specific interval.
Response: When malware leverages legitimate system frameworks, detection becomes more nuanced. We've been fine-tuning our behavioral analysis to distinguish between legitimate use and malicious abuse of these powerful Apple tools.
Kandji Teams Up With Binary Ninja
Detection: Speaking of Chris Lopez! He gave a reverse-engineering macOS malware training session at Objective for the We in London. Binary Ninja, our favorite analysis platform, donated licenses for students to learn malware analysis hands-on.
Response: Protecting the community today isn't enough—we believe in preparing the next generation of security professionals. When we share knowledge and build skills across the industry, everyone gets stronger.
Vulnerability Management
Kandji Vulnerability Management helps teams stay ahead of risk by identifying gaps before attackers can exploit them.
Vulnerability Response Is the Missing Link
Detection: Most organizations struggle with the gap between identifying vulnerabilities and actually fixing them. Patch management often becomes a manual, time-consuming process that leaves critical systems exposed longer than necessary.
Response: Our new patch management feature in Vulnerability Response bridges that gap with Apple-specific expertise built right in. Set your risk tolerance based on vulnerability severity, and we'll handle the critical application updates automatically. We've automated the tedious work so your security teams can focus on strategic priorities.
Four New CVEs
Detection: Our researchers have dozens of vulnerabilities pending with Apple; some have already been accepted and formally noted, including 4 registered CVEs.
Response: Kandji Vulnerability Management gets the freshest macOS detections because we're not just consuming threat intelligence—we're creating it. This proactive approach means you're protected before vulnerabilities become public knowledge.
"Sploitlight": The macOS Spotlight Vulnerability?
Detection: Microsoft has recently made news for analyzing a macOS Spotlight-based TCC vulnerability, tracked as CVE-2025-31199.
Response: What they didn't mention? Kandji Principal Security Researcher, Csaba Fitzl, reported this exact vulnerability back in the Big Sur days and has been teaching courses on it ever since.
What's Coming Up
Kandji’s Security Research team is staying active beyond the keyboard. You can find us sharing knowledge and building community at these upcoming events:
- Chris Lopez @ DefCon, Malware Village, Aug 8, 2025
- Shwena Kak @ SF Bay Area Apple Admins Meetup, Aug 14, 2025
- Csaba Fitzl @ MacSysAdmin, Oct 1, 2025
- Csaba Fitzl @ Objective by the Sea, Oct 15, 2025
We're committed to staying ahead of the threat curve. Every quarter brings new challenges, and we'll be back with fresh insights, discoveries, and protection updates to keep your environment secure.