Attackers Target macOS With Geacon Cobalt Strike Tool

Published: 23/11/2024   Category: security


Threat actors have been seen using a Go-language implementation of the red-teaming tool against both Intel and Apple silicon-based macOS systems.



Heads up: threat actors are now deploying Geacon, a Go-language implementation of the Cobalt Strike Beacon implant that first surfaced on GitHub four years ago and had remained largely under the radar.
They are using the red-teaming and attack-simulation tool against macOS systems in much the same way they have used Cobalt Strike for post-exploitation activity on Windows over the past few years.
Security researchers at SentinelOne reported the activity this week after spotting several Geacon payloads on VirusTotal in recent months. SentinelOne's analysis of the samples showed that some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.
One malicious sample, submitted to VirusTotal on April 5, is an AppleScript applet titled Xu Yiqing's Resume_20230320.app that downloads an unsigned Geacon payload from a malicious server with a China-based IP address.
SentinelOne found that the application supports macOS systems running on either Apple silicon or Intel processors. The applet contains logic that determines the architecture of the host so it can download the Geacon payload built for that machine. The compiled Geacon binary itself carries an embedded PDF, a resume for an individual named Xu Yiqing, which it displays as a decoy before beaconing out to its command-and-control (C2) server.
The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads, and exfiltrating data, SentinelOne said.
In another instance, SentinelOne discovered a Geacon payload embedded in a fake version of the SecureLink enterprise remote-support application. That payload appeared on VirusTotal on April 11 and targeted only Intel-based macOS systems. Unlike the first sample, SentinelOne found this one to be a bare-bones, unsigned application likely built with an automated tool. On launch it asked the user for camera and microphone access, administrator privileges, and other permissions, several of which are gated by macOS's Transparency, Consent, and Control (TCC) framework, so a user who clicks through those prompts hands the implant its capabilities. In this instance, the Geacon payload communicated with a known Cobalt Strike C2 server at an IP address based in Japan.
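As an added example, which is neither SentinelOne's tooling nor code from the Geacon project, the following Python script performs the static triage a responder would run on samples like the two described above: it walks the universal ("fat") header to list which architectures a binary was built for, checks each slice for the marker Go places at the start of its build-info section, and locates any embedded PDF that could serve as a decoy document. The two sample binaries are constructed in memory to mirror the shapes the report describes (a dual-architecture Go binary carrying a PDF, and an Intel-only Go binary without one); they are not real malware, and the names RESUME_SAMPLE and SECURELINK_SAMPLE, like every offset below, are assumptions of this example rather than values from the report.

```python
"""Static triage of a Mach-O sample: list architecture slices, flag Go build
info, and locate an embedded PDF. Example code added for illustration; not
SentinelOne's tooling. The sample binaries are constructed in memory."""
import struct
from dataclasses import dataclass

FAT_MAGIC = 0xCAFEBABE          # universal ("fat") header magic, big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header magic, little-endian on disk
MH_EXECUTE = 2
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # first 14 bytes of Go's .go.buildinfo section
PDF_MAGIC = b"%PDF-"


@dataclass
class SliceReport:
    arch: str
    offset: int
    size: int
    is_go: bool
    pdf_offsets: list   # absolute file offsets of "%PDF-" inside this slice


@dataclass
class Report:
    universal: bool
    slices: list


def _slices(data):
    """Return (is_universal, [(arch, offset, size), ...]) for a fat or thin Mach-O."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        out = []
        for i in range(nfat):          # each fat_arch entry is 20 bytes, big-endian
            cputype, _sub, off, size, _align = struct.unpack(">iiIII", data[8 + 20 * i: 28 + 20 * i])
            out.append((CPU_NAMES.get(cputype, hex(cputype)), off, size))
        return True, out
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<i", data[4:8])[0]
        return False, [(CPU_NAMES.get(cputype, hex(cputype)), 0, len(data))]
    raise ValueError("not a Mach-O or universal binary")


def _find_all(blob, needle):
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def triage(data):
    universal, raw = _slices(data)
    slices = []
    for arch, off, size in raw:
        blob = data[off:off + size]
        if struct.unpack("<I", blob[:4])[0] != MH_MAGIC_64:
            raise ValueError(f"slice {arch} at {off:#x} is not a 64-bit Mach-O")
        slices.append(SliceReport(arch, off, size, GO_BUILDINFO_MAGIC in blob,
                                  [off + p for p in _find_all(blob, PDF_MAGIC)]))
    return Report(universal, slices)


def findings(report):
    """Indicators an analyst would act on, one string per finding."""
    out = [("universal binary: " if report.universal else "thin binary: ")
           + ", ".join(s.arch for s in report.slices)]
    for s in report.slices:
        if s.is_go:
            out.append(f"{s.arch}: Go build info present (Go-compiled, consistent with Geacon)")
        for p in s.pdf_offsets:
            out.append(f"{s.arch}: embedded PDF at file offset {p:#x} (possible decoy document)")
    return out


# --- constructed sample binaries (hypothetical, not real malware) ---
def _mach_header(cputype, cpusubtype):
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, 0, 0, 0, 0)


def _thin(cputype, cpusubtype, body):
    return _mach_header(cputype, cpusubtype) + body


def _fat(slices, align=0x1000):
    """Lay out slices behind a fat header, each page-aligned as the real format requires."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    entries, blobs, off = b"", b"", align
    for cputype, cpusubtype, body in slices:
        blob = _thin(cputype, cpusubtype, body)
        entries += struct.pack(">iiIII", cputype, cpusubtype, off, len(blob), 12)
        padded = blob + b"\0" * (-len(blob) % align)
        blobs += padded
        off += len(padded)
    head = header + entries
    return head + b"\0" * (align - len(head)) + blobs


GO_BODY = b"\0" * 64 + GO_BUILDINFO_MAGIC + b"\x08\x00" + b"\0" * 64   # 144 bytes
DECOY = b"%PDF-1.4\n%decoy resume\n"
RESUME_SAMPLE = _fat([(CPU_TYPE_X86_64, 3, GO_BODY + DECOY), (CPU_TYPE_ARM64, 0, GO_BODY + DECOY)])
SECURELINK_SAMPLE = _thin(CPU_TYPE_X86_64, 3, GO_BODY)

if __name__ == "__main__":
    for name, sample in (("resume-style", RESUME_SAMPLE), ("securelink-style", SECURELINK_SAMPLE)):
        print(name)
        for line in findings(triage(sample)):
            print("  " + line)
```

The Go build-info marker is only a hint: it is a string match that a careful operator can remove, so treat it as a reason to look harder, not as a verdict. The architecture list is the more durable signal, since it tells you which of a vendor's fleets the sample can run on at all; pair it with `codesign -dv --verbose=4` on the real file to confirm the unsigned status the report describes.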
This is not the first time we have seen a Trojan masquerading as SecureLink with an embedded open-source attack framework, SentinelOne said. The security vendor pointed to its discovery last September of a fake SecureLink carrying the open-source macOS-capable attack framework Sliver as another example. [It's] a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors, SentinelOne said.
Attackers have long used Cobalt Strike for a variety of malicious post-exploitation activities on Windows systems, including establishing command-and-control, lateral movement, payload generation, and exploit delivery. There have also been occasional instances of attackers using Cobalt Strike against macOS. One example is a typosquatting attack last year in which a threat actor attempted to deploy Cobalt Strike on Windows, Linux, and macOS systems by uploading a malicious package dubbed pymafka to the PyPI registry.
In other instances, attackers have used the Mythic red-teaming framework, which ships agents for macOS, as part of their attack chains.
The activity involving Geacon itself started shortly after an anonymous Chinese researcher using the handle z3ratu1 released two Geacon forks last October: one private and likely for sale, called geacon_pro, and the other public, called geacon-plus. The pro version includes additional features such as anti-virus bypass and anti-kill capabilities, says Tom Hegel, senior threat researcher at SentinelOne.
He ascribes the sudden attacker interest in Geacon to a blog post in which z3ratu1 described the two forks and marketed his work. The original Geacon project itself was largely for protocol analysis and reverse-engineering purposes, he says.
The growing malicious use of Geacon fits a broader pattern of increasing attacker interest in macOS.
Earlier this year, researchers at Uptycs reported on a novel Mac malware sample dubbed MacStealer that, in keeping with its name, stole documents, iCloud Keychain data, browser cookies, and other data from Apple users. In April, the operators of LockBit became the first major ransomware group to develop a Mac version of their malware, setting the stage for others to follow. And last year, North Korea's notorious Lazarus Group became one of the first known state-backed groups to begin targeting Apple Macs.
SentinelOne has released a set of indicators of compromise to help organizations identify malicious Geacon payloads.
