Hackers are exposing an Apple Mac weakness in Middle East espionage

“Apple Macs are rarely the target of digital espionage. But in recent years, a mysterious hacker crew called WindShift has targeted specific individuals working in government departments and critical infrastructure across the Middle East,” Thomas Fox-Brewster reports for Forbes. “And they’re exploiting weaknesses believed to affect all Apple Mac models.”

“That’s according to United Arab Emirates-based researcher Taha Karim, who said the targets were located in the so-called Gulf Cooperation Council (GCC) region. That encompasses Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain and Oman,” Fox-Brewster reports. “The targets were sent spear phishing emails containing a link to a site run by the hackers. Once the target clicked on the link, an attack would launch, the eventual aim of which was to download malware dubbed WindTale and WindTape.”

“Karim, a researcher at cybersecurity company DarkMatter, said the attackers had found a way to ‘bypass all native macOS security measures,’” Fox-Brewster reports. “He’s presenting his full findings on Thursday at the Hack In The Box conference in Singapore.”

“DarkMatter said the hackers’ web page would attempt to install a .zip file containing the malware. Once the download was completed, the malware would attempt to launch via what’s known as a ‘custom URL-scheme.’ That’s not as complex as it sounds. Developers can create their own URL scheme so that specific parts of their app will open when a link is opened,” Fox-Brewster reports. “Here’s what happens in the case of the WindShift team’s malware: First, a user visits a website that tries to install a .zip file. Inside is the malware. The Apple Safari browser will automatically unzip the file and macOS will automatically register the malware’s chosen URL scheme. The same website from which the malware was downloaded will then make a request, via the now-registered custom URL scheme, to launch the malicious software. The attackers are relying on victims to keep the site live once they’ve installed the .zip file, long enough for the malware to work.”

Read more in the full article here.

MacDailyNews Take: As Fox-Brewster explains, Apple’s latest versions of Safari will show a prompt asking the user to confirm they want to run those custom URL schemes. And if the user clicks allow, there will be another request from Apple’s Gatekeeper security feature, which will again ask the user if they really want to install the files. So, you’d have to be pretty determined to infect your Mac with malware.


  1. How, exactly, does Karim propose to fix this “weakness” without making it impossible for Mac users to install any third-party software? It is sort of like criticizing door lock manufacturers because their customers can still open the door to callers with a disguised bad intent.

    1. Karim is talking about unsolicited requests/prompts, not about a user’s voluntary visit to a site to get a download which, I think, would likely not contain any bug-ridden, offending software, otherwise we are all at great risk from any bad actor ranging from illegal criminals to legal criminals such as national and international spy agencies.

    2. Also, do this right now:

      In Safari’s Preferences, under General, UN-check the box that says: Open “safe” files after downloading.

      There is a damn good reason Apple put scare-quotes around the word “safe” here. This attack will fail immediately if you turn that off, since the zip file will remain a zip file unless you decide to open it later. That means no registering some custom URL scheme, so there’s nothing for the attack link to talk to.
      That’s another layer of security on top of the fact that Safari asks if you want to open custom URL schemes.
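
The article describes an unzipped app getting its custom URL scheme registered by macOS. As an added example (not part of the article, the comments, or DarkMatter's research), the Python sketch below lists which `.app` bundles under a folder declare custom URL schemes in `Contents/Info.plist` via the `CFBundleURLTypes` / `CFBundleURLSchemes` keys. The sample bundles, identifiers and scheme name are constructed for the demonstration; on a real Mac you would point `audit_directory` at a folder such as `~/Downloads`.

```python
import plistlib
import tempfile
from pathlib import Path

def declared_url_schemes(app_bundle):
    """Return the custom URL schemes an .app bundle declares in its Info.plist."""
    info = app_bundle / "Contents" / "Info.plist"
    try:
        with info.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception:
        return []  # missing or unparsable plist: treat as nothing declared
    if not isinstance(plist, dict):
        return []
    schemes = set()
    for url_type in plist.get("CFBundleURLTypes") or []:
        if isinstance(url_type, dict):
            for scheme in url_type.get("CFBundleURLSchemes") or []:
                if isinstance(scheme, str):
                    schemes.add(scheme.lower())  # URL schemes are case-insensitive
    return sorted(schemes)

def audit_directory(root):
    """Map each .app bundle under root that declares a URL scheme to its schemes."""
    findings = {}
    for bundle in sorted(root.rglob("*.app")):
        if bundle.is_dir():
            schemes = declared_url_schemes(bundle)
            if schemes:
                findings[str(bundle.relative_to(root))] = schemes
    return findings

def build_sample_downloads(root):
    """Constructed sample data: one bundle with a URL scheme, one without."""
    samples = {
        "Invoice.app": {"CFBundleIdentifier": "com.example.invoice",
                        "CFBundleURLTypes": [{"CFBundleURLName": "example",
                                              "CFBundleURLSchemes": ["ExampleScheme"]}]},
        "Notes.app": {"CFBundleIdentifier": "com.example.notes"},
    }
    for name, plist in samples.items():
        contents = root / name / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump(plist, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_downloads(Path(tmp))
        for bundle, schemes in audit_directory(Path(tmp)).items():
            print(f"{bundle} declares URL schemes: {', '.join(schemes)}")
```

Many legitimate apps also declare URL schemes, so a hit is a prompt to check where the bundle came from, not a verdict.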
