golby's Avatar

golby

@golby

macOS Threat and Detections Researcher @ Jamf

327
Followers 246
Following 41
Posts 21.06.2023
Joined
Posts Following

Latest posts by golby @golby

Victor just released v1.14.0 - improvements in macho module, tighter code generation in the compiler and the new “deps” command.

Congratulations to everyone involved!

github.com/VirusTotal/y...

06.03.2026 10:52 👍 4 🔁 2 💬 0 📌 0

Especially when they reference the Jamf and OpenSource Malware blogs that attribute it properly.

25.02.2026 13:16 👍 0 🔁 0 💬 0 📌 0
Post image Post image Post image Post image

Browser based ES/Mac Monitor log analyzer

- Story timelines
- Sigma rule matching
- In-depth process tree analyzer
- Much much more!

Amazing work by my coworker @txhaflaire.bsky.social

Check it out! es.decompiler.dev

#macos #malware #reverseengineering #threathunting #dfir

24.02.2026 03:11 👍 0 🔁 0 💬 0 📌 0
Post image

Ah man this got a tear out of me

22.02.2026 16:29 👍 68 🔁 21 💬 0 📌 9
Preview
GitLab Threat Intelligence Team reveals North Korean tradecraft Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.

Without exaggeration, one of the most epic DPRK reports ever about.gitlab.com/blog/gitlab-...

20.02.2026 00:15 👍 32 🔁 13 💬 2 📌 2

Hello world!

#MacAdmins #MacAdmin

14.02.2026 16:03 👍 11 🔁 6 💬 0 📌 0

Some of the most popular packages on the OpenClaw official registry ClawHub are malicious
@openclaw-x.bsky.social

01.02.2026 12:19 👍 1 🔁 1 💬 0 📌 0

Welcome to my winter.

31.01.2026 16:51 👍 0 🔁 0 💬 1 📌 0

Come visit.

26.01.2026 16:01 👍 0 🔁 0 💬 1 📌 0
Preview
Apple @ Work: M.A.C.E. app is a prime example of the Mac admins community at work - 9to5Mac M.A.C.E. simplifies macOS compliance with a free GUI for the mSCP. It’s a prime example of the Mac admin community solving real IT problems.

Okay, this is friggin awesome! M.A.C.E is a great tool and I’m so proud of the work we’ve done on the #MSCP.

I’ll be honest, my compatriots do way more work than me, I’m just a tiny bit in this project. Still super cool to see here.

9to5mac.com/2026/01/24/m...

24.01.2026 14:53 👍 4 🔁 1 💬 0 📌 0

Hide your couches, Twin Cities

21.01.2026 20:00 👍 2 🔁 1 💬 0 📌 0

@craigcalcaterra.bsky.social my wife finally found them at Meijer in Toledo on her way to Michigan. They're kind of rad. Do recommend.

21.01.2026 19:20 👍 0 🔁 0 💬 0 📌 0
Preview
National Averages After First Year of Trump's Second Term

Updated the tracking sheet I made last year now that it's been a year — National Averages After First Year of Trump's Second Term docs.google.com/spreadsheets...

19.01.2026 18:37 👍 0 🔁 1 💬 0 📌 0

My daughter is a huge fan. Def worth a try.

16.01.2026 00:11 👍 0 🔁 0 💬 1 📌 0

Have you tried goodles?

16.01.2026 00:09 👍 0 🔁 0 💬 1 📌 0
Post image

#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.

We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.

rule at bottom
1/5

12.01.2026 14:27 👍 6 🔁 2 💬 1 📌 0
Post image

#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.

Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892

Rule at end
1/3

10.01.2026 19:17 👍 3 🔁 2 💬 1 📌 0

I check daily....

09.01.2026 20:29 👍 0 🔁 0 💬 0 📌 0

TIL, I didn't know yr dump [macho] produced that data. Amazing!

06.01.2026 14:21 👍 1 🔁 0 💬 1 📌 0
Post image

#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.

When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.

Rule at end
1/7

05.01.2026 13:10 👍 7 🔁 3 💬 1 📌 0
Post image

Jamf Threat Labs observed a revamped MacSync Stealer variant delivered as a code-signed and notarized app. Unlike earlier drag-to-Terminal/ClickFix chains, it uses a more deceptive, hands-off approach. www.jamf.com/blog/macsync...

06.01.2026 11:30 👍 1 🔁 1 💬 0 📌 0
Post image Post image

I have created a website, where you can share your sample analysis (via links or posts) and search samples for training based on tags and difficulty.

If you write analysis blogs, you can share them there.
samplepedia.cc

04.01.2026 05:53 👍 14 🔁 7 💬 0 📌 1
Post image

#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.

If the dev is going to use hard-coded strings, lets use them to our advantage.

This thread will demo Malcat's YARA features.
Rule at end of thread
1/5

03.01.2026 15:10 👍 4 🔁 3 💬 1 📌 0
Preview
a black and white photo of a man with a stethoscope around his neck screaming . ALT: a black and white photo of a man with a stethoscope around his neck screaming .

🚨#100DaysofYARA lives!!

2 time reigning champ Yashraj
has kindly offered to take the helm for this community effort! Give the homie a follow 👊

Check the repo to contribute: github.com/100DaysofYARA

And gear up for Jan 1 when #100DaysofYARA will kick off!

28.12.2025 23:21 👍 10 🔁 4 💬 1 📌 0
Draft SP 800-70 Rev 5 is available for comment | CSRC NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public c...

If you like reading NIST special publications, I got a newly revved 800-70 for you.

csrc.nist.gov/News/2025/dr...

09.12.2025 21:17 👍 2 🔁 1 💬 0 📌 0
Post image

Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. www.jamf.com/blog/flexibl...

26.11.2025 10:05 👍 0 🔁 2 💬 0 📌 0
Preview
DigitStealer: In-Depth Analysis of a New macOS Infostealer Jamf Threat Labs uncovers DigitStealer, a new macOS infostealer. Learn about its unique evasion techniques, multi-stage payload and how to protect your systems.

Another great writeup from @txhaflaire.bsky.social on a new stealer that Jamf is calling digitstealer.
www.jamf.com/blog/jtl-dig...

14.11.2025 00:29 👍 3 🔁 0 💬 0 📌 0

Oooh XProtect 5322 added XPScripts.yr. Guess they're going to start blocking malicious osascript and other interpreters now.

04.11.2025 22:09 👍 1 🔁 0 💬 0 📌 0

OBTS bound! #obtsv8

13.10.2025 21:52 👍 1 🔁 0 💬 0 📌 0
Preview
IQ Check: On-Device vs PCC — Reading the Signals Hidden on Your Mac Your Mac knows and can tell you specifically on device vs off device for Apple Intelligence

A year into Apple Intelligence, what do we know? Well your Mac knows the answers, just gotta ask the right questions.

Read “IQ Check: On-Device vs PCC — Reading the Signals Hidden on Your Mac“ by Bob Gendler on Medium: boberito.medium.com/iq-check-on-...

06.10.2025 17:11 👍 1 🔁 2 💬 0 📌 0