How to eliminate macOS.Macma backdoor malware from the operating system?
Written by Tomas Meskauskas on (updated)
What is macOS.Macma?
macOS.Macma is the name of a malicious program designed to steal information and spy on its victims. While outdated Catalina macOS (Macintosh operating system) versions are particularly vulnerable to this malware, it has been observed successfully operating on the newest Monterey macOS releases as well.
At the time of research, the macOS.Macma malware was actively used in Chinese-backed APT (Advanced Persistent Threat) activity. These campaigns targeted activists and journalists, primarily those who visit sites that center pro-democracy activism in Hong Kong.
macOS.Macma malware overview
macOS.Macma is an information-stealing malware with spyware capabilities. It collects the following data about the infected device - CPU (Central Processing Unit) information and model, UUID (Universally Unique Identifier), Mac address, available memory and disk space, IP (Internet Protocol) address, and so on. Once the device data fits the malware's specifications, it begins persistence-ensuring processes.
Users can encounter pop-up windows, which request permission to access the computer's Accessibility features and microphone. Even if these permissions are not granted, this does not mean that macOS.Macma is incapable of performing any malicious actions on the compromised device.
This program can record audio and video via integrated/attached microphones and cameras, take screenshots (used immediately to capture the currently opened windows), record keystrokes (keylogging), and even download files.
To summarize, macOS.Macma infections can cause severe privacy issues, financial losses, and identity theft. Since this malware has been used for politically-motivated goals, it could threaten the victims' activism.
| Name | macOS.Macma malware |
| Threat Type | Mac malware, Mac virus, Trojan, password-stealing virus, spyware. |
| Detection Names | Avast (MacOS:Macma-A [Trj]), Combo Cleaner (Trojan.MAC.Generic.109002), ESET-NOD32 (OSX/Macma.A), Kaspersky (HEUR:Trojan.OSX.Agent.gen), Full List Of Detections (VirusTotal) |
| Symptoms | Trojans-type malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution Methods | Infected email attachments, fake Adobe Flash Player installers, malicious online advertisements, social engineering, software 'cracks'. |
| Damage | Data and financial losses, loss of access to personal accounts, problems with browsing safety, online privacy issues. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Mac malware examples
OceanLotus is a malicious Mac-specific program used for similar purposes as macOS.Macma. XcodeSpy, Silver Sparrow, UpdateAgent, NUKESPED, and Tarmac are some other examples of malware that targets macOSes.
In general, harmful software can have various functionalities, which can be in different combinations. Trojan is a broad term referring to malware that can be capable of spying, stealing data and files, and/or allowing other malicious software into the system. Ransomware is designed to encrypt files and/or lock the device's screen to make ransom demands. Cryptominers are programs that abuse system resources to generate cryptocurrency.
Regardless of how malware operates, it endangers device and user safety. Therefore, it is crucial to remove all threats immediately upon detection.
How did macOS.Macma infiltrate my computer?
Malware is spread using phishing and social engineering techniques. Spam campaigns are often used for this purpose. Spam emails can have infectious files (e.g., archives, executables, PDF and Microsoft Office documents, JavaScript, etc.) as attachments or download links. When virulent files are opened - the infection chain is jumpstarted.
Malware is also distributed through untrustworthy download channels, e.g., unofficial and freeware sites, Peer-to-Peer sharing networks, etc.
Illegal software activation ("cracking") tools and fraudulent updaters (e.g., fake Adobe Flash Player updates) are used in malware proliferation as well. "Cracks" can cause infections instead of activating licensed products. Fake updaters infect systems by exploiting outdated software and/or by installing malicious programs.
How to avoid installation of malware?
It is advised against opening dubious and irrelevant emails. The attachment and links found in such emails - must never be opened, as they are the origins of potential infections. It is also recommended to download from official and verified sources. Additionally, all programs must be activated and updated with tools provided by legitimate developers.
It is paramount to have a dependable anti-virus installed and kept updated. This software has to be used to run regular system scans and to remove detected threats. If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Screenshot of macOS.Macma asking permission to use Accessibility features:
Screenshot of macOS.Macma microphone access permissions:
Update July 24, 2024: Recent variants of macOS.Macma show ongoing development, including new logic for collecting file system listings, modified audio recording code, additional parametrization and debug logging, and new options for adjusting screenshot size and aspect ratio.
These variants also connect to a command and control IP address associated with the MgBot malware. macOS.Macma and other malware in the toolkit used by cybercriminals share code from a custom library used exclusively by the group behind these attacks.
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "macOS.Macma"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with macOS.Macma malware, should I format my storage device to get rid of it?
No, formatting is unnecessary for macOS.Macma malware's removal.
What are the biggest issues that macOS.Macma malware can cause?
The threats posed by a malicious program depend on its abilities and the cyber criminals' goals. Since macOS.Macma has been used to target political activists and journalists, it can pose a threat to their persons and causes. In general, malware of this type can cause severe privacy issues, financial losses, and identity theft.
What is the purpose of macOS.Macma malware?
Malicious software is typically released to generate revenue for the cyber criminals. Other reasons are possible; in fact, macOS.Macma has been observed being used for politically-motivated attacks, specifically for APT (Advanced Persistent Threat) activity against activists and journalists.
How did macOS.Macma malware infiltrate my computer?
Malware is spread using phishing and social engineering tactics. Malicious software is distributed via drive-by downloads, spam mail, unofficial and freeware download websites, Peer-to-Peer sharing networks, online scams, illegal activation tools ("cracks"), fake updates, and so on.
Will Combo Cleaner protect me from malware?
Yes, Combo Cleaner can detect and eliminate most of the known malware infections. It is noteworthy that sophisticated malicious programs are capable of hiding deep within systems - therefore, performing a complete system scan is a must.
Outstanding!
▼ Show Discussion