CloudMensis is a spyware targeting macOS, first discovered in 2022.
Also known as: OSX.CloudMensis, Cloud Spy
CloudMensis is a sophisticated macOS spyware discovered by ESET researchers that abuses legitimate cloud storage services — including pCloud, Yandex Disk, and Dropbox — as its command-and-control channels. This makes its network traffic extremely difficult to detect since it blends in with normal cloud storage usage. CloudMensis can exfiltrate documents, capture keystrokes, take screenshots, list email messages, record audio, and steal files from removable storage. It exploits known vulnerabilities to bypass macOS Transparency, Consent, and Control (TCC) protections, allowing it to access protected data without triggering user permission prompts.
Targeted spear-phishing emails with malicious attachments aimed at specific individuals or organizations
Exploitation of known macOS vulnerabilities to gain initial access and escalate privileges
Multi-stage deployment where a first-stage dropper downloads the full spyware payload from cloud storage
Likely used in targeted espionage operations rather than mass distribution campaigns
Unexpected pCloud, Yandex Disk, or Dropbox sync activity when you are not actively using those services
TCC database modifications that grant applications camera, microphone, or screen recording access without your approval
Files appearing in ~/Library/Containers/ or ~/Library/Preferences/ with obfuscated or random names
Unusual screencapture activity, or the screen briefly flashing when you are not taking screenshots yourself
Immediately disable Wi-Fi and Ethernet to cut the spyware's cloud-based C2 channel and prevent further data exfiltration to the attacker's cloud storage accounts.
Open Activity Monitor and look for processes with random or obfuscated names consuming network resources. CloudMensis may disguise itself using names similar to legitimate macOS services. Check for processes making connections to pCloud or Yandex Disk APIs.
Delete CloudMensis LaunchAgents and LaunchDaemons. Check ~/Library/LaunchAgents/, /Library/LaunchAgents/, and /Library/LaunchDaemons/ for suspicious plist files. Also check for login items in System Settings > General > Login Items.
CloudMensis modifies the TCC database to grant itself permissions. In Terminal: tccutil reset All (resets all app permissions — you will need to re-grant permissions to legitimate apps). Then review System Settings > Privacy & Security to ensure no unauthorized access.
CloudMensis exploits known macOS vulnerabilities. Go to System Settings > General > Software Update and install all available updates to patch the vulnerabilities it used for TCC bypass and privilege escalation.
Run a full CoreLock scan to detect CloudMensis components, verify TCC database integrity, and identify any exfiltrated data staging areas or residual cloud storage tokens used for C2 communication.
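The persistence check in the removal steps above can be scripted. The following is an added example and not CoreLock's own code: it parses every plist in a LaunchAgents or LaunchDaemons directory with the standard-library plistlib module and flags entries whose executable lives in a staging area the page names (~/Library/Containers/, ~/Library/Preferences/) or outside the usual install locations, or whose label does not look like a vendor's reverse-DNS name. The trusted and suspect path prefixes, the label pattern, and the two sample plists it writes to a temporary directory are all constructed assumptions for the demonstration.

```python
"""Audit LaunchAgent/LaunchDaemon plists for suspicious persistence entries.

Added example (not CoreLock code). Point it at ~/Library/LaunchAgents,
/Library/LaunchAgents or /Library/LaunchDaemons to review real entries.
"""
import os
import plistlib
import re
import tempfile

# Prefixes a benign agent's executable normally lives under (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Staging locations named on the page, plus common scratch dirs (assumption).
SUSPECT_PREFIXES = ("~/Library/Containers/", "~/Library/Preferences/",
                    "/tmp/", "/var/tmp/")

# Vendor-style reverse-DNS label, e.g. com.example.updater; random strings fail.
LABEL_RE = re.compile(r"^[A-Za-z]+(\.[A-Za-z][A-Za-z0-9-]+){2,}$")


def executable_of(plist):
    """Return the program a launchd job runs (ProgramArguments wins over Program)."""
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return plist.get("Program", "")


def audit_plist(path, home="~"):
    """Return a list of reasons this plist looks suspicious (empty means clean)."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    reasons = []
    exe = executable_of(plist)
    label = plist.get("Label", "")
    # Normalise the user's home directory to "~" so prefix checks match.
    norm = exe.replace(home, "~") if home != "~" else exe
    if not exe:
        reasons.append("no executable")
    elif norm.startswith(SUSPECT_PREFIXES):
        reasons.append(f"executable in staging directory: {norm}")
    elif not norm.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside trusted locations: {norm}")
    if not LABEL_RE.match(label):
        reasons.append(f"unusual label: {label!r}")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("runs at login")
    return reasons


def audit_directory(directory, home="~"):
    """Map plist filename -> reasons for every suspicious plist in directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = audit_plist(os.path.join(directory, name), home)
            if reasons:
                findings[name] = reasons
    return findings


def write_sample_agents(directory):
    """Write two constructed plists: one benign vendor agent, one dropper-style."""
    benign = {
        "Label": "com.example.updater",
        "Program": "/Applications/Example.app/Contents/MacOS/Example",
        "RunAtLoad": True,
    }
    staged = {
        "Label": "x9f2kq",
        "ProgramArguments": ["/Users/alice/Library/Containers/.x9f2kq/helper"],
        "RunAtLoad": True,
    }
    for name, data in (("com.example.updater.plist", benign),
                       ("x9f2kq.plist", staged)):
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(data, fh)


def demo():
    """Run the audit over the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(tmp)
        return audit_directory(tmp, home="/Users/alice")


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

On a real Mac, call `audit_directory(os.path.expanduser("~/Library/LaunchAgents"), home=os.path.expanduser("~"))`; a flagged entry is a candidate for the manual review the page describes, not proof of infection on its own, since some legitimate tools also install agents outside /Applications.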
Keep macOS updated to patch the vulnerabilities CloudMensis exploits for TCC bypass
Be cautious with email attachments, especially from unknown senders or unexpected messages from known contacts
Review Privacy & Security permissions regularly in System Settings to detect unauthorized access grants
Use CoreLock to monitor for TCC database modifications and unauthorized cloud service API connections
Real-time Detection
CoreLock detects CloudMensis through monitoring of TCC database integrity to catch unauthorized permission modifications, behavioral analysis identifying cloud storage API abuse patterns for C2 communication, YARA rules matching CloudMensis binary signatures and staging components, and anomaly detection flagging unexpected pCloud or Yandex Disk connections from processes that are not the official cloud storage clients.
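The last detection idea, flagging cloud storage API connections from processes that are not the official clients, can be illustrated on connection records. The following is an added example, not CoreLock's detector: it takes (process name, executable path, remote host) tuples of the kind an EDR export or a `lsof -i` listing would give, maps the host to a cloud service, and raises an alert when the connecting executable is not an allowed client. It keys on the executable path rather than the process name because, as the page notes, the spyware may disguise itself with names resembling legitimate macOS services. The domain suffixes, the client install paths, the browser allow-list and the sample records are constructed assumptions.

```python
"""Flag cloud-storage API connections from processes that are not the
official clients. Added example, not CoreLock code; names below are assumed."""

# Domain suffixes for the services the page names (assumed values).
CLOUD_SUFFIXES = {
    ".pcloud.com": "pCloud",
    ".yandex.net": "Yandex Disk",
    ".dropboxapi.com": "Dropbox",
    ".dropbox.com": "Dropbox",
}

# Install paths of the official clients (assumed; adjust to your fleet).
OFFICIAL_CLIENTS = {
    "pCloud": ("/Applications/pCloud Drive.app/",),
    "Yandex Disk": ("/Applications/Yandex Disk.app/",),
    "Dropbox": ("/Applications/Dropbox.app/",),
}

# Browsers reach these services for the web UI; treated as expected (assumed).
BROWSERS = ("/Applications/Safari.app/", "/Applications/Google Chrome.app/",
            "/Applications/Firefox.app/")


def service_for(host):
    """Return the cloud service a hostname belongs to, or None."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_SUFFIXES.items():
        if host.endswith(suffix) or host == suffix[1:]:
            return service
    return None


def is_expected(service, exe_path):
    """True if exe_path is the service's own client or a browser."""
    return (exe_path.startswith(OFFICIAL_CLIENTS.get(service, ()))
            or exe_path.startswith(BROWSERS))


def classify(records):
    """records: iterable of (process, exe_path, remote_host).
    Returns one alert dict per unexpected cloud-storage connection."""
    alerts = []
    for process, exe, host in records:
        service = service_for(host)
        if service is None or is_expected(service, exe):
            continue
        alerts.append({"process": process, "exe": exe,
                       "host": host, "service": service})
    return alerts


# Constructed sample connections: two benign, two suspicious, one unrelated.
SAMPLE_CONNECTIONS = [
    ("Dropbox", "/Applications/Dropbox.app/Contents/MacOS/Dropbox",
     "api.dropboxapi.com"),
    ("Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
     "www.dropbox.com"),
    # Process name mimics a system service; the path gives it away.
    ("WindowServer", "/Users/alice/Library/Containers/.x9f2kq/helper",
     "api.pcloud.com"),
    ("curl", "/usr/bin/curl", "cloud-api.yandex.net"),
    ("Mail", "/System/Applications/Mail.app/Contents/MacOS/Mail",
     "imap.example.com"),
]


if __name__ == "__main__":
    for alert in classify(SAMPLE_CONNECTIONS):
        print(f"{alert['service']}: {alert['process']} ({alert['exe']}) "
              f"-> {alert['host']}")
```

The rule deliberately ignores traffic volume and timing, which is what makes CloudMensis hard to spot at the network level; the signal here is purely which binary on the host opened the connection, which is information a network sensor does not have but an endpoint agent does.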
CloudMensis is notable for using legitimate cloud storage services (pCloud, Yandex Disk, Dropbox) as its command-and-control infrastructure. This means its data exfiltration traffic looks like normal cloud sync activity, making it very difficult for network monitoring tools to detect. It also actively bypasses macOS TCC protections to access your camera, microphone, and screen without triggering permission prompts.
CloudMensis appears to be used in targeted espionage operations rather than mass campaigns. It is likely deployed against specific individuals such as journalists, activists, business executives, or government officials. However, the techniques it uses may be adopted by other malware families for wider distribution. If you handle sensitive information or are in a high-risk role, you should be more vigilant.
CloudMensis exploits known macOS vulnerabilities to directly modify the TCC (Transparency, Consent, and Control) database, which stores your privacy permission settings. By modifying this database, it can grant itself access to your camera, microphone, screen recording, and files without macOS ever showing you a permission prompt. Keeping macOS updated patches these vulnerabilities.
Traditional antivirus that relies on signature matching can detect known CloudMensis binaries. However, its use of cloud storage for C2 makes network-based detection challenging since the traffic looks like normal Dropbox or pCloud usage. CoreLock addresses this by monitoring which processes are making cloud API connections and flagging unauthorized processes using cloud storage services, rather than relying solely on network traffic patterns.