Cuckoo is a trojan targeting macOS, first discovered in 2024. It is spyware that combines information stealing with persistent spying capabilities. It can capture screenshots, record audio through the microphone, log keystrokes, and exfiltrate Keychain data. It is distributed through websites offering tools to convert music from streaming services.
Also known as: Cuckoo Spyware, OSX.Cuckoo
Fake music converter tools for Spotify and Apple Music ripping
Websites like DumpMedia, TuneSolo, and FoneDog offering trojanized apps
Malicious DMG files with instructions to bypass Gatekeeper
SEO-optimized download pages ranking for music conversion queries
Recently installed a music converter or streaming ripper tool
Microphone or camera indicator lights activating unexpectedly
High CPU usage from unknown background processes
Keychain access prompts you did not initiate appearing repeatedly
Delete the trojanized music converter app from /Applications. Check ~/Library/Application Support for related folders like DumpMedia or TuneSolo.
Go to System Settings > Privacy & Security > Microphone and Camera. Remove permissions for any application you do not trust.
Check ~/Library/LaunchAgents for plist files associated with the music converter. Remove any cron jobs added by the malware using crontab -e.
Cuckoo can capture keystrokes and access the Keychain. Change all passwords, enable two-factor authentication, and consider your previous typing activity compromised.
Use CoreLock to detect Cuckoo's spyware modules including audio capture, screenshot, and keylogging components that may persist independently of the main application.
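The manual checks in the steps above can be collected into one read-only audit. This is an added example, not CoreLock's code or part of the original page; the function names are hypothetical, and matching on the vendor names this page mentions is an assumption about how leftovers are named.

```sh
#!/bin/sh
# Added example: read-only audit of the locations named in the removal steps.
# Vendor names come from this page; matching on them is a heuristic, so treat
# hits as leads to review, not as proof of infection.
VENDORS='DumpMedia|TuneSolo|FoneDog'

# List entries directly inside directory $1 whose name contains a vendor name.
scan_names() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 2>/dev/null |
        grep -Ei "/[^/]*($VENDORS)[^/]*\$" || true
}

# List plists in directory $1 whose file name or contents mention a vendor name.
# Binary plists still match on embedded ASCII strings; use `plutil -p` to read one.
scan_launch_agents() {
    [ -d "$1" ] || return 0
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        if printf '%s\n' "${f##*/}" | grep -Eiq "$VENDORS" || grep -Eiq "$VENDORS" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Read crontab text on stdin; print every active entry, tagging vendor matches.
scan_cron() {
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eiq "$VENDORS"; then
            printf 'MATCH  %s\n' "$line"
        else
            printf 'REVIEW %s\n' "$line"
        fi
    done
}

# $1 = home directory, $2 = applications directory
audit() {
    echo "== Applications";        scan_names "$2"
    echo "== Application Support"; scan_names "$1/Library/Application Support"
    echo "== LaunchAgents";        scan_launch_agents "$1/Library/LaunchAgents"
}

# Scan the live system only when invoked as: sh cuckoo_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit "$HOME" /Applications
    echo "== crontab"; crontab -l 2>/dev/null | scan_cron
fi
```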
Avoid unofficial tools for ripping or converting streaming music — they are common malware vectors
Review which apps have microphone and camera access in System Settings regularly
Never follow instructions to right-click and Open to bypass Gatekeeper
Use CoreLock's privacy audit to monitor which processes access your camera and microphone
Real-time Detection
CoreLock detects Cuckoo through privacy permission monitoring that flags unauthorized microphone and camera access, behavioral analysis of keylogging patterns, YARA signatures matching known Cuckoo spyware variants, and process monitoring identifying screenshot capture at suspicious intervals.
Cuckoo spreads through websites offering music converter tools for ripping songs from Spotify and Apple Music. Sites like DumpMedia and TuneSolo have been identified distributing trojanized applications that install the spyware.
Yes. Cuckoo can record audio through the microphone, capture screenshots, and log keystrokes. It also accesses the Keychain for stored passwords. CoreLock's privacy audit feature can alert you when apps access these resources without authorization.
Unlike pure information stealers that grab data and exit, Cuckoo persists on the system as spyware, continuously monitoring keystrokes, capturing screenshots, and recording audio. This combination of stealing and spying makes it particularly dangerous for sustained surveillance.