Silver Sparrow is a trojan targeting macOS, first discovered in 2021.
Also known as: SilverSparrow, Slisp
Silver Sparrow was a mysterious macOS malware discovered on nearly 30,000 Macs across 153 countries in February 2021. It was notable for being one of the first malware families compiled natively for Apple Silicon (M1), though its final payload was never observed in the wild. It used the macOS Installer JavaScript API for execution, a novel technique.
Malicious PKG installer files distributed through unknown channels
Two known variants: update.pkg (Intel) and updater.pkg (Universal binary for Intel + M1)
Distribution infrastructure suggested large-scale, coordinated deployment
File ~/Library/.insu present on disk (infection marker)
LaunchAgent plist checking a remote URL every hour
Process making periodic connections to Amazon AWS S3 buckets
PKG installer files named update.pkg or updater.pkg in recent downloads
Look for the file ~/Library/.insu — if this file exists, your Mac was infected by Silver Sparrow. Its presence was used as a self-destruct check by the malware.
Delete the malicious plist from ~/Library/LaunchAgents. It typically references a script that checks an AWS S3 URL for commands every hour.
Remove the binary from ~/Library/._insu or /tmp/agent (varies by variant). Also remove the original PKG installer file from your Downloads folder.
The malware communicated with specific AWS S3 endpoints. While these have been taken down, blocking them in your firewall adds defense-in-depth.
Run a CoreLock scan to verify full removal and check for any payload that may have been delivered before the C2 infrastructure was dismantled.
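As an added triage helper that is not part of this page or of CoreLock's own tooling, the following POSIX shell function checks a home directory for the markers listed above (the .insu file, the dropped binary locations, an S3-beaconing LaunchAgent and the two known installer names) and prints each finding without deleting anything; matching the plist on "amazonaws.com" and reading its StartInterval are assumptions about the plist's contents.

```shell
#!/bin/sh
# Added triage helper, not CoreLock's own tooling: looks for the Silver Sparrow
# markers named on this page and prints each finding. It never deletes anything.
# Paths for .insu, ._insu, /tmp/agent and the S3 beacon come from the page;
# matching the LaunchAgent on "amazonaws.com" is an assumption.

# check_silver_sparrow HOME_DIR [TMP_DIR]
# Prints one line per finding; returns 0 when clean, 1 when anything was found.
check_silver_sparrow() {
    home="$1"
    tmp="${2:-/tmp}"
    hits=0

    # Infection marker (the malware's own self-destruct check) and the known
    # binary drop locations, which vary by variant.
    for f in "$home/Library/.insu" "$home/Library/._insu" "$tmp/agent"; do
        if [ -e "$f" ]; then
            echo "MARKER: $f"
            hits=$((hits + 1))
        fi
    done

    # LaunchAgent plists that reference an AWS S3 URL, i.e. the hourly beacon.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'amazonaws\.com' "$plist"; then
            interval=$(grep -A1 'StartInterval' "$plist" | grep -o '[0-9][0-9]*' | head -n1)
            echo "LAUNCHAGENT: $plist (StartInterval=${interval:-unknown}s)"
            hits=$((hits + 1))
        fi
    done

    # The original installer, by the two known file names.
    for pkg in "$home/Downloads/update.pkg" "$home/Downloads/updater.pkg"; do
        if [ -f "$pkg" ]; then
            echo "PKG: $pkg"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]
}

# Usage: sh triage.sh "$HOME"; an exit status of 1 means markers were found.
if [ "$#" -gt 0 ]; then
    check_silver_sparrow "$1"
fi
```

Review every reported path before removing it, since a LaunchAgent that legitimately talks to S3 will also be flagged.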
Be cautious of PKG installers from unknown sources — they can execute code via the macOS Installer JavaScript API
Monitor network connections for unexpected periodic outbound requests
Keep macOS updated as Apple revoked the certificates used by Silver Sparrow
Use CoreLock's network monitoring to detect hourly beacon patterns typical of malware C2
Real-time Detection
CoreLock detects Silver Sparrow through behavioral analysis of periodic C2 beacon patterns, YARA signatures matching both Intel and M1 binary variants, file system monitoring for known infection markers like .insu, and network analysis identifying communication with known C2 infrastructure.
The final payload of Silver Sparrow was never observed — the malware checked for commands hourly but the C2 server never delivered a second-stage payload before being taken down. Researchers believe it was positioning infrastructure for a future large-scale attack.
Nearly 30,000 Macs across 153 countries were infected. The malware had native Apple Silicon (M1) support, making it one of the first threats optimized for Apple's newest hardware at the time.
The original Silver Sparrow infrastructure has been dismantled and Apple revoked the developer certificates. However, the techniques it pioneered — PKG JavaScript API execution and M1-native binaries — have been adopted by subsequent macOS malware.