My presentation “XUnprotect: Reverse Engineering macOS XProtect Remediator” at #BHUSA wrapped up yesterday. Thank you so much to everyone who attended. For those who couldn’t make it to #BHUSA, I’ll be sharing the key points from my research in this thread. (1/22)

Looks like more MacSync: 4d751dd363298589cb436d78cd302f9d794ae1e3670722a464884be908671a9c - Zoom lookalike. thanks @malwrhunterteam :) Written in Objective-C, which is beautiful and a great start to a Monday. Look a how pretty that binja Pseudo-ObjC is.♥️ Brackets! 🧵

If you’re interested in how to conceal the fact that reflectively loaded in-memory payloads have no backing file, feel free to check out my reflective loader implementation (based on @patrickwardle’s one). By using this, you can specify a fake backing file.

Want to run your compiled Mach-O payloads directly from memory without worrying if they'll be detected or captured? 😈 🔥 New blog post: "Reflective Code Loading on macOS (Part II)" https://t.co/ZfOjG1Quvq macOS 26? ✔️ Objective-C payloads? ✔️ Detection ideas (limited)? ✔️

I've updated the XPRSecretConfig repository. https://t.co/f4Pi74q7vo This repo tracks XProtect Remediator's encrypted hidden configurations, such as YARA rules, regular expressions, and file paths. I'll continue monitoring how XPR evolves.

@L0Psec Just wait, mind-blowing swift is already on-deck for the next release! (my co-workers cringing at me over-promising...)

The writeup to our #OBTS talk “CrashOne - A Starbucks Story - CVE-2025-24277“ with @gergely_kalman is up at Iru’s website. This was a cool sandbox escape + lpe on macOS. https://t.co/Vd6sRJzyk0

@nullcon is one of the best conferences I've been to, I highly recommend submitting!

Apple also introduced new APIs to implement the Conductor scanner. In this update, the GKTicket, XPCloudKitAPI, GKHash, and XPTicketDatabase classes were newly added to XPPluginAPI.

But I’m not entirely sure about this, though — if anyone has more information on this behavior, I’d really appreciate hearing from you.

I suspect some bugs in macOS prior to 15.4 may have caused these inconsistencies, and the Conductor scanner was introduced to resolve them.

I haven’t analyzed all of its behavior yet, but the scanner seems to delete entries in the Ticket database if the fetched tickets are not revoked. So, it appears to be designed to fix inconsistencies between the local Ticket database and the fetched tickets.

If it finds such hashes, it fetches the corresponding tickets using the CloudKit API.

https://t.co/Iq3AVAXvyh

It opens the /var/db/SystemPolicyConfiguration/Tickets database, which contains registered notarization tickets (see https://t.co/QUT7rCYGz5), then searches for revoked entries using “SELECT hash, hash_type FROM tickets WHERE (flags & ?1) != 0.” (where ?1 is bound to 1).

The scanner first checks if the OS version is greater than 15.4. If so, it always returns the status “Success,” then exits. Otherwise, it performs remediation actions. (2/n)

Last week, Apple updated XProtect Remediator from version 153 to 156. In this update, Apple added a new scanner called Conductor. I finally had time to analyze this scanner, so I’d like to share some of the details in this post. (1/n)

The new "XPScripts.yr" file mentioned by @howardnoakley is potentially interesting. 2 Yara rules related to AppleScript (osascript). One for browsers and another for known crypto wallets.

#OBTS was so much fun! I had the chance to attend some amazing talks and gained new insights that inspired fresh ideas for my future research. I also received valuable feedback on my own work, which gave me several points to re-examine. I’ll be tackling them one by one.

Binary Ninja plugins I developed during my XProtect Remediator research are now available in the Binary Ninja Plugin Manager! - Swift Analyzer - XProtect Remediator Analyzer - Missing Link Many thanks to @vector35 for suggesting it!

Slides from my #OBTS v8 talk "Dylib Hijacking on macOS: Dead or Alive?" 🍎☠️🤔 https://t.co/57Pjtvlnzt Turns out that dylib hijacking is (still) alive and well on macOS (26 included) due to three issues/flaws in Apple's mitigations