More threat actors leveraging Geacon in macOS attacks

Attacks against macOS devices leveraging the open-source Cobalt Strike port dubbed "Geacon" have been increasing in prevalence, according to BleepingComputer. Geacon drew little attention after its first appearance on GitHub, but it gained traction following the emergence last month of two Chinese-developed forks, Geacon Plus and Geacon Pro. The forks' inclusion in the Zhizhi Chuangyu Laboratory's public GitHub repository of red-team pen-testing tools further increased their popularity among threat actors, a SentinelOne report revealed. Malicious Geacon distribution was observed in two instances in April. The first involved an AppleScript applet file that loads a decoy PDF document purporting to be the resume of a certain Xu Yiqing before launching Geacon, which could then facilitate data encryption and decryption, data exfiltration, and further malware downloads. The other campaign used a trojanized SecureLink app to deploy Geacon Pro on Intel-based Mac systems running OS X 10.9 and later versions.
