TL;DR
Mosyle disclosed a previously unknown macOS malware campaign that appears to incorporate code produced by generative AI models. The sample, called SimpleStealth, impersonates the Grok app, prompts for the user's system password in order to strip macOS quarantine protections from its payload, and runs a Monero miner that works only while the Mac is idle.
What happened
Security researchers at Mosyle shared details with 9to5Mac about a macOS malware campaign they name SimpleStealth. The threat is delivered from a look‑alike website impersonating the Grok app and distributed as a Grok.dmg installer from an observed domain (xaillc[.]com). When executed, the installer requests the user's system password, uses it to remove Apple's quarantine protections and stage its payload, and meanwhile presents a convincing fake app UI.

Behind the interface, SimpleStealth deploys a Monero (XMR) cryptocurrency miner that defers activity until the Mac is idle and stops immediately when the user moves the mouse or types. The miner also disguises its processes by imitating common system services.

Mosyle reports code artifacts consistent with generative AI output (long comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns) and said the sample was not detected by major antivirus engines at the time of discovery. The published indicators of compromise include the distribution file name, a Monero wallet address and multiple SHA‑256 hashes.
Why it matters
- This appears to be among the first macOS malware samples observed that include code likely produced by generative AI, suggesting attackers are adopting these tools.
- Use of convincing fake websites and UI means malicious installers can run while appearing benign, increasing the window for theft or resource abuse.
- The malware's approach to defeating macOS quarantine by prompting the user for system credentials shows a continued focus on social engineering rather than technical exploits to get past platform safeguards.
- Stealthy mining behavior that only runs when a device is idle and masks itself as system processes makes detection by end users more difficult.
- If AI lowers the technical barrier for malware authors, similar samples could be created and distributed more rapidly.
Key facts
- Malware family name: SimpleStealth.
- Distribution file name observed: Grok.dmg.
- Observed domain used in the campaign: xaillc[.]com.
- Primary payload: a Monero (XMR) cryptocurrency miner that activates when the Mac is idle and stops on user activity.
- At discovery, Mosyle reported the sample was not detected by major antivirus engines.
- The installer prompts for the user’s system password to remove macOS quarantine protections and prepare the payload.
- Code signs that point to generative AI authorship include lengthy comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns.
- Indicators of compromise published include a Monero wallet address and several SHA‑256 hashes for components such as Grok.dmg and miner scripts.
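The behaviours listed above suggest three host-side checks a responder can run: look for processes that borrow a system-service name but run from an odd location, compare file hashes against the published SHA-256 IoCs, and inspect the quarantine attribute that Gatekeeper relies on. The following Python helpers are an added example, not code from Mosyle, 9to5Mac or the malware itself. Every process name, path, hash and quarantine value in it is constructed for the demo; the real SimpleStealth hashes, domain and wallet are in Mosyle's write-up and are not reproduced here. The `xattr`-based reader only works on macOS.

```python
"""Host triage helpers for the SimpleStealth-style behaviours described above.
Added example; all sample data below is constructed, not real IoCs."""
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional

# Where genuine macOS daemons live. A process whose name mimics a system
# service but runs from a home directory or /private/tmp deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Service names worth baselining (illustrative; not the names SimpleStealth uses).
SYSTEM_SERVICE_NAMES = {"mdworker", "WindowServer", "launchd", "coreaudiod", "cfprefsd"}


@dataclass
class Proc:
    pid: int
    user: str
    path: str


def parse_ps(output: str) -> list[Proc]:
    """Parse `ps -axo pid=,user=,comm=` output (macOS prints the full binary path in comm)."""
    procs = []
    for line in output.strip().splitlines():
        pid, user, path = line.split(None, 2)   # path may contain spaces
        procs.append(Proc(int(pid), user, path.strip()))
    return procs


def find_masqueraders(procs: list[Proc]) -> list[Proc]:
    """Processes named like a system service but not running from a trusted location."""
    return [p for p in procs
            if os.path.basename(p.path) in SYSTEM_SERVICE_NAMES
            and not p.path.startswith(TRUSTED_PREFIXES)]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(paths: list[str], ioc_hashes: set[str]) -> dict[str, str]:
    """Map each path whose SHA-256 appears in the IoC set to its digest."""
    return {p: d for p in paths if (d := sha256_file(p)) in ioc_hashes}


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value: flags(hex);download time(hex seconds);agent;UUID.
    A freshly downloaded DMG with no attribute at all is the anomaly to look for."""
    flags, ts, agent, *rest = value.split(";")
    return {"flags": int(flags, 16), "downloaded_at": int(ts, 16),
            "agent": agent, "uuid": rest[0] if rest else ""}


def quarantine_value(path: str) -> Optional[str]:
    """Read com.apple.quarantine with the macOS `xattr` tool; None if absent or not on macOS."""
    try:
        r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                           capture_output=True, text=True)
    except FileNotFoundError:          # no xattr binary: not a Mac
        return None
    return r.stdout.strip() if r.returncode == 0 else None


def demo_ioc_match(directory: Optional[str] = None) -> dict[str, str]:
    """Write two constructed files and scan them against a constructed IoC set."""
    directory = directory or tempfile.mkdtemp()
    benign = os.path.join(directory, "notes.txt")
    sample = os.path.join(directory, "Grok.dmg")       # name only; contents are a stand-in
    with open(benign, "wb") as f:
        f.write(b"meeting notes\n")
    with open(sample, "wb") as f:
        f.write(b"CONSTRUCTED-DMG-STAND-IN\n")
    iocs = {hashlib.sha256(b"CONSTRUCTED-DMG-STAND-IN\n").hexdigest()}   # constructed, not real
    return match_iocs([benign, sample], iocs)


# Constructed ps sample: three genuine daemons and one impostor in a home directory.
SAMPLE_PS = """\
   1 root  /sbin/launchd
 331 root  /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker
 412 alice /usr/sbin/cfprefsd
9731 alice /Users/alice/Library/Application Support/.cache/mdworker
"""

# Constructed quarantine value (not copied from a real download).
SAMPLE_QUARANTINE = "0083;6613a2f0;Safari;1F2E3D4C-0000-4000-8000-0123456789AB"

if __name__ == "__main__":
    for p in find_masqueraders(parse_ps(SAMPLE_PS)):
        print(f"masquerading process: pid={p.pid} user={p.user} path={p.path}")
    print("IoC hits:", demo_ioc_match())
    print("quarantine fields:", parse_quarantine(SAMPLE_QUARANTINE))
```

On a real host, feed `find_masqueraders` the output of `ps -axo pid=,user=,comm=` and `match_iocs` the hashes from Mosyle's IoC list; the idle-only mining behaviour means a single `ps` snapshot taken while you are at the keyboard may miss the miner, so sample repeatedly or review `launchd` persistence rather than relying on one look.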
What to watch next
- Whether additional macOS samples using generative AI code appear in the wild (not confirmed in the source).
- If antivirus vendors update detections or signatures for SimpleStealth and related artifacts (not confirmed in the source).
- Any public response or mitigation guidance from the real Grok app developer or other affected parties (not confirmed in the source).
Quick glossary
- Monero (XMR): A privacy‑focused cryptocurrency favoured by illicit miners because its transactions are designed to be confidential and difficult to trace, and because its mining algorithm runs on ordinary CPUs rather than requiring specialised hardware.
- macOS quarantine: An extended attribute (com.apple.quarantine) that browsers and other apps set on downloaded files. Gatekeeper checks it on first launch and blocks apps that are not signed and notarized; removing the attribute, which requires the user's cooperation or privileges, bypasses that check.
- Generative AI: Machine learning models that produce text, code, images or other content based on patterns learned from training data.
- Indicator of Compromise (IoC): Technical artifacts such as file hashes, domains, or wallet addresses that can be used to detect or investigate malicious activity.
Reader FAQ
Is this the first AI‑assisted macOS malware?
Mosyle and 9to5Mac report this sample appears to be one of the first macOS malware instances found in the wild that contains code consistent with generative AI output.
How does the malware spread?
The campaign uses a look‑alike website impersonating the Grok app to trick users into downloading a malicious Grok.dmg installer.
Can antivirus detect SimpleStealth?
According to Mosyle, the sample was not detected by major antivirus engines at the time of discovery.
How can users protect themselves?
The source recommends avoiding downloads from third‑party sites and obtaining apps from the Mac App Store or developers’ official websites.

Sources
- Mosyle identifies one of the first known AI-assisted Mac malware threats (9to5Mac, Arin Waichulis)
- ReaderUpdate Reforged | Melting Pot of macOS Malware …
- Mosyle Business
- Mosyle Unveils First AI-Powered Zero Trust Security for …