Storm Cloud used its custom malware to target Asian macOS users

Storm Cloud Hacking Group GIMMICK Custom Malware Asia MacOS

A Chinese espionage threat group called Storm Cloud uses custom-made malware to target macOS users based in Asia. Researchers identified the malware used by the threat actors as GIMMICK, which is a previously unknown macOS malware strain.

The GIMMICK malware was found during an analysis of a cyberespionage attack in the latter parts of last year. They got ahold of the malware from the RAM while forensic examining a MacBook Pro with a macOS version of 11.6.

The Storm Cloud utilised the malware to target numerous organizations in Asia and was configured by the group to communicate with a Google Drive-based command-and-control server.

The purpose of the configuration is to blend in and disguise the malware on the regular network traffic.


The Storm Cloud GIMMICK malware could also infect Windows users.


Experts stated that Storm Cloud’s custom-made malware is a multi-platform tool coded in Delphi and DotNet for Windows and Objective C for macOS.

All versions of the tool utilise identical command-and-control infrastructure, patterns, paths, and Google Drive services exploits. Hence, researchers tracked it as a single tool even after having numerous code differences.

Some researchers also believed that Storm Cloud is not the tool developer but another client who bought the malware from a third-party vendor.

However, Storm Cloud has taken advantage of the malware since they deploy the tool to let the user directly launch it to the system that will install itself as a binary file PLIST. Subsequently, the malware will run by performing multiple data decoding stages. Then, it will operate a final session with Google Drive to utilise hard-coded OAuth2 information.

After the operation is finished, the tool will deploy three additional malware components: DriveManager, GCDTimerManager, and FileManager. The DriveManager is the first component to run several actions in the infected system.

The GIMMICK custom-made malware is a large and complex payload, implying that the threat actor operating it is well-funded. Additionally, the malware is advanced and can become a hostile threat for many users in the future.

About the author

Leave a Reply