Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users

"The nature of the activity and targeting is consistent with a government backed actor," the Google researchers say.

Google researchers caught hackers targeting users in Hong Kong exploiting what were at the time unknown vulnerabilities in Apple’s Mac operating system. According to the researchers, the attacks have the hallmarks of government-backed hackers. 

On Thursday, Google’s Threat Analysis Group (TAG), the company’s elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn’t go as far as pointing the finger at a specific hacking group or country, but they said it was “a well resourced group, likely state backed.” 


“We do not have enough technical evidence to provide attribution and we do not speculate about attribution,” the head of TAG Shane Huntley told Motherboard in an email. “However, the nature of the activity and targeting is consistent with a government backed actor.”

Erye Hernandez, the Google researcher who found the hacking campaign and authored the report, wrote that TAG discovered the campaign in late August of this year. The hackers had set up a watering hole attack, meaning they hid malware within the legitimate websites of “a media outlet and a prominent pro-democracy labor and political group” in Hong Kong. Users who visited those websites would get hacked with two exploits: one for an unknown vulnerability (in other words, a zero-day) and another that took advantage of a previously patched vulnerability for MacOS. The exploits were used to install a backdoor on their computers, according to Hernandez.

Apple patched the zero-day used in the campaign in an update pushed out on September 23, according to the report. 

Apple did not immediately respond to a request for comment. 

Google’s researchers were able to trigger the exploits and study them by visiting the websites compromised by the hackers. The sites served both iOS and MacOS exploit chains, but the researchers were only able to retrieve the MacOS one. The zero-day exploit was similar to another in-the-wild vulnerability analyzed by another Google researcher in the past, according to the report. 


In addition, the zero-day exploit used in this hacking campaign is “identical” to an exploit previously found by cybersecurity research group Pangu Lab, Huntley said. Pangu Lab’s researchers presented the exploit at a security conference in China in April of this year, a few months before hackers used it against Hong Kong users.  

“It was presented as an exploit targeting Big Sur, but we discovered that it also worked on Catalina,” according to Huntley. (Google classified this as a zero-day because it was unpatched in Catalina, a version of MacOS that was supported at the time.) 

Pangu Lab did respond to a request for comment sent over Twitter. 


Patrick Wardle, a researcher who specializes in Apple products, reviewed Google’s research for Motherboard, and analyzed the malware by downloading it from Virus Total, a Google-owned malware repository. 

Wardle, who develops a suite of free and open source security tools for Mac, said that it’s not surprising to see advanced hacking groups using Mac zero-days. What’s interesting, Wardle said, is that in this case the hackers combined a previously known vulnerability—also known as an N-day—with an unknown one that they got from a conference.


“Leveraging both N-days and what appeared to be a publicly presented zero-day highlights how attackers may not have to utilize their own zero-days to successfully infect remote targets,” Wardle told Motherboard in an online chat. 

Wardle found that the software contained code strings in Chinese, such as 安装成功 (Successful installation), and that the command and control server it connected to was located in Hong Kong. 

The string in Chinese contained in the malware analyzed by Wardle. (Image: Patrick Wardle)

“Based on variety of factors such as the targeting approach and victims ('visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group'), exploitation methodologies, C&C server metadata, as well as indicators extracted from the implant (such as Chinese strings) there are only plausible answers to who is behind this: China, or somebody wanting to look very much like the Chinese,” Wardle said. “Though both of course are possible, the former is far more likely.”

There’s already been a case where government hackers have repurposed exploits presented at a Chinese security conference. 

In 2017, hackers working for Chinese intelligence used an exploit presented at a well-known hacking competition to target Uyghurs, the repressed Muslim minority in China, MIT Technology Review revealed earlier this year.

This latest report by TAG shows that, once again, tech and cybersecurity companies are catching an unprecedented number of zero-days in the wild. Apple, Microsoft, and several others are patching bugs that are believed to be exploited in the wild at a higher rate than in past years. According to a recent count, there have been 80 zero-days caught in the wild this year. Last year, to put this number in context, there were only 25 zero-days exploited by hackers before companies had a chance to patch the bugs, according to Google, which tracks the use of zero-days.

This is not necessarily bad news. 

“So why are we seeing more [zero-days] in 2021?” Wardle previously told Motherboard. “I'd venture a guess that there is either improved insight and detection capabilities of the use of such zero-days, or just that their use is really becoming more prolific.”
