Global Stock News

North Korean actors blend ClickFix with new macOS backdoors in Crypto campaign

WAVESHAPER functioned as the primary backdoor, establishing remote access and enabling additional payload delivery. HYPERCALL operated as a downloader, retrieving secondary components such as HIDDENCALL, which provided further command execution capabilities. This staged deployment allowed the threat actor to expand control over the compromised macOS system in phases rather than dropping a single large payload.

DEEPBREATH, a Swift-based infostealer, focused on harvesting sensitive data from the host. According to the researchers, it manipulated Apple’s Transparency, Consent, and Control (TCC) framework to access protected resources without prompting the user. That enabled the collection of browser data, keychain material, and…
