Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
ID: 0f45a77e-3476-5753-814c-0a3e98176574
STIX ID: report--0f45a77e-3476-5753-814c-0a3e98176574
Feed Name: Volexity Blog
Volexity discovered and dissected a macOS variant of the multi-platform GIMMICK implant used by Storm Cloud, a Chinese espionage actor. The report details persistence via LaunchAgents, a configuration-decoding routine that combines rotating addition with AES, Google Drive-based command-and-control driven by an asynchronous GCD workflow, the command formats and working directories used by the implant, workday-only beaconing intended to reduce detection, a recovered SHA1 indicator, and recommended mitigations including Apple XProtect/MRT updates and YARA rules.