Hidden Malice: Inside Tiny FUD’s Mac Backdoor

Tiny FUD is a dangerous backdoor, first seen in early 2025, that targets macOS devices. It allows cybercriminals to secretly access the device, steal passwords and banking information, and take screenshots.

What makes Tiny FUD hard to detect are its clever hiding techniques. It uses DYLD injection to sneak malicious code into trusted system programs. It also changes its process name to mimic common apps such as Safari, making it difficult to spot in system monitors. The malware hides its files from the macOS Finder view, making them harder for a user to find once it has burrowed into the system.

To avoid macOS’s security checks, Tiny FUD uses self-signing tricks that help it appear safe. It also delays its execution slightly to evade anomaly detection and cleans up all its system traces before it exits. It randomizes User-Agent strings to masquerade as regular browser HTTP traffic and remain under the radar of firewalls, and it communicates with its C2 servers using stealthy encoded messaging.

In this presentation we unmask Tiny FUD’s core functionality, analysing its rare DYLD injection technique. We’ll look at how it targets the dynamic linker to ensure covert execution and persistence, bypassing many security tools. Its relatively low prevalence indicates that threat actors are testing stealthier methods. As DYLD injection grows more sophisticated or widespread, it could pose significant detection challenges. Early understanding of this technique is crucial for future macOS defenses. The rise of such malware underscores the need for deep research and proactive security measures.

Suresh Reddy Lomada – K7 Computing Pvt Ltd

Suresh Reddy completed his Bachelor’s degree in Computer Science and Engineering at Vignan Institute of Technology and Science in 2022. He began his professional journey as a Threat Researcher at K7 Labs, where his primary responsibilities involve reversing and detecting various types of malware at multiple layers, as well as staying up to date with the latest trends. Suresh Reddy is passionate about malware analysis and reverse engineering of Windows and macOS files, and his research findings are published on the K7 Labs technical blog. During his leisure time, he enjoys playing cricket, writing stories and travelling with his friends.