MaMi is a DNS hijacker that can exploit devices running macOS. The malware is distributed via an unsigned Mach-O 64-bit binary - which, at the time of writing, isn't detected by by scan engines such as VirusTotal. It was discovered by Mac security expert Patrick Wardle after a teacher reported the infection on her device. The two DNS servers the malware adds to infected hosts are: 82[.]163[.]143[.]135 and 82[.]163[.]142[.]137.

Researchers suspect it is being developed into a remote access trojan (RAT) as it appears the malware has the capacity to:

  • Install a local certificate,
  • set up custom DNS settings,
  • take screenshots,
  • hijack mouse clicks,
  • run AppleScripts,
  • get OS launch persistence,
  • download and upload files, and
  • execute commands.

However, at the time of writing it can only:

  • Get boot persistence,
  • install a local certificate, and
  • set up custom DNS server settings.

Technical Details

  • Wardle Provides technical details on MaMi here.


MacOS MalwareNJCCICmami