Early last year, a piece of Mac malware came to light that left researchers puzzled. They knew that malware dubbed Fruitfly captured screenshots and webcam images, and they knew it had been installed on hundreds of computers in the US and elsewhere, possibly for more than a decade.
Still, the researchers didn't know who did it or why. An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.
APT28, the Russian hacking group tied to last year's interference in the 2016 presidential election, has long been known for its advanced arsenal of tools for penetrating Windows, iOS, Android, and Linux devices.
Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.
In response to more activists using Apple Mac computers instead of Windows PCs, suspected Iranian government hackers have apparently developed their own Mac-based malware, according to a new report from security researchers.
The finding highlights the constant ebb and flow of governments disrupting and tracking activist movements. As one group adopts a new tool or technique, state-sponsored hackers may need to adapt to get the information they're after. "This demonstrates that Iranian actors are responsive to their environment," Collin Anderson, one of the security researchers behind the report, said in an email.
Security researchers have discovered a rare piece of Mac-based espionage malware that relies on outdated coding practices but has been used in some previous real-world attacks to spy on biomedical research center computers.
Dubbed Fruitfly, the malware has remained undetected for years on macOS systems despite using unsophisticated and "antiquated code." According to the researchers, the recently discovered malware, which they're calling "the first Mac malware of 2017," contains code that dates from before OS X and has reportedly been conducting detailed surveillance operations on targeted networks, possibly for over two years.
Seven years later, Shazam is still an amazing idea -- just press a button to know the name of the song that's currently playing. That's all well and good, but what if the music discovery tool keeps on listening, even when you turn it off?
On Monday, benevolent hacker Patrick Wardle revealed that, on Mac computers, the Shazam app never lets go of your laptop or desktop microphone. It continues to listen even after you've told the app to stop listening. Don't get outraged just yet, though. It doesn't look like Shazam is doing anything malicious with that data: not saving it, processing it, or phoning it back home to servers. It's simply on when it should be off.
A number of Evernote users are now being alerted via email message of a serious bug that may cause data loss in certain versions of the company’s Mac application.
Not all Evernote Mac users were affected by this bug, but those who received the email will need to update their Mac app immediately to protect themselves from the issue. According to the email sent to users, the bug can cause images and other attachments to be deleted under specific conditions when using Evernote for Mac. The company claims only "a small number of people" have been impacted by the glitch.
An interesting file turned out to be a sample of modular malware for MacOS X. Even after preliminary analysis it was clear that the file was not designed for any good purpose.
Further investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension; the extension's code is publicly available, for example, on GitHub. The Trojan checks for the presence of certain files, and the result of that check determines where the Trojan's files will be installed: