■■■■■ The Threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS. Part of the CVE-2018-4404 exploit is likely borrowed from Metasploit framework. macOS version 10 was targeted using those exploits.
https://www.threatfabric.com/blogs/lightspy-implant-for-macos
https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos
https://t.me/cKure/14154