0-day in macOS used to deploy spyware as part of a watering hole campaign against website visitors in Hong Kong


Google’s Threat Analysis Group (TAG) have reported a campaign targeting visitors to pro-democracy and news websites in Hong Kong. The threat actor, which Google assesses is likely to be state-backed, used two different exploit chains, one targeting macOS and one targeting iOS, to install spyware on victims’ devices.

The macOS exploit chain used a WebKit exploit (CVE-2021-1789), patched in January, and an XNU exploit (CVE-2021-30869), patched in September (and reported previously).

The iOS exploit chain was encrypted with the IRONSQUIRREL framework, meaning TAG were unable to analyse it fully, but an exploit for CVE-2019-8506 (patched in iOS 12.2) was observed.


Vulnerable visitors to the websites would have their devices infected with malware capable of the following:
– Recording audio
– Logging keystrokes
– Fingerprinting the device
– Capturing the screen
– Uploading and downloading files
– Executing terminal commands

Affected Products

macOS Mojave (10.14) or Catalina (10.15)
iOS < 12.2

Indicators of Compromise

Delivery URLs


File hashes (SHA-256)

cbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c (capstone.js)
bc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9 (mac.js)

Sandbox escape / LPE

cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)


Threat Landscape

A watering hole campaign targets a group of victims by compromising a website that those people are known to visit, so that the site itself delivers the exploit to them.

The delivery URLs for this campaign reference Amnesty International, a human rights organisation which recently announced the closure of their Hong Kong office, citing security concerns.

Pro-democracy activists in Hong Kong have previously been targeted by the state as they protest against stronger national security laws.

MITRE Methodologies

T1189 – Drive-by Compromise [watering hole attack]

T1014 – Rootkit

Further Information

Analyzing a watering hole campaign using macOS exploits

About the security content of iOS 14.4 and iPadOS 14.4

About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave

About the security content of iOS 12.5.5

About the security content of Security Update 2021-006 Catalina