Tiny Shell
Tiny SHell is a lightweight backdoor known from open-source implementations and observed in targeted attacks against macOS users. The provided content describes it as a lightweight macOS backdoor used in APT activity, including prior in-the-wild attacks against Mac systems and an earlier campaign targeting Uyghur Mac users. One analyzed macOS sample was a modified Tiny SHell variant dubbed “TinyTim” by researcher Jaron Bradley.
In the documented macOS intrusion case, the malware was reportedly dropped onto victim systems over SSH using compromised credentials. The analyzed sample retained the core Tiny SHell backdoor functionality but added stealth and operational improvements: XOR-obfuscated strings via a custom MyDecode routine, an external INI-style configuration file, code signing, and anti-debugging using ptrace with ptrace_deny_attach. It also checked whether it was running as root, avoided connecting back to the infected host itself, and required a password before establishing a Tiny SHell session.
The sample read configuration data from a hidden path decoded as /Users/%@/Library/Fonts/.cache when executed as a basic user. Parsed configuration strings included PROG_INFO, name_masq, CONN_INFO, domain, and next_time. The C2 IP address or domain had to be XOR-encoded in the configuration file rather than stored in plaintext, and the embedded Tiny SHell password string decoded to "free&2015". The binary was code signed with TeamIdentifier 9LDYQNSK3R, although it was not determined whether the certificate was stolen or attacker-controlled.
Relevant indicators and artifacts directly mentioned in the content include SHA-256 8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc for the analyzed macOS sample, the hidden config path /Users/%@/Library/Fonts/.cache, the TeamIdentifier 9LDYQNSK3R, and the decoded password free&2015. The content also notes that new YARA rules were added to detect Tiny Shell backdoors on Linux and UNIX systems, including a SPARC variant, using byte patterns, XOR sequences, and system call names in ELF files.
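The indicators above are concrete enough to hunt for on a macOS fleet. The following is an added example written for this page (not code from the original write-up or from the Tiny SHell project): it matches file inventory records against the SHA-256, TeamIdentifier and hidden config path given above, and inspects a hidden Fonts/.cache file for the INI-style keys the sample parsed. The FileRecord inventory format, the sample records, the file name fontd and the team-id placeholder are constructed for the demo; scan_users() shows how to build records from a live /Users tree.

```python
"""Hunt for the TinyTim / Tiny SHell indicators named in the write-up above.

Added example for this page, not code from the original write-up or from the
Tiny SHell project. Inventory format and sample records are constructed.
"""
from dataclasses import dataclass
import hashlib
import os
import re

# Indicators from the write-up.
KNOWN_SHA256 = {"8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc"}
KNOWN_TEAM_IDS = {"9LDYQNSK3R"}
# The sample builds its config path as /Users/%@/Library/Fonts/.cache, with
# %@ replaced by the user name; match the expanded form for any user.
CONFIG_PATH_RE = re.compile(r"^/Users/[^/]+/Library/Fonts/\.cache$")
# Keys the sample read from that file.
CONFIG_KEYS = {"PROG_INFO", "name_masq", "CONN_INFO", "domain", "next_time"}


@dataclass
class FileRecord:
    """One inventoried file: path plus whatever metadata the collector had."""
    path: str
    sha256: str = ""
    team_id: str = ""          # from `codesign -dv`; empty if unsigned or unknown
    content: bytes = b""       # populated only for small hidden config candidates


def ini_keys(data: bytes) -> set:
    """Return key names from INI-style `key=value` lines, skipping comments and sections."""
    keys = set()
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, _ = line.partition("=")
        if sep:
            keys.add(key.strip())
    return keys


def hunt(records) -> list:
    """Return (path, reason) tuples for every record that matches an indicator."""
    hits = []
    for r in records:
        if r.sha256.lower() in KNOWN_SHA256:
            hits.append((r.path, "SHA-256 matches the analyzed TinyTim sample"))
        if r.team_id in KNOWN_TEAM_IDS:
            hits.append((r.path, "code signed with TeamIdentifier " + r.team_id))
        if CONFIG_PATH_RE.match(r.path):
            found = ini_keys(r.content) & CONFIG_KEYS
            reason = "hidden .cache under Library/Fonts"
            if found:
                reason += " with Tiny SHell config keys " + ", ".join(sorted(found))
            hits.append((r.path, reason))
    return hits


def scan_users(root: str = "/Users") -> list:
    """Build FileRecords for any <root>/<user>/Library/Fonts/.cache on a live host.

    Hashes the file; team_id stays empty because codesign is not invoked here.
    """
    records = []
    if not os.path.isdir(root):
        return records
    for user in os.listdir(root):
        cache = os.path.join(root, user, "Library", "Fonts", ".cache")
        if os.path.isfile(cache):
            with open(cache, "rb") as fh:
                data = fh.read()
            records.append(FileRecord(cache, hashlib.sha256(data).hexdigest(), "", data))
    return records


# Constructed inventory for the demo (not real telemetry; names and the
# non-indicator team id are placeholders).
SAMPLE_INVENTORY = [
    FileRecord("/Applications/Safari.app/Contents/MacOS/Safari", "0" * 64, "TEAMID-PLACEHOLDER"),
    FileRecord("/Users/alice/Library/Fonts/.cache", "1" * 64, "",
               b"; constructed config\nPROG_INFO=fontd\nCONN_INFO=AAEC\nnext_time=3600\n"),
    FileRecord("/Users/alice/Library/Fonts/fontd",
               "8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc",
               "9LDYQNSK3R"),
]

if __name__ == "__main__":
    for path, reason in hunt(SAMPLE_INVENTORY + scan_users()):
        print(f"{path}: {reason}")
```

The path check fires on any hidden .cache under a user's Fonts directory, even an empty one, because the write-up gives that location as the sample's config store; the config-key check only strengthens the reason string, so a rebuilt variant that renamed its keys would still surface on the path alone.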
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux/UNIX backdoor; content describes YARA detections for ELF variants (including SPARC) using byte patterns, XOR sequences, and syscall-name artifacts.
A lightweight macOS backdoor based on the open-source Tiny SHell project. The modified variant discussed ('TinyTim') adds XOR-encoded strings, an external INI-style config file, embedded password obfuscation, and anti-debugging checks, then connects to a command-and-control server to provide remote shell access similar to SSH.
Tiny SHell is a lightweight backdoor used in APT attacks against Mac users, providing remote access.