Phil Stokes ⫍🐠⫎
LightNews LightNews
banner
philofishal.bsky.social
Phil Stokes ⫍🐠⫎
@philofishal.bsky.social
1.7K followers 260 following 350 posts
macOS security researcher espousing no one's opinions but my own. Dogged follower of #lufc, at least until the world stops going round (IYKYK).
philastokes.com
Posts Replies Media Videos
philofishal.bsky.social
You know how ppl say you can't decompile run-only #AppleScript ... 😜 #macOS #security
showing comparison of source code (left) and output of AppleScript decompiler.
November 7, 2025 at 6:15 PM
philofishal.bsky.social
🙌 Updated the XProtect-Malware-Families repo to the latest version of XProtect.
💁‍♂️ The repo maps #Apple #malware names to more common names used by security vendors.
#YARA style tags so now you can search for classes of malware like 'infostealer', 'trojan'. #security
github.com/SentineLabs/...
examples of searching for malware names using xprotect-malware-families repo
November 4, 2025 at 5:57 PM
philofishal.bsky.social
OK, I’m in. 🤣 #lufc
Wilder sent off notification from Sky Sports
September 30, 2025 at 8:18 PM
philofishal.bsky.social
#Apple's update for #XProtect v5316 includes new rules for #Amos #infostealer. BUT ⚠ XProtect_MACOS_SOMA_SEENC is only detecting bytes in the x86 slice. Thin that binary and you can run the arm slice without detection. #security #macOS
Sample md5: 7f394bdf8f94b7ba9bc6031b5477f556
New YARA rule for Amos infostealer in XProtect version 5316.
September 26, 2025 at 3:43 PM
philofishal.bsky.social
Oh Amy…
September 20, 2025 at 3:19 PM
philofishal.bsky.social
Does not make for pretty reading. Hope we had a great Int’l break on the training ground and see something different today. #lufc
Leeds and Fulham form guide
September 13, 2025 at 10:42 AM
philofishal.bsky.social
Why would he be sacked? Leeds sit 12th in the table after three games. Above Manchester City, Newcastle, Fulham and Villa.
Leeds sit 12th in the table after three games. Above Manchester City, Newcastle, Fulham and Villa.
September 9, 2025 at 8:50 AM
philofishal.bsky.social
#lufc
Time to next Leeds game is 11 days
September 2, 2025 at 7:56 AM
philofishal.bsky.social
W1 D1 L1.
Enjoy your International break! #lufc
Premier league table after game week 3
August 31, 2025 at 8:33 PM
philofishal.bsky.social
What’s everyone worried about? We’re playing a team 2pts and three places below us. Should be a stroll… 😉🫣 #lufc 🤍💙💛
Premier League Table after 2 games
August 30, 2025 at 9:38 AM
philofishal.bsky.social
Cheer up! Leeds 12th or 13th after game week 2. #lufc
🦾 🤍💙💛
Leeds 12th or 13th after game week 2.
August 24, 2025 at 5:28 PM
philofishal.bsky.social
#lufc
August 23, 2025 at 3:23 PM
philofishal.bsky.social
www.theguardian.com/football/pic...
#lufc 🤍💙💛 🤣😂🤣
Cartoon
August 12, 2025 at 12:42 PM
philofishal.bsky.social
57 more days… 😱😭 #lufc
June 22, 2025 at 5:25 PM
philofishal.bsky.social
And we're straight onto XProtect v5292! New rule for ToyDrop (aka Adload) and a couple of mods to a few other rules, mostly #adware but also SOMA.G aka Amos Atomic. #macOS #security
XProtect v5292 adds a new rule for ToyDrop, also known as Adload.
April 3, 2025 at 4:28 PM
philofishal.bsky.social
Nothing much interesting in #XProtect update v5291, just a modification to a recent #Pirrit #adware rule. #macOS
XProtect v5291 modifies an existing Pirrit adware rule.
April 2, 2025 at 1:31 PM
philofishal.bsky.social
Power up your #radare2 pifc command with a $pifc alias that sorts and counts the calls in a function. #macOS #reverseengineering #r2
Use this r2 alias to sort and count calls in a function: $pifc='pifc | sort | uniq -c | awk '{print $1," x ",$3}' | sort -nr' (escape the pipes and inner quotes when using in .radarerc config file).
April 1, 2025 at 1:02 PM
philofishal.bsky.social
Up next: second-from-bottom Luton, who have just won and now decided they want to be one of the Champo’s in-form teams - fifth in the league to our miserable 12th. 🙀 #lufc
Championship form table
March 30, 2025 at 12:53 AM
philofishal.bsky.social
And the fun part is it beacons out to the C2 to let the operator know the device is ready for compromise.
Disassembly showing code related to the beacon capability.
January 20, 2025 at 3:53 PM
philofishal.bsky.social
This backdoor has the ability to execute remote commands and to take screen captures. It also self signs and attempts to hide its true name from inspection through osascript and System Events.
disassembly showing the ability to take a screencapture The malware leverages osascript and System Events.app to masquerade as a legitimate process.
January 20, 2025 at 3:53 PM
philofishal.bsky.social
That's going to result in a request to install Xcode's (current) command line tools if not already installed.
Image of dialog alert asking if the user wants to install the required command line tool 'SetFile'.
January 20, 2025 at 3:53 PM
philofishal.bsky.social
This #macOS backdoor uses /usr/bin/SetFile to hide itself in the Finder. SetFile was deprecated in Xcode 6 (that's 2014 to humans)...not sure why it makes sense to declare smth 'deprecated' then leave it in the OS for 10+ years. 🤷‍♂️ #apple #malware
SHA1: 609088c54b99432aab212f35cfe74030b52f0320
Image of disassembly showing a new macOS backdoor using the deprecated CLI tool 'SetFile'.
January 20, 2025 at 3:53 PM
philofishal.bsky.social
Thanks. 🫠
#macOS #dev
The error message reads: Could not open database file. Reason: unable to open database file.
November 29, 2024 at 2:02 PM
philofishal.bsky.social
The good old days, when you could open up a #Mac and play with the insides. 😀 #fixit #upgrade #repairability
That old 2009 MBP is still running today, too. 💜
Inside a 2009 MacBook Pro showing the components that could be removed and replaced or upgraded.
November 29, 2024 at 1:44 PM
philofishal.bsky.social
“It’s OK to eat [your enemy] because they don’t have any feelings”.
November 26, 2024 at 2:37 AM