Janicab
Janicab is malware associated with the DeathStalker threat actor. Public reporting referenced it alongside DeathStalker’s Evilnum and PowerSing campaigns, and researchers identified a Janicab variant used to target legal entities in the Middle East during 2020. The malware was observed using a valid Apple Developer ID to sign its code in order to bypass security restrictions. Documented capabilities include capturing screenshots and recording audio from compromised systems, then exfiltrating that data to a command-and-control server. High-confidence behaviors mentioned in the source material are screen capture, audio capture, C2 exfiltration of collected data, and use of valid code signing for defense evasion.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In late August 2020, we published an overview of DeathStalker’s profile and malicious activities, including their Janicab, Evilnum and PowerSing campaigns.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Defense Impairment
1 technique
Public reporting repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware so that it appears legitimate; cited examples include AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Collection
2 techniques
"Agent Tesla can capture screenshots of the victim's desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named malware/campaign associated with DeathStalker, mentioned as part of the actor’s malicious activities.
Cross-platform (macOS/Windows) malware family; new variant observed in DeathStalker intrusions with a VBS-based final-stage implant and embedded/obfuscated tooling in the dropper.
Janicab used a valid Apple Developer ID to bypass macOS security restrictions.
Backdoor that captures audio and exfiltrates it to command-and-control infrastructure.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.