
Mosyle flags two unseen macOS malware families

9to5Mac

Security firm Mosyle has uncovered two macOS malware samples that slipped past every major antivirus scanner without detection. The first, dubbed Phoenix Worm, is a Golang-based cross-platform stager that contacts a remote C2 server, generates unique host IDs and prepares the machine for additional payloads. The second, ShadeStager, is a modular implant designed to siphon developer credentials and cloud tokens from enterprise environments.

Both tools reflect the shift toward low-noise, persistence-focused attacks that has dominated recent Mac threat campaigns over the past year. Phoenix Worm appears to be the foothold component of a larger toolkit: it lacks standalone malicious behavior, and only its Windows builds show limited detection. ShadeStager targets SSH keys and known hosts files, AWS, Azure and GCP credentials, Kubernetes configs, and browser profiles, exfiltrating the data over HTTPS.

Neither sample triggered any signature in commercial AV products at the time of analysis, underscoring the limits of signature-based detection. Mosyle released SHA-256 hashes for both binaries across the platforms they were built for, so administrators can add them to endpoint blocking rules. The emergence of Go- and Rust-based macOS implants suggests security teams must prioritize behavioral monitoring and real-time visibility to protect corporate fleets.