Quick checklist (copy/paste for use)
- Disconnect from network.
- Make/secure backup (to external drive) only if safe.
- Reboot into Safe Mode (Shift on Intel; power menu on Apple Silicon).
- Check Activity Monitor for suspicious processes.
- Check Login Items / LaunchAgents / LaunchDaemons / Profiles.
- Remove suspicious apps from Applications (move to quarantine).
- Remove browser extensions & clear caches.
- Run Malwarebytes / Bitdefender / Norton full scan; quarantine/remove findings.
- Reboot normally and re-scan.
- If persistent: erase disk + reinstall macOS from Recovery, restore from clean backup.
- Change passwords from a clean device.
- Reinstall apps from trusted sources and update macOS.
- Hardening: FileVault, Firewall, automatic updates, password manager.
Full step-by-step procedure
1) Immediately isolate the Mac
- Disconnect from the Internet (unplug Ethernet, turn off Wi-Fi) to prevent data exfiltration or further download.
Why: prevents the malware from contacting command & control or spreading. (Norton / Malwarebytes recommend this as the first move.) Norton+1
2) Preserve evidence and important data (but be careful)
- If you have a good, recent backup (Time Machine or a clean clone): make a fresh backup copy now (to an external drive) so you don’t lose user data.
- If you suspect ransomware or data theft, do not connect backup drives to infected machine unless you’re sure backups are not at risk; use a separate clean machine if possible.
- Note the symptoms, exact error messages, and the time they started — this helps if you escalate to a pro.
(Apple and Malwarebytes both recommend making sure data is safe before destructive steps.) Apple Support+1
3) Try a non-destructive, simple fix first
- Quit suspicious applications; reboot and test.
- Clear browser caches and remove suspicious browser extensions first (often adware or hijackers manifest as browser problems).
Guides from Malwarebytes, LifeWire and Intego show browser extension removal as a common early step. Lifewire+1
4) Boot into Safe Mode (different by hardware / macOS)
- Intel Macs (all versions): restart and hold Shift to boot Safe Mode.
- Apple Silicon (M1/M2) Macs (commonly running macOS 11/12/13/14): shut down, then press & hold the power button until startup options appear; select your disk, hold Shift and click Continue in Safe Mode.
- In Safe Mode macOS disables many third-party drivers and startup items which prevents some malware from auto-starting; this makes manual removal and scanning more effective. (Apple + Norton explain Safe Mode differences.) Apple Support+1
5) Check Activity Monitor for suspicious processes
- With Safe Mode (or after a normal boot if Safe Mode won’t work), open Activity Monitor and look for unknown processes with high CPU, memory, or network usage.
- If you find a suspicious process: note its process name and path (right-click → “Open Files and Ports” or inspect via Terminal
ps/lsof). - Don’t kill system processes you don’t recognise without checking — Googling process names and paths helps. (Norton advises checking for suspicious processes as part of triage.) Norton
6) Inspect Login Items, LaunchAgents, LaunchDaemons, and kernel extensions
- Look in these folders for unfamiliar items and plist files:
/Library/LaunchAgents//Library/LaunchDaemons/~/Library/LaunchAgents//Library/Application Support//Library/Extensions/(kernel extensions — rarer now)
- Also check System Settings → Users & Groups → Login Items (or older macOS: System Preferences).
- Remove clearly malicious or unknown items (move to quarantine folder first). Vendor guides (Intego, Norton) describe these locations as common persistence points. support.norton.com+1
7) Check browsers for hijackers & malicious profiles
- Remove unknown browser extensions in Safari / Chrome / Firefox.
- In Safari also check Settings → Privacy & Security and Extensions; remove unknown ones and clear website data.
- Check Profiles (System Settings → Privacy & Security → Profiles) — some adware installs profiles to persist and control settings. Remove malicious profiles. LifeWire & Intego explain SearchMarquis / browser hijacker removal steps. Lifewire+1
8) Run reputable anti-malware scanners (Malwarebytes, Bitdefender, Norton, etc.)
- Install a well known macOS scanner on another clean machine if you’re concerned about downloading to infected system; but most guides accept installing on the affected Mac while offline.
- Run a full scan (not just quick) and remove/quarantine anything found. Malwarebytes is commonly recommended for adware and PUPs; Norton / Bitdefender can catch broader threats. Malwarebytes+1
- After removal, reboot normally and re-scan until clean.
9) If the tool reports persistent or complex infection → escalate the cleanup
- If malware returns after reboot (persistence), or you find files in kernel space/kernel extensions, or there’s firmware-level infection suspicion:
- Consider erasing the disk and reinstalling macOS (clean install).
- Restore only from a known-good backup (one made before the infection).
- If you must restore from a Time Machine backup, scan the backup on a clean machine first (do not reintroduce malware).
- Many guides (Malwarebytes, Norton, Apple, and community experts) recommend a clean reinstall as the surefire fix for stubborn infections. Malwarebytes+1
10) Reinstall macOS (when necessary)
- Boot into Recovery mode:
- Intel macs: restart and hold Command+R (or Option+Command+R for internet recovery).
- Apple Silicon: press&hold power until options appear → choose Options → Continue to Recovery.
- Use Disk Utility to erase the internal drive (if you choose full wipe), then Reinstall macOS from Recovery. After reinstall, run up-to-date system updates. (Apple docs explain Recovery steps.) Apple Support
11) Reset passwords and check accounts
- If you suspect credentials were stolen (phishing/malware with keylogger), change passwords from a clean device: Apple ID, email, banking, and other sensitive accounts. Enable 2FA where possible.
- Revoke suspicious app passwords/tokens (OAuth) in account security settings.
12) Reinstall apps from trusted sources and update everything
- Reinstall any apps only from official developer websites or the Mac App Store.
- Apply macOS updates (security patches) — Apple’s XProtect and Gatekeeper get updates; macOS patching reduces future risk. Apple explicitly documents XProtect and Gatekeeper as built-in defenses. Apple Support+1
13) If you had third-party AV or security tools installed, consider removing/reinstalling them properly
- Some AV products can cause conflicts if poorly removed. Use vendor uninstallers when available (e.g., Malwarebytes has uninstall steps; Intego provides uninstallers). Check vendor docs for complete removal. help.malwarebytes.com+1
14) When to get professional help
- If infection looks like a rootkit, firmware compromise, or ransomware, or if you’re unsure, stop and contact a professional data-recovery / security firm. Some threats require specialist tools and techniques. Malwarebytes and Norton both recommend escalating to pros for complex infections. Malwarebytes+1
🧠 What a rootkit actually is
A rootkit is a piece of malicious software that modifies or hides parts of the operating system to conceal other malware or give attackers persistent control with elevated privileges (“root” access).
On macOS, rootkits may:
- Replace or patch system binaries (rare today due to SIP)
- Install kernel extensions (on older versions)
- Hook low-level system calls
- Hide files, processes, or network connections
Because of macOS’s System Integrity Protection (SIP) (introduced in 10.11 El Capitan), true kernel-level rootkits are now rare, but user-space or system extension–based persistence can still happen.
Practical symptoms that can suggest a rootkit
| Type | Example signs | Why it’s suspicious |
|---|---|---|
| System behaviour | Persistent crashes, kernel panics, fans running constantly, or unexplained CPU spikes that persist even after reinstalling apps | Rootkits hook kernel or system processes |
| Invisible processes | You can see high resource use in Activity Monitor but the process name doesn’t match, or disappears quickly | Could indicate cloaked process or renamed binary |
| Network traffic | Persistent outbound connections even when idle; unusual traffic shown in ‘nettop’ or ‘lsof -i’ | Rootkits often beacon to remote servers |
| System settings revert | Security or privacy settings keep reverting after reboot (e.g., firewall off again) | Indicates deeper persistence |
| Files/folders you can’t view/delete | Even as admin you can’t remove or see certain files (‘Operation not permitted’ despite permissions) | May be protected or hidden by a kernel component |
| Antivirus/updates disabled | Security tools crash or fail to update; system updates won’t install properly | Malware interfering with system daemons |
| Survives reinstall | You erase and reinstall macOS, and infection signs return even before restoring apps | Suggests firmware or external-drive infection |
How to investigate (safely)
1. Use built-in command-line checks
From Terminal:
ps aux | grep -v '\[' | grep -v root
sudo lsof -i
kextstat | grep -v com.apple
kextstatlists loaded kernel extensions (pre–macOS 11 mainly).- Any non-Apple kexts you didn’t install (e.g., no signed vendor name) are red flags.
lsof -ishows open network connections.- Look for persistent outbound connections from odd processes.
launchctl listshows active LaunchAgents/Daemons.- Unexpected entries in
/Library/LaunchDaemonsare worth checking.
- Unexpected entries in
⚠️ If SIP is on (default), true kernel-level tampering is harder — that’s good — but if SIP is off and you didn’t turn it off, that’s extremely suspicious.
2. Use reputable third-party tools for deeper inspection
- Malwarebytes / EtreCheck / KnockKnock / Objective-See tools (by Patrick Wardle)
These inspect login items, kernel extensions, launch daemons, and hidden persistence mechanisms.- KnockKnock and BlockBlock are excellent for visualizing what runs automatically.
- Rootkit Hunter (rkhunter) is a UNIX tool, though less maintained for macOS; it can catch outdated patterns.
3. Check SIP and TCC integrity
Run:
csrutil status
If it reports disabled and you didn’t disable it, that’s serious.
Also check privacy database integrity:
tccutil reset All
4. Compare hashes of system binaries
If you suspect replacement of system files, you can use:
sudo shasum -a 256 /bin/ls
and compare against known-good Mac installation (advanced users only).
🧩 When suspicion becomes escalation
Call it a “rootkit-level” concern if you see one or more of these:
SIP disabled without your consent.
Unknown kernel extension loaded.
Malware or persistence that survives a clean macOS reinstall.
Activity Monitor, Finder, or security tools crash when examining certain files.
Firmware updates fail or revert.
At that point, stop normal use and take these actions:
Backup only necessary personal files (avoid system files).
Do a full erase and reinstall macOS from Internet Recovery (Option+Command+R or Apple Silicon equivalent).
Do not restore from Time Machine until the backup is scanned externally.
If problem persists even after a full reinstall, seek professional forensic help — this might involve Apple Authorized Service or a trusted Mac security firm.
TL;DR Root KIt Summary
| Level | What to do |
|---|---|
| Mild suspicion (odd pop-ups, slow performance) | Run Malwarebytes, check Login Items, browser extensions |
| Persistent malware that reinstalls itself | Boot Safe Mode, manually check LaunchDaemons, scan with Objective-See tools |
| SIP off, unknown kexts, infection survives clean reinstall | Treat as possible rootkit / firmware compromise → erase + reinstall; if still persists → professional forensic help |
15) Post-incident hardening & monitoring
- Enable FileVault (disk encryption), enable automatic updates, enable Firewall, use strong unique passwords and a password manager, and consider using a reputable real-time anti-malware product if you prefer (recognize tradeoffs). Monitor logs and network traffic for a while. Apple’s security guide and vendor articles recommend these protections. Apple Support+1
Version-specific notes and important differences
- Safe Mode boot keys / method
- Intel (10.11–10.15, and Intel Macs running 11–14): hold Shift at startup for Safe Mode.
- Apple Silicon (commonly running macOS 11/12/13/14 on Apple-silicon hardware): hold power to see startup options and select Safe Mode.
- (Result: Safe Mode is slightly different on Apple Silicon — steps above are version/hardware dependent.) Apple Support
- System Integrity Protection (SIP)
- SIP was introduced in macOS 10.11 (El Capitan) and remains in later macOS versions; it protects many system locations. Disabling SIP is rarely required for malware removal, and doing so reduces protection — only advanced users should alter it and only in Recovery; on Intel you use
csrutil, on Apple Silicon you use Recovery options. (Apple docs.) Apple Support
- SIP was introduced in macOS 10.11 (El Capitan) and remains in later macOS versions; it protects many system locations. Disabling SIP is rarely required for malware removal, and doing so reduces protection — only advanced users should alter it and only in Recovery; on Intel you use
- Kernel extensions & system locations changed over time
- Modern macOS (Big Sur onward) reduces reliance on third-party kernel extensions and uses system extensions / drivers differently. Malware that requires kernel access is rarer on newer macOS but more serious if present. This affects what you inspect (older kernel extensions live in
/Library/Extensionson pre-Big Sur systems). WIRED+1
- Modern macOS (Big Sur onward) reduces reliance on third-party kernel extensions and uses system extensions / drivers differently. Malware that requires kernel access is rarer on newer macOS but more serious if present. This affects what you inspect (older kernel extensions live in
- Gatekeeper & notarization
- Gatekeeper and notarization have been strengthened across macOS versions; however attackers sometimes use stolen certificates or social engineering. Gatekeeper helps but is not foolproof. (Apple security guidance + industry writeups.) Apple Support+1
- Browser-based adware / Search hijackers
- These are typically OS-agnostic and appear across 10.11 → 14. Removal method (extensions, profiles, LaunchAgents) is the same, but UI locations (System Preferences vs System Settings) differ slightly between older (10.x) and newer macOS (System Settings in 13/14). Lifewire+1
| Step | 10.11 (El Capitan) | 10.13 (High Sierra) | 10.14 (Mojave) | 10.15 (Catalina) | 11 (Big Sur) | 12 (Monterey) | 13 (Ventura) | 14 (Sonoma) |
|---|---|---|---|---|---|---|---|---|
| Disconnect network | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Backup / preserve data | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Safe Mode boot | ✅ (Shift, Intel) | ✅ (Shift) | ✅ (Shift) | ✅ (Shift) | ⚠️ (Shift on Intel; power-hold on Apple Silicon) | ⚠️ (same) | ⚠️ (same) | ⚠️ (same) |
| Check Activity Monitor | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Inspect LaunchAgents/Daemons | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Remove suspicious Apps (Applications folder) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Browser extensions / Profiles | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Run anti-malware scan (Malwarebytes/Norton) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Reinstall macOS via Recovery | ⚠️ (Command+R Intel) | ⚠️ (same) | ⚠️ (same) | ⚠️ (same) | ⚠️ (Intel vs Apple Silicon: method differs) | ⚠️ (same) | ⚠️ (same) | ⚠️ (same) |
| Use FileVault / Firewall / updates | ✅ (FileVault available) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SIP (System Integrity Protection) controls | ✅ (SIP introduced in 10.11) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Kernel extensions location changes | ✅ (kexts common) | ✅ | ✅ | ✅ | ⚠️ (kexts deprecated; system extensions used) | ⚠️ | ⚠️ | ⚠️ |
| Vendor uninstallers (Malwarebytes/Intego) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Firmware/rootkit remediation (professional) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Notes for the table:
- Safe Mode and Recovery procedures depend on hardware (Intel vs Apple Silicon) as much as the macOS version; macOS 11+ is the first version where many Macs may be Apple Silicon, but macOS version alone doesn’t guarantee hardware. I marked Safe Mode/Recovery rows as ⚠️ for 11–14 to highlight that Apple Silicon uses a different startup method. Apple docs confirm these differences. Apple Support
- Kernel Extensions: older macOS (10.11–10.15) commonly used kexts in
/Library/Extensions; newer macOS reduces kext usage and pushes system extensions — meaning persistence/persistence locations changed over time.