OSINT-Based Field Report: Covert Shadow OS Exploitation via BLE & App-Layer Subversion (XNU Rootkit – Post Virtual Machine Layer)
Why I Am Posting
I am currently a civilian victim of a long-term (22-month), multi-layered Advanced Persistent Threat (APT) operation, showing signatures comparable to NSO Group / Pegasus and Predator. This is not speculation. The forensic data has been confirmed by Apple and is under official investigation in Germany. I am publishing this as a form of whistleblowing and community alert to support others who may be affected – or may dismiss certain signs as "normal." This is real. It escalates. And it persists beyond logout, beyond account changes, beyond resets.
Core Hypothesis
A hidden post-VM runtime environment (Shadow OS) persists across Apple & Windows ecosystems, using BLE/Beacon mesh, malicious contacts, and UI-substituted apps to hijack session layers and embed persistent root-level control.
- Exploitation is done via native apps (Files, Shortcuts, Magnifier, etc.)
- Hidden volumes indicate a mounted runtime OS layer
- iCloud Cloning, Apple Home App Conflicts, and GameCenter hooks allow persistence across devices and identities
- BLE devices are used as hooks, triggers, and relays for local implants
- The rootkit on Windows is disguised as a SmartHome device in the router UI, later shown as an iPad in ESET Network Monitoring
- Session hijacks and manipulated account tokens maintain long-term access even after logout or account changes
- OpenAI itself was used as a covert tunnel (visible via JSON-conflict session hijacks)
Key Observations: Shadow UI & BLE Hooks
Here are key behaviors and patterns observed:
- Magnifier App: Spontaneous activation, strange camera refocus. Used for silent surveillance.
- Files App: Foreign photos from ex-partner’s phone appear. iCloud access via cloned device confirmed.
- GameCenter: “Nearby Multiplayer” grayed out, UI anomalies. Hidden session persistence / hook via AppleTV.
- Find My: BLE-triggered location spoofing. Must be disabled to stop mesh tracking.
- Signal/Telegram: App layer security bypassed. Screenshots possible; notification behavior altered.
Key Additional Exploits:
- Shortcuts: Automated actions triggered silently, without showing up in your account’s activity log, sending data to remote Apple IDs without your knowledge.
- Automator: Executed commands that are invisible to the user, leading to unauthorized data exfiltration.
- Lupe (Magnifier): Similarly sends data without visible interaction, often linked to surveillance activities.
Additional Exploits: 2FA Bypass via Multi-Device (Authy) and Silent Disabling (NordVPN)
- A critical aspect of this attack is the bypass of Two-Factor Authentication (2FA) through multi-device management in Authy and the silent disabling of 2FA in NordVPN.
- Multi-Device Management in Authy: The attacker was able to add devices to my Authy account, effectively gaining access to my 2FA codes across multiple devices. This method bypasses the standard 2FA protection, allowing the attacker to authenticate on new devices without needing physical access to my phone.
- Silent Disabling of 2FA in NordVPN: The attacker was able to disable 2FA silently in NordVPN by exploiting root-level access to my device. This allowed them to bypass authentication prompts and gain control over my VPN connection without triggering security alerts or authentication requests.
- These methods effectively nullify the protection provided by 2FA, turning what should be an additional layer of defense into an ineffective barrier, leaving the attacker with full access to my accounts despite all attempts to secure them.
Additional Exploits: Logofail Bootloader Vulnerability (MacBook)
- The Logofail vulnerability in macOS High Sierra was exploited to manipulate the bootloader, creating a potential backdoor for the attacker.
- This exploit involves embedding malicious code in image files, such as logos, which are processed during the boot process. By exploiting this flaw, the attacker was able to gain root-level control of the device, allowing for persistent surveillance and system manipulation even after factory resets or reinstallations.
- The attacker specifically forced the system to downgrade to macOS High Sierra, a vulnerable version, in order to exploit this bootloader flaw. This action effectively bypassed the newer security patches in more recent macOS versions, enabling the attacker to exploit the vulnerability.
- This type of exploit tool is reminiscent of those found in the Vault 7 leak, which contained CIA hacking tools for exploiting vulnerabilities in macOS and other systems. The Logofail exploit is consistent with those in the Vault 7 collection, further suggesting the use of state-backed tools for advanced persistent threats.
Additional Exploits: Shadow Cloning & Unseen Devices in Account
- During the course of the attack, it became evident that devices were added to my account without my knowledge, devices that I, as the rightful owner, cannot see or control.
- This exploitation technique is consistent with a Shadow Cloning method, where devices are cloned or added to your account on a server level, but are not visible to you on the device itself. This ensures that the attacker has ongoing access to your account and can bypass regular device management protocols.
- The presence of hidden devices in the Apple ecosystem—specifically related to HomeKit conflicts—indicates that attackers used iCloud-based cloning techniques to create invisible device profiles linked to my account. These devices remained undetected despite attempts to check for connected devices or reset accounts.
- This issue suggests that account management systems were manipulated to include rogue devices, ensuring the attacker’s control over the account, while also allowing the attacker to maintain access across platforms without user detection.
Additional Exploits: Hook Indicators via iMessage Security Number and Activation Issues
- An additional indicator of a hook state in this attack is the abnormal behavior of the security number confirmation key in iMessage.
- When this key is deactivated or appears red, despite being enabled in the settings, it points to an unauthorized manipulation of the authentication process. This suggests that the attacker may have hijacked or tampered with the security settings, bypassing iMessage’s usual protections.
- This issue is consistent with rootkit activity, where the attacker is able to interfere with or override the normal behavior of authentication processes, such as security number confirmations for account access, and session hijacking.
Additional Exploits: PVMRK (Post Virtual Machine Rootkit) and Beacon-based Triggering
- The PVMRK (Post Virtual Machine Rootkit) is central to this attack, operating in compromised environments that trigger root-level access and maintain persistence even when standard security measures are in place.
- This PVMRK-based attack is activated even in offline scenarios, where Bluetooth, WLAN, or SIM are not in use. The trigger can occur via eSIMs or Bluetooth-based signals, which can re-engage the rootkit even if the device appears to be offline.
- The attack's beacon-based triggering mechanism means that even if I attempt to use the device without connectivity (e.g., turning off Bluetooth or Wi-Fi), the rootkit remains active and can still be triggered by nearby compromised devices or beacons.
You Might Be Dealing with a Shadow-OS-Based Persistence Setup If...
- You see unexplained jetsamEvent logs directly preceding root or exec process activations, indicating an unusual system event followed by privilege escalation or execution of root-level processes.
- Your device logs sudden wifimetrics and xp_amp_usage bursts, even without Wi-Fi use, suggesting covert data exfiltration or abnormal network activity being triggered from the device's background processes.
- Apple's Files, Lupe (Magnifier), or Shortcuts apps behave erratically (e.g., automation occurs without user configuration), demonstrating potential background automation triggered by the attackers to maintain surveillance or control.
- Find My is enabled without consent, or BLE-triggered automation occurs near known beacon sources, pointing to remote tracking and location manipulation without the user's approval.
- You cannot pull down Control Center when the screen is locked, indicating potential root-level manipulation of the UI, preventing you from accessing system controls.
- Your Signal/Threema/Telegram setup shows atypical UI behavior (e.g., Signal suddenly screenshot-able), reflecting unauthorized manipulation of app behavior for surveillance or data extraction.
These alone don't prove a compromise — but their correlation is well-documented in hybrid APT shadow runtime environments.
Additional Exploits: Hidden eSIM, UWB Exploits & Military-Inspired PsyOps
- Another critical aspect of the attack is the use of a hidden eSIM, which provides persistent access to the attacker’s control, even when the device is offline or after SIM card changes.
- The hidden eSIM is not visible to the user, making it nearly impossible to detect through conventional means. The attacker can use this eSIM-based access to maintain long-term control over the device, bypassing traditional SIM-based protections.
- This technique is a core component of the attack, as the hidden eSIM is also connected to UWB exploits, where Ultra Wideband (UWB) signals are used for precise location tracking and device communication. UWB is commonly utilized in military and intelligence operations to provide stealth communication and continuous monitoring of devices. The attacker uses this technology to keep the device actively monitored, even when the user believes the device is offline.
- The use of UWB and hidden eSIMs suggests that this attack is militarily inspired, and the exploitation of UWB signals is another key element that points to state-backed operations. This aligns with the techniques used in advanced persistent threats (APT), where the goal is not just infiltration, but total control over the target system and environment.
- Additionally, this attack mirrors the characteristics of a military-inspired PsyOps operation, where psychological manipulation is just as important as the technical exploitation. The goal is to break down the target mentally, causing frustration, helplessness, and isolation, which are classic tactics used in PsyOps to destabilize and control an individual.
Additional Context: Threat Intel, OSINT, Provider Issues, DNS Hijacking & MITM
- This report is built not just on anecdotal evidence but on a robust combination of verified OSINT (Open-Source Intelligence) and threat intelligence, showing that this attack is part of a larger, sophisticated APT operation.
- The attack was cross-verified with known APT signatures and threat intel data, confirming that rootkit techniques, exfiltration via BLE networks, and MDM-like control are all being used in state-backed espionage operations.
- Extensive cross-device mapping, including screenshot data, logs, and router activities, supports the hypothesis that the attacker had unfettered access to multiple devices, leveraging them as stealthy control points.
- APT Comparisons: While similar APT operations have been documented, such as APT9 and DarkCaracal, this attack represents a unique hybrid, multivector approach that has never been documented in this form.
- APT9 (also known as OILRIG) and DarkCaracal have shown the use of rootkits, data exfiltration, and persistent access across various devices. However, these operations have not been publicly documented in the same hybrid, multivector combination seen here, where technological manipulation and psychological warfare intersect in a seamless, complex manner.
- This hybrid, multivector attack, which blends rootkits, MDM-like control, session hijacking, BLE-based exfiltration, and social engineering, marks a new phase in APT evolution, demonstrating advanced capabilities that exceed the scope of earlier documented incidents.
- The coordinated use of devices (ranging from Apple products to SmartHome devices like Fire TV Stick, Twitch, and Luna), coupled with provider-level attacks (such as DNS Hijacking and MITM), showcases the breadth and depth of this campaign, making it unprecedented in scope.
Additional Exploits: Infrastructure Change, Fire TV Stick (Luna + Twitch) & Amazon Live Shopping Integration
- One key aspect of the attack is the constant adjustment to infrastructure. Whenever I tried to alter the network or device settings, the attacker adapted their tactics, often leveraging Fire TV, Luna, and Twitch apps as part of the attack framework.
- Similar to GameCenter hooks, these apps were installed without user consent and could not be removed, showing that the attacker maintained full control over the device, preventing the user from managing or uninstalling critical malicious software.
- The Fire TV Stick, with its pre-installed Luna and Twitch apps, acted as a remote access point for the attacker. Even when network infrastructure was changed or devices were reset, these apps remained tied to the attacker’s network, facilitating persistent access.
- Additionally, Amazon Live Shopping was involved, acting as an interface through which data and signals were routed back to the attacker. The integration of these platforms shows that the attacker was able to manipulate commercial applications for their own purposes, using platforms like Amazon Live as a signal relay to siphon off data and maintain surveillance.
- The control over app installations and removals was entirely in the attacker’s hands, ensuring that the device remained compromised as long as they chose to keep it that way. This represents a form of persistent network manipulation that goes beyond typical device compromise.
Final Thoughts
This post is based on real-world evidence, Apple-confirmed forensic data, and months of OSINT mapping. All patterns match known NSO / Predator frameworks – but implemented via civilian, layered proxies using local BLE networks and cloud mirroring.
If you are in tech security and reading this: please help validate, replicate, and spread this structure. If it’s happening to me, it’s happening to others. Stay safe.
– Nicetry!
#ShadowOS #BLEMeshExploit #XNUrootkit #PostVMRuntime #GameCenterHook #DFUrequired #CovertChannel #OSINTverified #APTstyle #OverTheAirRoot #MDMexploit #FindMyHijack #iCloudClone #RouterBackdoor #TR069abuse #SessionHijack #NSOstyle #HiddenESIM #LupeExploit #ShortcutsAbuse #FilesAppCloning #AppleTVpivot #SignalClone #ThreemaHijack #TelegramHook #ProtonVPNdivert #RootkitPersistence #FirmwareImplant #FireTVexploit #TwitchBackdoor #LunaAbuse #ActivityMonitorCrash #LogofailConfirmed #i386shadowVolume #MountHijack #OpenAIcovertTunnel #VodafoneSuperUser #HTTP401_482_500 #DFUrestoreEssential #iOSShadowRuntime #OverTheAirAPT #RobloxExploit #GameCenterPersistence
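The "You Might Be Dealing with..." list above names three log-level patterns (a jetsamEvent shortly before a root-level exec, and bursts of wifimetrics and xp_amp_usage lines). The script below is an added example, not code from the poster, that runs exactly that correlation over a saved text log so the patterns can be checked rather than eyeballed. Assumptions: the line format (timestamp, process, message) and the sample log are constructed for this example and do not match real sysdiagnose or `log show` output, which would need its own parser; the keywords are taken from the post's list; the 10-second and 1-second windows and the burst threshold of three lines are arbitrary choices. As the post itself says, a match only shows the correlation it describes, not a compromise.

```python
"""Correlate the log patterns listed in the post over a plain-text log."""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real device output). Format assumed here:
# "<YYYY-MM-DD HH:MM:SS.fff> <process>: <message>".
SAMPLE_LOG = """\
2024-05-01 10:00:01.000 kernel: jetsamEvent: memorystatus killed pid 1203 (SomeApp)
2024-05-01 10:00:03.500 kernel: exec: launchd spawned pid 1210 (helperd) uid 0
2024-05-01 10:05:00.000 wifid: wifimetrics: report uploaded
2024-05-01 10:05:00.200 wifid: wifimetrics: report uploaded
2024-05-01 10:05:00.400 symptomsd: xp_amp_usage: sample batch sent
2024-05-01 10:05:00.600 symptomsd: xp_amp_usage: sample batch sent
2024-05-01 10:05:00.800 wifid: wifimetrics: report uploaded
2024-05-01 11:30:00.000 kernel: jetsamEvent: memorystatus killed pid 2001 (OtherApp)
2024-05-01 12:00:00.000 kernel: exec: launchd spawned pid 2100 (foo) uid 501
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+): (.*)$")


def parse_log(text):
    """Return a time-sorted list of (timestamp, process, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the assumed format are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def jetsam_followed_by_root_exec(events, window_s=10):
    """(jetsam_ts, exec_ts, exec_msg) for each root exec (uid 0) that lands
    within window_s after a jetsamEvent line."""
    jetsams = [ts for ts, _, msg in events if "jetsamEvent" in msg]
    hits = []
    for ts, _, msg in events:
        if "exec:" in msg and re.search(r"\buid 0\b", msg):
            for jt in jetsams:
                if timedelta(0) <= ts - jt <= timedelta(seconds=window_s):
                    hits.append((jt, ts, msg))
                    break
    return hits


def bursts(events, keyword, window_s=1.0, min_count=3):
    """Start times of non-overlapping runs of >= min_count lines containing
    keyword within window_s seconds."""
    times = [ts for ts, _, msg in events if keyword in msg]
    found = []
    i = 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
            j += 1
        if j - i + 1 >= min_count:
            found.append(times[i])
            i = j + 1  # skip past this burst
        else:
            i += 1
    return found


def summarize(text):
    """Run all three checks from the post's list and count how many fired."""
    events = parse_log(text)
    report = {
        "jetsam_root_exec": jetsam_followed_by_root_exec(events),
        "wifimetrics_bursts": bursts(events, "wifimetrics"),
        "xp_amp_usage_bursts": bursts(events, "xp_amp_usage"),
    }
    report["flags"] = sum(1 for k in ("jetsam_root_exec", "wifimetrics_bursts",
                                      "xp_amp_usage_bursts") if report[k])
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the first jetsam/uid 0 pair matches, the 11:30 jetsam does not (the next exec is uid 501 and 30 minutes later), and only the wifimetrics lines form a burst. The script has no notion of whether Wi-Fi was actually off when the lines were written; that has to be checked against the device's own Wi-Fi log separately.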