SentinelOne VS Honkbox Cryptominer – macOS – Detection
Honkbox is a novel piece of macOS malware in a number of ways. Its use of I2P for tunneling and, in the recent variants, its lack of a ‘traditional’ persistence mechanism show that the authors prize stealth. Multiple detection-evasion techniques and masquerades attempt to keep it hidden from users even once they become suspicious. In addition, because some components of this multi-stage malware were not previously documented, some detection solutions may still have to catch up.
SentinelOne fully detects the Honkbox cryptominer and security teams are advised to review the indicators listed below. For more information about how SentinelOne can help protect your macOS fleet, contact us or request a demo.
MITRE ATT&CK
T1036 Masquerading: Process executable has a file extension which is uncommon
T1064 Scripting (deprecated in ATT&CK; now covered by T1059 Command and Scripting Interpreter): Executes commands using a shell command-line interpreter
T1070.004 Indicator Removal: File Deletion: Executes the “rm” command to delete files or directories
T1082 System Information Discovery: Reads the system’s hostname
T1095 Non-Application Layer Protocol: Performs DNS lookups
T1222 File and Directory Permissions Modification: Executes the “chmod” command used to modify permissions
T1564 Hide Artifacts: Executes the “mktemp” command to create a temporary unique file name
T1564.001 Hide Artifacts: Hidden Files and Directories: Creates and executes hidden Mach-O files
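Two of the behaviours in the list above (hidden Mach-O files, T1564.001, and an executable carrying an uncommon extension, T1036) can be turned into a simple filesystem hunt. The script below is an added example written for this page; it is not SentinelOne's detection logic and not taken from the Honkbox samples. The Mach-O magic numbers are the real values from the Mach-O and fat headers; the set of "data" extensions, the fat-header slice threshold, and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Hunt for hidden or masquerading Mach-O executables under a directory tree.

Added example for this page, not SentinelOne's code.  The sample tree that
run_self_check() builds is constructed for the demonstration and contains no
real malware, only files that begin with Mach-O magic bytes.
"""
import os
import stat
import struct
import tempfile

# First four bytes of thin Mach-O images as they appear on disk (both byte orders).
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal (fat) header, always big-endian on disk

# Extensions a Mach-O should not normally carry.  Illustrative set, not exhaustive.
DATA_EXTENSIONS = {".txt", ".log", ".dat", ".jpg", ".png", ".pdf", ".plist", ".json"}


def is_macho_bytes(head):
    """Return True if `head` (the first 8+ bytes of a file) looks like a Mach-O image."""
    if len(head) < 8:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC:
        # Java class files also start with CA FE BA BE.  In a fat header the next
        # field is nfat_arch; real universal binaries have a handful of slices,
        # whereas a class file has its major version (45 or higher) in that
        # position.  The threshold of 16 is a heuristic chosen for this example.
        (nfat_arch,) = struct.unpack(">I", head[4:8])
        return 1 <= nfat_arch <= 16
    return False


def is_macho(path):
    try:
        with open(path, "rb") as f:
            return is_macho_bytes(f.read(8))
    except OSError:
        return False


def is_executable(path):
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def scan(root, require_exec=True):
    """Return sorted (relative_path, reason) pairs for suspicious Mach-O files under root.

    reason is "hidden" when the file or any directory below root starts with a
    dot, or "masquerade-ext" when a Mach-O carries a data-file extension.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if not is_macho(path):
                continue
            if require_exec and not is_executable(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(part.startswith(".") for part in rel.split("/")):
                findings.append((rel, "hidden"))
            elif os.path.splitext(name)[1].lower() in DATA_EXTENSIONS:
                findings.append((rel, "masquerade-ext"))
    return sorted(findings)


def build_sample_tree(root):
    """Populate root with constructed files (not real malware) that exercise the scanner."""
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28                      # MH_CIGAM_64 + zeroed fields
    fat = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24             # universal header, 2 slices
    java = FAT_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8              # class file, major version 52
    files = {
        ".hidden_miner": (macho64, True),               # hidden Mach-O, executable
        os.path.join(".cache", ".tool"): (fat, True),   # Mach-O inside a hidden directory
        "report.pdf": (macho64, True),                  # Mach-O masquerading as a PDF
        "visible_bin": (macho64, True),                 # ordinary executable, not flagged
        ".notes.txt": (b"hello\n", False),              # hidden but not Mach-O
        "Foo.class": (java, True),                      # shares the fat magic, must not match
    }
    for rel, (data, execbit) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if execbit:
            os.chmod(path, 0o755)
    return root


def run_self_check():
    """Build the sample tree in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, reason in run_self_check():
        print(f"{reason:15} {rel}")
```

On a real host, point `scan()` at the locations Honkbox-style droppers favour (user-writable directories such as `/tmp`, `/private/var/folders` and `~/Library`) rather than at a temp tree; the magic check is cheap enough to run across a whole volume, and the `require_exec` filter can be disabled to also catch a Mach-O that has been written but not yet `chmod`ed.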
For Indicators of Compromise, visit https://www.sentinelone.com/blog/hunting-for-honkbox-multistage-macos-cryptominer-may-still-be-hiding/