惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

爱范儿
爱范儿
aimingoo的专栏
aimingoo的专栏
Y
Y Combinator Blog
Vercel News
Vercel News
Blog — PlanetScale
Blog — PlanetScale
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
WordPress大学
WordPress大学
V
V2EX
The Register - Security
The Register - Security
博客园 - 聂微东
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - Franky
D
DataBreaches.Net
G
Google Developers Blog
O
OpenAI News
S
Schneier on Security
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
Engineering at Meta
Engineering at Meta
Recorded Future
Recorded Future
T
Threatpost
The Hacker News
The Hacker News
Cisco Talos Blog
Cisco Talos Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
T
The Exploit Database - CXSecurity.com
L
LINUX DO - 热门话题
G
GRAHAM CLULEY
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
云风的 BLOG
云风的 BLOG
L
LINUX DO - 最新话题
MyScale Blog
MyScale Blog
L
LangChain Blog
Scott Helme
Scott Helme
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
Google Online Security Blog
Google Online Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
N
News | PayPal Newsroom
NISL@THU
NISL@THU
M
MIT News - Artificial intelligence
Cloudbric
Cloudbric
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Cloudflare Blog
Recent Announcements
Recent Announcements

Cyber Security News

AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code - Update Now! UNC3753 Uses Screen-Sharing Sessions and RMM Tools to Exfiltrate Sensitive Legal Data New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads ClickFix Campaign Uses EtherHiding and GULoader to Infect Windows Users via Fake CAPTCHA Ghostwriter Hackers Abuse Gmail Admin-Themed Emails to Steal Credentials and 2FA Codes The Half-Life of Threat Intelligence: When Does an IOC Stop Being Useful? Critical Fortinet FortiSandbox Vulnerabilities Actively Exploited in Attacks Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio India Temporarily Bans Telegram Messenger Over Medical Exam Fraud Microsoft 365 Device Code Phishing Campaign Bypasses Password Theft With Legitimate Login Flow AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase Novo Nordisk Confirms Cyber Attack — Hackers Accessed Patient Medical Data and Internal AI Assets Russian and Chinese Influence Actors Use AI to Evade Bot Detection and Mimic Human Behavior Microsoft Teams Analyze the Wi-Fi Hotspot Data Connected to an Employee’s Device PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions Infinite Campus Data Breach Exposes 137,000 Users Personal Details OptinMonster Plugin Hack Exposes 1.2 Million Wordpress Sites to Cyberattack Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure Microsoft Site Showing Warning Following Certificate Expiry DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recovery SHADOWBYT3$ Allegedly Claim Breach of Nintendo, Stealing Sensitive Data Anthropic Updated Privacy Policy to Include Identity Verification for Claude Users Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users PromptSnatcher Ad Blocker Extensions Steal AI Chats From ChatGPT, Claude, and Gemini Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT Windows 11 Update KB5094126 Freezes Systems, Forces BitLocker Recovery, and More Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence SecSuite - AI-powered Tool for OSINT, Web and API Security Testing WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild Threat Actor Malware Platform Exposed via Unlocked PHP Installation Page Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From Hackers Server BugHunter - Bug Bounty Toolkit Powered by Claude and Free AI Providers Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications Facebook and Instagram Down Globally, Users Reporting Multiple Issues Google Sues Chinese Cybercrime Network for Using Gemini AI to Launch Cyberattacks 400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers Critical Vulnerability Chain in LangGraph Allows Attackers to Gain Full Server Control SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations Authorities Dismantle Cryptocurrency Laundering Services ‘AudiA6’ Used by Ransomware Gangs Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters CISA Requires Federal Agencies to Patch Critical Vulnerabilities Within 3 Days OceanLotus APT Compromises FireAnt MetaKit in Supply-Chain Attack on Stock Investors GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and StealC Infostealers Critical Langflow Vulnerability Exploited to Execute Malicious Code Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking Researcher Hacked Google Using AI and Earned $500,000 Bug Bounty GitHub to Automate Disable npm Script Installs to Block Supply Chain Attacks Claude Mythos Turning N-Days Into N-Hours With Rapid Working Exploit Creation CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks Hackers Use Weaponized DMG Files to Target macOS Users With Infostealer Malware Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems Hackers Abuse Residential Proxy Networks to Hide Malicious Activity and Evade Detection Cybercriminals Abuse Chinese-Language Guarantee Marketplaces to Trade Stolen Credentials Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability Oracle Emergency Security Update to Fix Critical RCE Vulnerability GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan Hackers Abuse VMware-Signed Binary to Sideload NIGHTFORGE Loader in Espionage Attacks Multiple Splunk Enterprise Vulnerabilities Allow Attackers to Execute Malicious Script Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks Top 5 Best Tools for Simulated DDoS Attacks in 2026 Critical Vulnerability in Hugging Face Transformers Enables Remote Code Execution Attacks OWASP CVE Lite CLI - New Tool to Scan for Vulnerabilities in Your Projects Anthropic's Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated] Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware New Magecart Attack Turns Stripe into a Malware Command Server Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Using Real-Time Network Monitoring to Spot Suspicious Application Behavior on macOS
Kavichselvan · 2026-06-17 · via Cyber Security News

In this guide, we will see how real-time network monitoring helps you spot suspicious application behavior on macOS, why traditional defenses leave a visibility gap, and how a lightweight monitoring tool can close it without turning your Mac into a security lab.

Introduction: The Silent Threat in macOS

Most users assume that if they avoid pirated installers and shady downloads, they are safe. macOS has a strong reputation for security, and Gatekeeper, XProtect, and notarization do a lot of quiet work in the background to keep it that way.

But the threat model has shifted. Over the last few years, attackers have moved away from obvious malware and toward subtler vectors: supply chain attacks, compromised updates from legitimate vendors, malicious browser extensions, and seemingly innocent helper processes that quietly call home.

New macOS malware families per year

Source: objective-See, The Mac Malware annual recaps by Patrick Wardle (2019–2025)

The challenge is that traditional antivirus software looks for known signatures. A zero-day exploit, a freshly compromised update, or a hijacked helper process does not match anything in a signature database, so it slips through.

The same is true for command-and-control traffic from a legitimate-looking tool that has been backdoored upstream. The malicious behavior is not in the binary on disk. It is in the network connections the binary makes once it is running.

Our thesis is simple. Visibility is the best defense. If you can see, in real time, which applications are talking to the internet and where they are sending data, you can spot anomalies that automated tools miss. A calculator app reaching out to a server in a country you have never visited is not a signature match. It is, however, an obvious red flag to a human paying attention.

Anatomizing Suspicious Application Behavior

Before we look at tools, it helps to know what we are looking for. Suspicious network behavior tends to fall into a few well-known categories, and once you have seen each one, the patterns become hard to miss.

Unexpected Connections from Unlikely Apps

Some apps have no business talking to the internet at all. A simple image editor that runs entirely on your local files does not need to reach a remote IP. A calculator does not need a network connection. Even more mature apps that do legitimately use the network usually only contact a handful of well-known endpoints — their own update servers, an analytics provider, sometimes a license check.

When an unexpected app starts making outbound connections, or when a known app starts contacting hosts that do not match its purpose, that is the signal worth investigating. The trick is that you can only notice it if you have a baseline of what “normal” looks like, and a tool that surfaces deviations as they happen.

How Malware “Checks In”

Modern malware rarely operates in isolation. Once it lands on a machine, it typically reaches out to a command-and-control server to register itself, fetch instructions, and exfiltrate data. This pattern is so consistent that network telemetry is one of the most reliable ways to detect compromise even when the binary itself is unrecognized.

A compromised app rarely lights up the moment it lands

Source: Generalised pattern drawn from public incident write-ups by Objective-See, Mandiant M-Trends, and Jamf Threat Labs

The “check-in” often looks unremarkable on the surface – a small HTTPS request to a domain that nobody on the machine has visited in a browser, repeated on a predictable schedule. The payload that follows can be anything from a list of files to harvest, to a new dropper, to credentials lifted from a keychain. None of this is visible without watching the connections themselves.

Connections to High-Risk or Unexpected Jurisdictions

Geography is not a perfect signal, but it is a useful one. A backup app that connects only to its vendor’s region of operation is behaving normally. The same app suddenly opening a session with an IP block in a country that has no presence in its documentation is, at minimum, worth a closer look.

Tools that surface the country or autonomous system behind each connection give you a context-rich way to triage these events. You do not need to be a network analyst to recognize that an offline note-taking app pulling from a hosting provider in a sanctioned jurisdiction is not what you signed up for.

The Limitation of Built-in macOS Defenses

macOS ships with a built-in firewall, and it does a perfectly good job at its actual purpose. Understanding what that purpose is – and what it is not – is the key to seeing where the visibility gap lives.

The macOS Firewall

The native firewall in System Settings is excellent at blocking incoming connections. You can tell it to refuse all unsolicited inbound traffic, to allow only signed software to listen for connections, and to put your Mac into stealth mode so it does not respond to probes from the network. For laptop users moving between coffee shops and airports, this is genuinely useful.

What it does not do, by design, is give you granular control over outbound traffic. There is no built-in UI that lists every running process, shows you which servers each one is currently talking to, and lets you allow or deny that connection on the spot. macOS assumes that if an app is installed and trusted enough to run, its outbound connections are its own business.

For most users, that assumption is reasonable. For anyone who has watched the threat landscape change over the last few years, it is no longer enough.

The Need for Interactivity

The classic answer to outbound control on macOS is a static rule set – a long config that says “this app may reach these hosts on these ports, deny everything else.” Static rules work, but they assume you already know which connections are normal. For most apps you have just installed, you have no idea. You learn the answer the first time the rule blocks something and the app breaks in a confusing way.

Real-time, interactive prompts solve the problem from the other direction. When an app makes its first connection, the tool pauses and asks you whether to allow or deny it. You answer once, and the decision is remembered.

Over a few days of normal use, your rule set assembles itself from real behavior instead of guesswork. You also see, in the moment, every host an app is trying to contact, which is precisely the visibility you wanted in the first place.

This interactive pattern is what tools like Little Snitch popularized on macOS and what projects like LuLu and OpenSnitch have brought to a wider audience. The only real problem is that initially, such apps might ask your permission to allow or deny web access to existing apps hundreds of times per day.

For users who want the same visibility without committing to a heavy firewall or new traffic control habits, a focused monitoring tool is the lighter alternative.

Solution: Real-Time Monitoring with FireWally

FireWally is a lightweight, Apple-native network monitoring tool built specifically for transparency. It is free, requires macOS 13 or later, and is notarized by Apple. The product is intentionally narrow in scope: instead of trying to be a full enterprise firewall, it focuses on showing you what your Mac is actually doing on the network and letting you cut off any application you no longer trust.

What FireWally Shows You

Once running, FireWally enumerates every application on your Mac that is currently using the network. For each one, it surfaces the live traffic — what is being sent, what is being received, and at what rate.

There are hourly and daily traffic summaries, so you can spot a process that has been quietly chatty overnight even if you were not watching at the time. Background processes that you never opened yourself but that are still moving data show up alongside the apps you actively use.

Firewally sits in the macOS menubar and reports on the incoming and outgoing traffic

The tool also exposes Apple Intelligence-powered explanations for why a given app is connecting, so you do not have to reverse-engineer every domain name to understand whether a connection is plausible. For an app you trust, the context confirms normal behavior. For an app you do not recognize, the same context is often enough to decide that it has no good reason to be on the network.

Blocking What You Do Not Trust

Beyond observation, FireWally gives you a per-app switch to cut off internet access entirely. If you see an app calling out and you do not want it to, you block it once and move on. Because the tool is Apple-native and lightweight, you can leave it running continuously without the overhead of a full firewall stack.

The combination of live visibility, traffic history, and a single click to deny is what makes interactive monitoring practical for people who do not want to become network administrators. You get the answer to “what is this Mac actually doing right now” without standing up extra infrastructure.

Best Practices for Network Hygiene

A monitoring tool is only as useful as the habits around it. A few simple practices keep your attack surface small and your alerts meaningful.

Minimize the Attack Surface

Every app you keep installed is a potential entry point. Review your installed applications periodically and remove anything you no longer use. Pay particular attention to helper processes, browser extensions, menu bar utilities, and login items that you may have forgotten about, as these are exactly the categories attackers target because users rarely audit them.

The list of apps allowed to have Full Disk Access in macOS’ system settings

While you are at it, audit the permissions you have granted. macOS gives you a clear view of which apps have Full Disk Access, Accessibility, Camera, and Microphone rights. Revoke anything that does not still need those grants. For more on the residual files and helpers that linger after a casual uninstall, see Nektony’s notes on what standard uninstall leaves behind.

Rule of Least Privilege

The default position for any app that does not strictly need internet access should be “blocked.” Image editors that work on local files, calculators, offline note-taking apps, and most utilities can run perfectly well without a network connection.

If you discover later that an app genuinely needs to reach a server, you can allow it then. Starting permissive and tightening later almost never happens. Starting restrictive and loosening on demand is sustainable.

This is the same least-privilege principle that governs server administration, and it applies just as well to a personal laptop. Most of the time, “deny by default” costs you nothing. The exceptions are obvious and easy to handle when they come up.

Periodic Audits

Live monitoring tells you what is happening right now. Periodic audits tell you what happened while you were not looking. Use FireWally’s hourly and daily summaries to scan for anything that has been unusually chatty overnight, especially on days when your Mac was idle.

A backup app that uploaded a few hundred megabytes when no backup window was scheduled, a “helper” process you do not remember installing showing sustained traffic, a recently updated app that suddenly has new destinations – any of these is worth a moment of attention.

Firewally shows the apps that consume most traffic during the day

A quick weekly check is plenty. Most weeks you will see nothing surprising, and that is the point. The first time you do see something unexpected, you will already know how to interpret it.

Frequently Asked Questions

Is real-time network monitoring a replacement for antivirus?

No. The two address different layers. Antivirus looks at files at rest and at known signatures. Real-time network monitoring looks at process behavior on the network. They complement each other, and serious threats are usually easier to catch when both are in place.

Will running a monitoring tool slow my Mac down?

A well-designed Apple-native tool adds negligible overhead. FireWally is built specifically to stay lightweight; it surfaces traffic that the OS is already tracking rather than performing deep packet inspection.

What about VPN traffic?

Monitoring tools see the connection from each app to the local VPN client, and the VPN client’s own outbound connection. They do not see inside the tunnel itself. That is usually fine for spotting suspicious apps — the app’s local-to-VPN connection is still attributable to a specific process.

Do I need to be a security expert to make sense of what I see?

No. The first few days of using a monitoring tool double as a tour of your own system. You will quickly learn which apps are normally talkative, which background processes are part of macOS, and which destinations are routine. Once you have that baseline, anomalies stand out by themselves.

Conclusion

Modern threats on macOS are increasingly behavioral rather than signature-based, and the visibility gap is real. The built-in firewall handles inbound traffic well but leaves outbound activity largely opaque.

Closing that gap does not require an enterprise security stack. It requires a way to see what your applications are doing on the network, in real time, with enough context to decide whether each connection makes sense.

Tools like FireWally fill that role without asking you to become a network administrator. Paired with a few simple habits — minimizing your installed app footprint, defaulting to least privilege for network access, and running a quick audit each week — you get a level of transparency that catches the kinds of threats automated tools quietly miss.

Visibility, in the end, is what separates a Mac you trust from a Mac you hope is fine.