Clean & rebuild your Mac
Rescue your files safely, optionally inspect what the malware left behind, then erase and reinstall macOS so the infection is gone for certain.
Wipe-first is the honest recommendation. Malware that ran as administrator can hide in places hand-removal will miss; a clean reinstall is the only way to be sure.
Do the account steps first. Wiping the Mac does nothing about already-stolen passwords or crypto. If you haven’t yet, work through the recovery protocol before rebuilding — that’s the live emergency; this page is the cleanup.
Step 1
Rescue your files — data only, never programs
An infostealer’s job was to live among your files, so a careless copy can carry the infection onto your rebuilt machine. The rule that keeps you safe: copy documents and media; leave anything that can run.
Safe to bring back (inert data)
- Documents: .pdf .docx .xlsx .pptx .txt .csv .pages .numbers
- Photos & video: .jpg .png .heic .mp4 .mov
- Audio: .mp3 .wav .m4a
- Your Photos / Music library bundle, copied as a whole unit
Leave behind (can run / re-infect)
- Apps & installers: .app .dmg .pkg .command
- Scripts: .sh .py .js .scpt and shell config (.zshrc)
- The hidden ~/Library folder and any dotfiles (.ssh .config .aws)
- Wallet files, recovery phrases, saved-password / key exports
Don’t rescue credentials or wallets
Saved passwords, SSH/GPG keys, wallet files and recovery phrases are compromised by definition. Bringing them back carries the actual harm forward. Reissue keys fresh on the clean Mac, and migrate crypto to a new wallet with a new recovery phrase. This is the one move that undoes everything else.
Map the danger before you copy (read-only)
Run these in Safe Mode (below), offline, reading output off the screen. They only list — nothing is moved, deleted, or run. Keep the first list visible as your “don’t copy” reference.
```sh
# 1) Anything that can run, by name. .app and .workflow are bundles (folders),
#    so there is no -type f here: with it they would never be listed.
find ~/Documents ~/Desktop ~/Downloads ~/Pictures ~/Movies ~/Music ~/Public \
    \( -name "*.app" -o -name "*.dmg" -o -name "*.pkg" -o -name "*.command" \
    -o -name "*.sh" -o -name "*.py" -o -name "*.js" -o -name "*.scpt" \
    -o -name "*.plist" -o -name "*.workflow" \) -prune 2>/dev/null

# 2) Files with the execute bit set, whatever their name says they are
#    (-perm +111 is the BSD find syntax macOS ships with)
find ~/Documents ~/Desktop ~/Downloads ~/Pictures ~/Movies ~/Music ~/Public \
    -type f -perm +111 2>/dev/null
```
A real .jpg or .pdf should never appear in that second list. Anything that does is suspect — note the name and exclude it. Also watch for the double-extension disguise (invoice.pdf.command, photo.jpg.app).
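The two find commands give you raw lists to read by eye. The script below is an added example, not part of the original guide: it applies the page's keep/leave rules to a rescue folder in one pass and marks the double-extension and executable-bit cases as SUSPECT. The extension lists are the page's own; `.photoslibrary` and `.musiclibrary` are assumed names for the library bundles the page says to copy whole.

```sh
#!/bin/sh
# Added example (not from the page): classify a rescue tree by the page's rules.
# Verdicts: KEEP = inert data, SKIP = can run / unknown, SUSPECT = looks like data
# but is executable or wears a double extension (invoice.pdf.command).
INERT="pdf docx xlsx pptx txt csv pages numbers jpg png heic mp4 mov mp3 wav m4a photoslibrary musiclibrary"
RUNNABLE="app dmg pkg command sh py js scpt plist workflow"

in_list() {  # in_list WORD "space separated list"
    [ -n "$1" ] || return 1
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

ext_of() {   # lowercase last extension of a name, empty if there is none
    f=${1##*/}
    case "$f" in *.*) printf '%s' "${f##*.}" | tr 'A-Z' 'a-z' ;; esac
}

classify_name() {   # classify_name NAME -> KEEP | SKIP | SUSPECT
    name=${1##*/}
    last=$(ext_of "$name")
    inner=$(ext_of "${name%.*}")        # extension hidden under the last one
    if in_list "$last" "$RUNNABLE"; then
        if in_list "$inner" "$INERT"; then echo SUSPECT; else echo SKIP; fi
    elif in_list "$last" "$INERT"; then
        echo KEEP
    else
        echo SKIP                       # unknown type: leave it behind by default
    fi
}

classify_path() {   # a data-looking file that carries the execute bit is SUSPECT
    v=$(classify_name "$1")
    if [ "$v" = KEEP ] && [ -f "$1" ] && [ -x "$1" ]; then v=SUSPECT; fi
    echo "$v"
}

scan_tree() {       # scan_tree DIR -> one "VERDICT path" line per item
    # Bundles (.app, .workflow, Photos/Music libraries) are folders on macOS:
    # report each as one unit and do not descend into it.
    find "$1" -mindepth 1 \( -name '*.app' -o -name '*.workflow' \
         -o -name '*.photoslibrary' -o -name '*.musiclibrary' \) -prune -print \
         -o -type f -print 2>/dev/null |
    while IFS= read -r p; do printf '%s %s\n' "$(classify_path "$p")" "$p"; done
}

for d; do scan_tree "$d"; done   # usage: sh rescue-audit.sh ~/Documents ~/Desktop
```

Everything marked SKIP or SUSPECT stays off the rescue disk; the script only lists and never moves, deletes or opens anything.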
Step 2 — optional
Inspect before you wipe
Entirely optional — for confirmation and peace of mind. If your goal is just a trustworthy machine, skip to the wipe. If you want to see what was there, these read-only checks find the common footholds.
Get in without running the malware: Safe Mode
Safe Mode deliberately doesn’t load third-party startup items, so the malware stays dormant while you work. Apple Silicon: shut down → hold the power button until “Loading startup options” → pick your disk → hold Shift → “Continue in Safe Mode.” Intel: power on and immediately hold Shift. Stay offline; read output off the screen rather than copy-pasting.
The high-yield checks
```sh
sudo sfltool dumpbtm                               # full background-items list (macOS 13+)
launchctl list | grep -i update                    # look for odd, Apple-looking labels
ps aux | grep -i "Library/Caches" | grep -v grep   # processes running out of a Caches folder
sudo profiles list -all                            # config profiles (should be none on a personal Mac)
cat /etc/hosts                                     # unexpected domain redirects
sudo crontab -l; cat /etc/crontab 2>/dev/null      # scheduled jobs (/etc/crontab may not exist)
sudo systemsetup -getremotelogin                   # remote login should be Off
dscl . list /Users | grep -v '^_'                  # unexpected user accounts
```
Persistence on macOS most often hides as a .plist in ~/Library/LaunchAgents/, /Library/LaunchAgents/, or /Library/LaunchDaemons/. Finding one confirms the infection; finding none does not prove the Mac is clean. Leave SIP (System Integrity Protection) on — it’s part of what limited the damage. For the full responder walkthrough, see the technical page.
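The commands above list the jobs; this script, added here as an example and not from the original guide, goes one step further and prints what each .plist in the three launchd folders actually runs, marking anything outside Apple-owned paths as REVIEW. It assumes XML plists (binary ones are converted with plutil where that tool exists) and reads only; the labels and paths in its comments are constructed.

```sh
#!/bin/sh
# Added example (not from the page): list launchd persistence items and show what
# each one actually runs, so an odd label or an odd binary location stands out.
AGENT_DIRS="$HOME/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons"

plist_xml() {   # plist_xml FILE -> XML on stdout (binary plists converted where plutil exists)
    if command -v plutil >/dev/null 2>&1; then plutil -convert xml1 -o - "$1"; else cat "$1"; fi
}

plist_string() {   # plist_string FILE KEY -> first <string> value after <key>KEY</key>
    plist_xml "$1" | awk -v key="$2" '
        index($0, "<key>" key "</key>") { want = 1; sub(".*<key>" key "</key>", "") }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

launch_program() {   # the executable a job runs: Program, else ProgramArguments[0]
    p=$(plist_string "$1" Program)
    [ -n "$p" ] || p=$(plist_string "$1" ProgramArguments)
    printf '%s\n' "$p"
}

path_status() {   # SYSTEM for Apple-owned trees, REVIEW for everything else
    case "$1" in
        /usr/local/*) echo REVIEW ;;                     # admin-writable, not Apple's
        /System/*|/usr/*|/bin/*|/sbin/*|/Library/Apple/*) echo SYSTEM ;;
        *) echo REVIEW ;;   # ~/Library, Caches, /tmp, /Users/Shared, relative or empty paths
    esac
}

audit_launch_items() {   # audit_launch_items [DIR...] -> "STATUS<TAB>label<TAB>program<TAB>plist"
    [ $# -gt 0 ] || set -- $AGENT_DIRS
    for d; do
        for f in "$d"/*.plist; do
            [ -f "$f" ] || continue
            prog=$(launch_program "$f")
            printf '%s\t%s\t%s\t%s\n' "$(path_status "$prog")" \
                "$(plist_string "$f" Label)" "$prog" "$f"
        done
    done
}

audit_launch_items "$@"   # no arguments: the three launchd folders above
```

REVIEW is a prompt to look, not a verdict: legitimate updaters live under ~/Library too, so judge the label and the binary together.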
A second-opinion scanner for macOS
macOS doesn’t include a malware scanner. Before and after the wipe, a reputable on-demand scanner is a useful second opinion on your rescue disk and rebuilt system.
For ongoing visibility into what your Mac connects to, Little Snitch (paid) and LuLu (free) are excellent outbound firewalls.
Step 3
Erase and reinstall macOS
The clean ending. Once your files are rescued, wipe the machine. There are two routes depending on your Mac.
Modern Macs — “Erase All Content and Settings”
On Apple Silicon or T2 Macs: System Settings → General → Transfer or Reset → Erase All Content and Settings. This wipes your data and apps and returns macOS to a factory state in one step, the same as a new Mac.
Fastest and cleanest. Sign out of your Apple Account first if prompted, and make sure your files are already rescued — this is irreversible.
Older Macs — erase the disk in Recovery, then reinstall
Boot into Recovery (Apple Silicon: hold power at startup; Intel: hold Cmd-R). In Disk Utility, erase the internal disk (APFS). Quit Disk Utility, then choose Reinstall macOS and follow the prompts.
Achieves the same factory-clean result on Macs without the one-click option.
Don’t restore from a backup made after the infection
Restoring a full Time Machine or system backup taken after you got hit can bring the malware right back. Rebuild fresh, then copy in individual data files from your rescue disk — not a whole-system restore.
Step 4
On the clean machine
That’s the machine closed out. Combined with the credential rotation and crypto migration, the incident is contained: stolen data is rendered useless by the new passwords, and the device is clean.