A security researcher has unveiled new discoveries about Fruitfly, a dangerous macOS malware that has been shrouded in mystery since its discovery earlier this year.

Patrick Wardle, the chief security researcher at security firm ‎Synack and a former NSA hacker, took interest in Fruitfly. To learn more about the malware that has befuddled security experts since its discovery, Wardle—who is scheduled to speak about the malware at the Black Hat conference in Las Vegas—decided to interact with the malware directly.

Read: Mac Malware: New Ransomware Targets Macs, Allows Attackers To Pay To Use

According to ZDNet, Wardle built a command and control server to interact with a sample of the Fruitfly malware. Doing so allowed the researcher to remotely communicate with the malicious software the same way an attacker would.

Through his command and control server, Wardle was able to uncover the capabilities of Fruitfly by making requests of the malware and seeing how it would respond, giving him unprecedented access to the malware.

Once he was able to communicate with Fruitfly, Wardle saw the malware could take complete control of an infected device running macOS. Fruitfly allowed Wardle to take screenshots of anything on the Mac screen, turn on the webcam to record, hijack inputs from the keyboard and mouse and modify files on the machine.

Fruitfly operates in stealth, running undetected in the background of an infected machine. An attacker can even remotely kill the malicious program’s process entirely to avoid the possibility of being detected by a suspicious victim. The malware even sends an alert when the user is active so the attacker doesn’t accidentally interrupt their activity and alert them to the malicious behavior.

Read: Mac Malware: Snake Attack Used For Targeted Espionage Discovered for MacOS

Wardle also discovered in his exploration of the malware that it is still present and active on infected computers. According to his analysis, 90 percent of the victims were based in the United States and there appeared to be no link between them, suggesting the victims were unlikely to be targeted.

The origins of the attack are still unknown, but Wardle theorized Firefly is unlikely to be an attack operated by a nation state actor. Instead, he believed the malware was the work of a single hacker using the malicious tool to spy on people.

The delivery method of Fruitfly isn’t entirely clear yet either, though it is believed the malware can be spread via email attachment, likely disguised as a genuine file like a PDF or Microsoft Office document.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

Fruitfly has confused security researchers since its discovery earlier this year as much of the malware’s inner workings have been obfuscated by antiquated code that dates back five years or more. Despite this, the malware works on modern versions of macOS.

It wouldn’t be unheard of for malware to use old, seemingly outdated exploits to attack its victims. Since many people don’t download security patches, it can be easy for old attacks to continue to work. Such was the case with CopyCat, an Android malware that infected 14 million devices using vulnerabilities that were patched for years.