Mosyle has discovered a new Mac malware strain called 'JSCoreRunner' that evades detection by masquerading as a PDF conversion tool. The malware spreads through a malicious website, fileripple.com, and operates in two stages. The first stage, FileRipple.pkg, appears as a legitimate PDF tool while running malicious code in the background. The second stage, Safari14.1.2MojaveAuto.pkg, bypasses Gatekeeper's protections. Once installed, JSCoreRunner targets Chrome browsers, altering search engine settings to redirect users to fraudulent providers. This exposes users to keylogging, phishing, and potential data theft. The malware's sophisticated approach highlights the need for vigilance and proactive security measures for Mac administrators.