In late Summer 2020, leveraging the threat hunting methodology developed at Verizon Media, the Paranoids FIRE team identified a novel piece of macOS malware that would later be dubbed Silver Sparrow. In this session we’ll talk about a key TTP leveraged by the malware authors. We’ll show how it was found, and how it was used to create new detections to monitor Silver Sparrow activity. Finally, we’ll show how based on telemetry collected by the Paranoids, the infection count estimates originally published by news organizations were inaccurate: roughly 3,000 infected machines instead of about 30,000.