Anyone still enduring EFI Rootkit madness?

I've been following several users' nightmares of the EFI rootkit nuisances that people have been enduring ever since mine started around 5 odd months ago.

Now I'm not going to go into any detail just yet, since for the most part it's a looooong piece of text to write, just to be shut down, disbelieved and end up generally unhelped by many people at all… so I won't waste my time just yet. I'm really just wondering if any of the poor who also have/had or still do have this maddening, expensive saga bestowed upon them have had any luck ridding themselves of the filth?


I'm attaching some images for the sceptics and the ones who claim all the picture/screenshot evidence thus far is 'normal'.


I managed to get pretty deep into the system files to screenshot, copy or photograph a bunch of evil stuff that I haven't seen the others post up, so enjoy it, it's pretty wild stuff.


But seriously, any help would be appreciated. For the most part, I've learned just to live with it.

The only real way out I see is to replace ALL devices at once…: modems, routers, mice, PC/Mac, phones, new phone number, smart TV, portable TV boxes, USB drives of any description, leave behind all email addresses, order new bank cards and literally throw all the old ones into the bin or burn them and start from scratch. I'll be moving house in the near future so that is my plan… and it's the only one I have.


[Edited by Moderator]

iPhone 8 Plus, iOS 16

Posted on Oct 8, 2023 02:50 AM


6 replies

Jan 26, 2024 06:59 AM in response to lyndsayyy

Hey mate

I got a secondhand HP mini PC and was just using internet hooked up through my phone and not using the broadband at the house, and all was good for a few weeks. I don't remember the exact point when I noticed… I think I might've logged into an old email account or something and came back, and it's probably worse than ever now. I've got features and extensions loaded into my CPU settings… it's overclocked… managed servers everywhere, blah blah blah, it goes on and on… you know exactly what I mean.

You say you've had it for years.

Do you just try to forget about it and live with it? Have they touched your bank accounts? Me, no. Seems like they're only interested in the crypto mining on my devices.

I still spend waaaaay too much time trying to beat this thing. It can't be. There are contingencies for every single app and situation you can try to throw at it.

Have you at all worked out how to wipe a hard drive fully without the hidden undeletable partitions? That'd be a good starting point.

Jan 26, 2024 05:23 PM in response to HappyCamper007

Howdy


No, I can't delete those partitions either. I had some limited success using Disk Utility "Open Image" and renaming various file names whilst in the open dialogue file browser window, which broke some of the links. I have over 500 processes running in recovery and they just respawn immediately. trustd and launchd and the kernel etc. won't stop no matter what. Plus Terminal has been messed with so commands that should work don't.


We (think) we got rid of it once using a sparse image, but invariably once online it comes back via Wi-Fi or iPhone hotspot or Bluetooth. It's always merging my iCloud accounts and changing my avatars. Locking me out after one try even though it's telling me it's my third. My 2-factor text messages arrive from bogus phone numbers; they arrive irregularly and are intercepted. Emails addressed to me directly go to my trash so I miss stuff regularly, for example the Australian Federal Police inviting me to be a witness for the mining case.


Linux kinda worked but the partition map won't be erased completely. I removed the labels and flags but as soon as GPT and APFS is selected they are still there, hiding!


I found a folder in my EFI called CAFEBEEF. Apple haven’t told me if that’s supposed to be there. I also found ramdisks called sunburst and golden gate.


I also have their server's outgoing ports that I got before they hid themselves and purged the logs. It's sophisticated.


Some info that may help you:


When you install the OS and it does its restart for the final installation part, I did a hard shutdown then Command-R and went to recovery, and some new stuff was mounted that seems to get purged once it runs for the first time. It mounts 9 volumes with some folders; the most interesting one is called restore. I think it comes down via the preboot server. Perhaps this temporary window may hold the key to removing it.


The latest Sonoma update helped a lot but the virus is back today. I saw it enter via an opendirectory PID in my recovery/installation log. I got excited when I saw the WebKit bundles that had been deleted/repaired.


But of course that's only part of the beast, and they indeed have a response for absolutely everything. I've had it since early 2020. Been through a lot of devices in that time.


I would love to give up. But I don’t have any choice. I can’t afford forensics /monitored security.


It gets me down, but you can't live in perpetual depression, fear and frustration forever, so invariably you become desensitised to it all. Sadly.


It just sucks up so much of my time. It's incredible. Thousands and thousands of hours.


Do you think you got it via the net? I'm not sure what to think or who to trust these days! Seems pretty severe for a remote intrusion. It's good to talk to you.


It feels like no one understands what we are going through..


I'm sure there are lots of typos. Apologies, as I'm typing on my phone (MacBook needs to be restored again).
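The partition-map question in the two posts above (wiping a drive "fully without the hidden undeletable partitions", and a GPT that is "still there hiding" after labels and flags were removed) has a mechanical explanation worth knowing before reaching for more drastic measures: a GUID Partition Table keeps a backup header and partition array in the last sectors of the disk, so clearing labels, flags or only the first sectors leaves the backup copy for any partitioning tool to find and restore. The script below is an added example, not code posted by anyone in this thread. It builds a 1 MiB image file with constructed GPT signatures (no real disk is touched) and shows that only zeroing both ends removes them. On a real device the equivalent is `sgdisk --zap-all /dev/sdX` on Linux, or `dd if=/dev/zero of=/dev/rdiskN` on macOS with the disk unmounted; both destroy everything on the drive. Note that none of this touches the EFI firmware itself, which lives in flash on the logic board rather than on the disk.

```shell
#!/bin/sh
# Added example (not from the thread): why "wiping the front of the disk" or
# clearing labels/flags leaves a GPT behind. A GUID Partition Table stores a
# primary header at LBA 1 (protective MBR at LBA 0, partition array at LBA
# 2-33) and a BACKUP header at the last LBA, with a backup partition array just
# before it. Everything below runs on a throwaway image file (constructed data).
set -eu

SECTOR=512
SECTORS=2048          # 1 MiB image; a real disk is just bigger

# make_image IMG : zeroed image carrying a protective-MBR signature (0x55AA at
# byte 510) and the GPT signature "EFI PART" at LBA 1 and at the last LBA.
make_image() {
  dd if=/dev/zero of="$1" bs="$SECTOR" count="$SECTORS" 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
  printf 'EFI PART' | dd of="$1" bs="$SECTOR" seek=1 conv=notrunc 2>/dev/null
  printf 'EFI PART' | dd of="$1" bs="$SECTOR" seek=$((SECTORS - 1)) conv=notrunc 2>/dev/null
}

# gpt_signatures IMG : how many GPT headers ("EFI PART") are still on the image.
gpt_signatures() {
  grep -a -o 'EFI PART' "$1" | wc -l | tr -d ' '
}

# zero_primary_gpt IMG : what a naive "wipe the start of the disk" does, i.e.
# clears the protective MBR, primary header and primary array (LBA 0-33).
zero_primary_gpt() {
  dd if=/dev/zero of="$1" bs="$SECTOR" count=34 conv=notrunc 2>/dev/null
}

# zero_backup_gpt IMG : clears the last 33 sectors (backup array + backup header).
zero_backup_gpt() {
  dd if=/dev/zero of="$1" bs="$SECTOR" seek=$((SECTORS - 33)) count=33 conv=notrunc 2>/dev/null
}

# demo : build the image, wipe the front only, then the tail, printing the
# number of GPT headers that survive each step.
demo() {
  img=$(mktemp)
  make_image "$img"
  echo "fresh image:       $(gpt_signatures "$img") GPT header(s)"
  zero_primary_gpt "$img"
  echo "front zeroed:      $(gpt_signatures "$img") GPT header(s)  <- backup header survives"
  zero_backup_gpt "$img"
  echo "front+tail zeroed: $(gpt_signatures "$img") GPT header(s)"
  rm -f "$img"
}

demo
```

The same check works on a real device by pointing `gpt_signatures` at it (read-only, so it is safe to run): two matches means a GPT with both headers is present, one means a half-wiped table that `gdisk`, `diskutil` or a firmware boot manager can still reconstruct from the backup copy.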



Jan 26, 2024 05:31 PM in response to HappyCamper007

Also, some of those folders that are mounted (mobile activation and the boot stuff, logs, caches and efires) can be cleared via randomDisk, then you can eraseDisk, then eject. But not all.


You would think it would be possible to force overwrite it, but it doesn't seem to be possible. Even Apple returns the devices to me with the problems still present.


Crazy times. Seems to be a problem that's growing quickly. A lot more evidence of people having it now than there was in 2020.


I am mostly worried because I can't safely buy or hold digital currency with this in my devices. So what happens if/when they change over? What will we do?



This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
