Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack

2023-06-16 Bitdefender

https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Bitdefender documented early fragments of a larger macOS and cross-platform toolkit: two Python backdoors, shared.dat and sh.py, plus a macOS Swift binary called xcc. shared.dat uses ROT13-obfuscated paths and a GITHUB_REQ/GITHUB_RES packet format to collect host, network, and process information, execute commands, and download OS-specific payloads (an AppleAccount archive on macOS, compiled code on Linux). sh.py stores its configuration in ~/Public/Safari/sar.dat; it supports command execution, file upload and download, file deletion, configuration changes, and execution of arbitrary Python code, and can rotate between its configured C2 URLs. The xcc component targets macOS 12 and later and checks privacy and user-state permissions, likely in preparation for spyware functionality. Taken together, the observed files appear to be part of a broader multi-stage intrusion set.

Indicators of Compromise

