Mdworker shared in launch’s.log

thomas_r.


Can you please contact me via email? I have been going through an ongoing cyber attack since November 2020. Got a letter from the FBI stating they arrested a malicious cyber actor who was in possession of the Apple ID I had back in November of 2020. Since that date I have been to the Apple Store to wipe my computer and reinstall Big Sur, Ventura and all systems back to 2017. Traded in that Mac for a new MacBook Pro with M1 chip silicon and am still losing Apple IDs left and right from hackers getting into my iPhone and MacBook.

I would love to learn more about the targeted cyberattacks you mentioned when seeing the mdworker which is constantly in my launch’s.log.

Please feel free to send me a message. I will try to figure out how to find your reply.

MacBook Pro (2021)

Posted on Aug 24, 2023 3:54 PM


Aug 24, 2023 6:22 PM in response to Mdworker

If I were you I would seriously consider the validity of that alleged FBI document. It has all the marks of a phishing scam — the same kind that may have caused you to lose control of your Apple IDs.


If you think your Apple ID has been compromised - Apple Support is applicable in your case. Follow those instructions with care.


mdworker is a legitimate macOS process present on all Macs.


I find it hard to believe the FBI could possibly have the time or manpower to investigate all the instances of Apple ID theft. It is extremely common and occurs around the world, arising from places well beyond the reach of any US law enforcement agency.


We really can't DM each other on this site.


Best wishes.

Aug 25, 2023 6:53 AM in response to John Galt

The FBI letter did not arrive until this past April 15th of 2023. The first thing I thought was that it was fake. I called the local FBI office and gave them the case number. They checked it out and it was a legitimate case.

Also it came with a login and pin which I had to enter on the FBI’s website.

I have two agents I am working with in the New Jersey office, but it’s a big case: the guy had thousands of Apple IDs and the contact information on each person, including social security numbers.

Anyway I have been working with Apple and I sent the entire installer log to her yesterday after I noticed I misspelled the name I had posted as I looked closer. She emailed me at 5:33 asking me to call her as soon as possible. And I am about to give her a call this morning to get an update.

Anyway, I went through changing my cell numbers 4 times in one year the last time I changed my number. My phone was SIM jacked a second time while I was still inside the Verizon Wireless office.

It took Verizon Wireless 5 hours to get my number back, and the technician, who was female, told me that whoever did this had access to some very expensive and highly sophisticated equipment and that they had a definite agenda.

Aug 25, 2023 7:30 AM in response to Mdworker

Thousands of stolen Apple IDs... yes I suppose that's enough to get their attention.


In any event finding the mdworker process in a Mac's logs or Activity Monitor is completely ok. If you or someone changed your name to "Mdworker" it will obviously lead to confusion. It would have nothing to do with finding that process on your Mac so that alone is no reason for concern. In fact its absence would be a concern.

Aug 25, 2023 8:12 AM in response to John Galt

2023-08-20 09:54:27-07 Lances-MacBook-Pro SoftwareUpdateNotificationManager[1441]: SUOSUShimController: Start MSU scan

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUServiceDaemon: Adding client: SoftwareUpdateNotificationManager (type = sunm, pid = 1441, uid = 501, path = /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUMobileSoftwareUpdateController: Updating additionalUpdateMetricEventFields: {
    autoUpdate = false;
    buddy = false;
    commandLine = false;
    installTonight = false;
    mdm = false;
    notification = true;
    settings = false;
}

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUMobileSoftwareUpdateController: Set bridgeOS catalog override to catalogURL default

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUMobileSoftwareUpdateController: Scan finished

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: majorPrimaryDescriptor: (null)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: majorSecondaryDescriptor: (null)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: minorPrimaryDescriptor: (null)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: minorSecondaryDescriptor: (null)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUServiceDaemon: Setting availableMobileSoftwareUpdates = (
)

2023-08-20 09:54:27-07 Lances-MacBook-Pro SoftwareUpdateNotificationManager[1441]: AssertionMgr: Take com.apple.softwareupdate.NotifyAgentAssertion-BadgingCountChanged assertion with type BackgroundTask for pid 1441, id 0x8246

2023-08-20 09:54:27-07 Lances-MacBook-Pro SoftwareUpdateNotificationManager[1441]: SUOSUShimController: Done with MSU scan

2023-08-20 09:54:27-07 Lances-MacBook-Pro SoftwareUpdateNotificationManager[1441]: SUOSUShimController: Start legacy scan

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUScan: Scan for client pid 385 (/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated)

2023-08-20 09:54:27-07 Lances-MacBook-Pro softwareupdated[385]: SUOSUServiceDaemon: availableMobileSoftwareUpdates = (
)

Aug 25, 2023 8:16 AM in response to John Galt

Okay, take a look at the correct spelling. As of last night someone was able to get into my computer and change nearly everything, but I made a backup on an external hard drive before shutting it down of all of my files, including all of the logs I copied yesterday as well as a copy of all the changes made overnight. The MacBook was not connected to Wi-Fi by hardware, nor was Wi-Fi on, nor was Bluetooth on. I was able to get the information I sent you from a file I pulled off of the email I sent to Apple, so I would not have to connect my hard drive. It’s going into my safe.

Do you have another opinion about what I sent?

Aug 25, 2023 8:28 AM in response to Mdworker

You're going to have to render completely useless any and all references to you of any kind: phone numbers, addresses, email addresses, passwords, Apple ID and everything else that identifies you in any way. It won't be easy.


https://search.brave.com/search?q=help+in+removing+my+presence+on+tehj+internet&source=web

https://search.brave.com/search?q=help+creating+a+new+identy&source=web


Assuming your above statements are true, your only remorse is to stop being the person you were. Frankly I don't really even know that can be done short of some sort of witness protection program.


Aug 25, 2023 9:15 AM in response to Mdworker

Do you have another opinion about what I sent?


If you are being advised by Apple, law enforcement, or your legal counsel, then continue along those lines of communication.


Please do not forward or upload that information to this publicly available website. None of us on this website can authoritatively comment regarding the legitimacy of whatever information Apple may have sent you; in fact its Terms of Use explicitly indemnifies Apple from anything its participants may have to say about it.


The log entries you posted do not indicate anything amiss. They illustrate normal and mundane operation, so no action on your part is justified by them alone. However, having posted something as innocuous as your Mac's name lends further credence to my suspicion that you may have been less than circumspect regarding information that should be considered confidential. Whereas a Mac's name itself is of little value to a "hacker" or someone with nefarious intent, every little piece of information that someone can draw from you helps to assemble a "digital identity" that can subsequently be used for extortion or fraud or any number of lesser inconveniences.


What you posted does not even rise to the very low bar of asking our site Hosts to redact what you posted, but please consider being more cautious with anything that could possibly be construed as personal information. Effective defenses against malware and other threats - Apple Community describes some of those principles. I encourage you to review it.
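
An added example, not part of the thread or any participant's post: a short Python triage of the install.log line format posted above, grouping entries by process and listing the client paths that softwareupdated records. The sample lines and hostname are constructed, and treating `/System/` as the expected prefix is an assumption of this sketch; a path elsewhere is only a prompt to look closer, not evidence of compromise.

```python
import re
from collections import Counter

# Constructed sample in the line format shown in the thread; the hostname
# and the final "helper" entry are made up for illustration.
SAMPLE = """\
2023-08-20 09:54:27-07 Example-Mac SoftwareUpdateNotificationManager[1441]: SUOSUShimController: Start MSU scan
2023-08-20 09:54:27-07 Example-Mac softwareupdated[385]: SUOSUServiceDaemon: Adding client: SoftwareUpdateNotificationManager (type = sunm, pid = 1441, uid = 501, path = /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager)
2023-08-20 09:54:27-07 Example-Mac softwareupdated[385]: SUOSUMobileSoftwareUpdateController: Updating additionalUpdateMetricEventFields: {
    mdm = false;
}
2023-08-20 09:54:28-07 Example-Mac softwareupdated[385]: SUOSUServiceDaemon: Adding client: helper (type = sunm, pid = 2001, uid = 501, path = /Users/Shared/helper)
"""

# timestamp, host, process[pid]: message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d\d) (\S+) ([^\[]+)\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"Adding client: (.+?) \(type = \w+, pid = (\d+), uid = \d+, path = (.+)\)$", re.M)

def parse_install_log(text):
    """Return one dict per entry; wrapped lines (e.g. a dumped dictionary)
    are appended to the entry they belong to."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, host, proc, pid, msg = m.groups()
            entries.append({"ts": ts, "host": host, "proc": proc,
                            "pid": int(pid), "msg": msg})
        elif raw.strip() and entries:
            entries[-1]["msg"] += "\n" + raw.strip()
    return entries

def clients(entries):
    """(name, pid, path) for every 'Adding client' record."""
    found = (CLIENT.search(e["msg"]) for e in entries)
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in found if m]

def outside_system(entries, prefix="/System/"):
    """Clients whose binary is not under the assumed OS prefix."""
    return [c for c in clients(entries) if not c[2].startswith(prefix)]

if __name__ == "__main__":
    log = parse_install_log(SAMPLE)
    print(Counter(e["proc"] for e in log).most_common())
    for name, pid, path in outside_system(log):
        print(f"review: {name} (pid {pid}) at {path}")
```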
