An Infostealer's Brewin': Cuckoo & AtomicStealer Get Creative
Recent infostealer malware campaign utilizing fake Homebrew websites to deliver Cuckoo and AtomicStealer.
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
New RustDoor macOS malware impersonates Visual Studio update
A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang.
A backdoor with a cryptowallet stealer inside cracked macOS software
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
Jamf Threat Labs Discovers Pirated macOS Apps Similar to ZuRu Malware
Jamf Threat Labs discovers new pirated macOS applications that establish communication with attacker infrastructure, allowing the victim's computer to be controlled by the attacker.
MacOS info-stealers quickly evolve to evade XProtect detection
Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies follow and report about new variants frequently.
Analyzing DPRK's SpectralBlur
In both his twitter (err, X) thread and in a subsequent posting he provided a comprehensive background and triage of the malware dubbed SpectralBlur. In terms of its capabilities he noted: SpectralBlur is a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2. -Greg He also pointed out similarities to/overlaps with the DPRK malware known as KandyKorn (that we covered in our “Mac Malware of 2024” report), while also pointing out there was differences, leading him to conclude: We can see some similarities ... to the KandyKorn. But these feel like families developed by different folks with the same sort of requirements. -Greg
Objective-See's Blog
A comprehensive analysis of the year's new malware
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Analysis of a new macOS Trojan-Proxy
A new macOS Trojan-Proxy is riding on cracked versions of legitimate software; it relies on DNS-over-HTTPS to obtain a C&C (command and control) address. Illegally distributed software historically has served as a way to sneak malware onto victims’ devices. Oftentimes, users are not willing to pay for software tools they need, so they go searching the Web for a “free lunch”. They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.
N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN.
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Jamf Threat Labs Discovers Malware from BlueNoroff
Newly discovered later-stage malware from BlueNoroff APT group targets macOS with characteristics similar to their RustBucket campaign.
Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs
Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.
Triangulation: validators, post-compromise activity and modules | Securelist
In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
ShadowVault is the latest Mac data-stealer malware, reportedly
ShadowVault data stealer Mac malware made headlines in the Apple press this week. Here is what we know about it so far.
Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack
During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Snake: Coming soon in Mac OS X flavour – Fox-IT International blog
Summary Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks. Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates. Researchers who have previously analyzed…
Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram
A macOS infostealer being sold on Telegram, Atomic Stealer has a second variant that appears primed to target users directly on YouTube.
'RustBucket' malware targets macOS
Learn how APT group, BlueNoroff, targets Apple with malware variant to compromise macOS devices.
Mac Malware MacStealer Spreads as Fake P2E Apps
We detected Mac malware MacStealer spreading via websites, social media, and messaging platforms Twitter, Discord, and Telegram. Cybercriminals lure victims to download it by plagiarizing legitimate play-to-earn (P2E) apps’ images and offering jobs as beta testers.
Hard-to-spot Mac crypto-mining threat, XMRig, hits Pirate Bay
Jamf Threat Labs has spotted a family of Mac malware, XMRig, that spreads through pirated versions of Final Cut Pro, Photoshop and Logic Pro X.
Beware of macOS cryptojacking malware.
You may have heard about the cryptojacking malware on macOS. Read about a new one spotted by Jamf Threat Labs.
Can you rely on macOS Ventura for malware protection?
Samples of four malicious software downloaded and run on macOS 13.1. Could it detect and block them effectively? Or do you need 3rd party protection?
7 Ways Threat Actors Deliver macOS Malware in the Enterprise
Stay ahead of the game with our review on macOS malware threats. Learn about the top techniques used by threat actors to deliver malware and how to build more resilient defenses.
How do you know when macOS detects and remediates malware?
macOS may alert you when you’re trying to open or run a file, with an alert informing you that malware was detected. But what about in scans?
The Mac Malware of 2022 👾
A comprehensive analysis of the year's new malware