On the DNS Trail of the Rise of macOS Backdoors

Researchers tracked DNS and WHOIS artifacts linking macOS backdoors RustDoor and KandyKorn to additional malicious infrastructure, uncovering 109 potentially connected web properties including domains, IPs, and email-associated records. Analysis found impersonation strings (e.g., maconlineoffice[.]com, serviceicloud[.]com), phishing-associated IPs, and many iCloud-related domains suggestive of targeted lures. #RustDoor #KandyKorn #icloud

Keypoints

Initial IoCs: Bitdefender and SentinelOne published 11 macOS backdoor IoCs (seven for RustDoor: five domains, two IPs; four IPs for KandyKorn).
WHOIS and historical WHOIS searches for RustDoor IoCs yielded 10 historical email addresses and five email-connected domains (three referencing Find My-related strings).
DNS lookups for RustDoor IoCs produced four additional IPs; one of those (85[.]187[.]128[.]40) was tied to phishing via threat intel lookup.
Reverse IP lookups for KandyKorn IoCs returned 28 IP-connected domains, all flagged as malware hosts by threat intelligence.
String-based discovery using domain tokens found 72 string-connected domains and 785 newly created iCloud-containing domains since 2024, eight of which were associated with phishing or other threats.
Overall expansion from 11 starting IoCs uncovered 109 potentially related artifacts (email-connected domains, additional IPs, IP-connected and string-connected domains), with 29 confirmed malicious or phishing-associated.

MITRE Techniques

[T1583.001] Acquire Infrastructure: Domain – Attackers registered and used multiple domains to host or distribute backdoors; ‘two domain IoCs contained macOS- and iCloud-related text strings—maconlineoffice[.]com and serviceicloud[.]com’
[T1592] Search Open Websites/Domains – Researchers used WHOIS and Reverse WHOIS to expand from known domains to related registrations and emails; ‘we performed an expansion analysis beginning with WHOIS History API searches for the five domain names…discovery of 10 email addresses’
[T1596] Search Open Technical Databases – Threat intelligence and IP geolocation lookups were used to classify hosts and reveal phishing associations; ‘Threat Intelligence Lookup revealed that one of the additional IP addresses—85[.]187[.]128[.]40—was associated with phishing’
[T1566] Phishing – Infrastructure was used or associated with phishing activity to lure macOS users into installing malicious payloads; ‘Threat Intelligence API also revealed that eight of the icloud-containing domains were associated with phishing’
[T1036] Masquerading – Domains contained legitimate-service strings to impersonate macOS/Apple services and Microsoft Office for Mac as social-engineering lures; ‘maconlineoffice[.]com and serviceicloud[.]com…could indicate attempts to legitimize their campaign’

Indicators of Compromise

[Domain] RustDoor and related discovery – maconlineoffice[.]com, serviceicloud[.]com, and 72 additional string-connected domains
[Domain] Email-connected domains (from WHOIS history) – findmy-inc[.]us, findmy-lcloud[.]us, findmyapp-location[.]us, and 2 more email-associated domains
[IP address] RustDoor/KandyKorn hosts and additions – 85[.]187[.]128[.]40 (phishing-associated), plus other IoC IPs and 4 additional IPs found via DNS lookups
[IP-connected domains] KandyKorn reverse-IP expansion – 28 IP-connected domains (all flagged as malware hosts)
[Other artifacts] Large set of iCloud-related registrations – 785 icloud-containing domains created since 2024, eight of which were linked to phishing or generic threats

Researchers began with 11 published IoCs and focused technical enumeration on DNS, WHOIS, and threat-intel sources to map likely associated infrastructure. Steps included bulk WHOIS queries and WHOIS history lookups to extract registrant emails and registrars, Reverse WHOIS searches to find email-connected domains, DNS resolution to reveal additional IP addresses, IP geolocation and ISP attribution to contextualize hosting, reverse IP lookups to gather IP-connected domains, and Domains & Subdomains string searches (using tokens like “icloud”) to discover string-connected domains. Threat intelligence queries were used at multiple points to flag malicious hosts and phishing associations (e.g., 85[.]187[.]128[.]40 marked for phishing).

The iterative expansion workflow produced 109 candidate artifacts: five email-connected domains, four additional IP addresses, 28 IP-connected domains (all flagged as malware for the KandyKorn cluster), and 72 string-connected domains for RustDoor, with 29 properties confirmed malicious or phishing-related. The analysis highlights common operational patterns—use of impersonation strings to social-engineer macOS users, registrar diversity, and reuse of hosting/IP resources—that can be triaged via combined WHOIS/DNS/reverse-IP and threat-intel correlation to prioritize takedown or further investigation.

For replication: start from known IoCs, run WHOIS/WHOIS History to extract emails and registrar metadata, perform Reverse WHOIS on public registrant emails to find related domains, resolve domains to discover associated IPs, do reverse-IP to enumerate co-hosted domains, run Domains & Subdomains Discovery with relevant token strings, and enrich all findings with IP geolocation and threat-intel feeds to identify phishing/malware classifications before tagging and actioning suspicious entries.