In this report, we share our latest crimeware findings: FakeSG malware distribution campaign delivering NetSupport RAT, new Conti-like Akira ransomware and AMOS stealer for macOS.
Tag: MACOS
Infoblox’s DNS Early Detection Program identifies potentially malicious domains at the earliest opportunity, enabling blocking well before OSINT or many threat intel feeds flag them. The Lazarus Group’s KandyKorn campaign illustrates how fast DNS-based detection can dis…
A new macOS Trojan-Proxy is riding on cracked versions of legitimate software; it relies on DNS-over-HTTPS to obtain a C&C (command and control) address.
BlueNoroff has been attacking macOS users with a new loader that delivers unknown malware to the system.
North Korean-aligned threat actors targeting macOS staged a busy 2023, with RustBucket and KandyKorn as the two major campaigns examined. The analysis shows actors mixing components across operations—using SwiftLoader droppers to pivot to KandyKorn payloads—an…
FBI dismantled the IPStorm botnet infrastructure with a guilty plea linked to its operator, while Intezer analyzed cross-platform IPStorm variants expanding from Windows to Linux, macOS, and Android. The research highlights IPStorm’s use of IPFS for C2, Linux-…
Jamf Threat Labs identified a new macOS malware variant attributed to the BlueNoroff APT group, linked to the RustBucket campaign, embedded in a Mach-O universal binary labeled ProcessRequest. The malware communicates with swissborg.blog (resolved to 104.168.2…
Jamf has identified ObjCShellz, a new macOS malware linked to North Korean BlueNoroff/Lazarus actors and likely part of the RustBucket Campaign, targeting crypto exchanges. The sample shows a simple remote-shell capability with a hardcoded C2 address, and rese…
Elastic Security Labs details a DPRK-linked intrusion targeting blockchain engineers via a Discord DM lure, employing a multi-stage Python-based chain and memory-resident payloads (SUGARLOADER, HLOADER, KANDYKORN) with RC4-encrypted C2 communications. The oper…
In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
This article analyzes a ZShlayer variant of the macOS Shlayer malware that shifts from Bash to Zsh and uses heavy obfuscation and encoded payloads to evade static detections and Apple Notarization checks. It explains the decoding workflow, how the final payloa…
K7 Labs found a fake cracked-software site (crack(-)mac(.)com) that distributes Pirrit adware to macOS users by serving malicious DMGs and redirecting downloads through Vexfile and other hosts. The installer uses a shell stub that kills Terminal, extracts a pa…
MetaStealer is a new macOS infostealer family that uses obfuscated Go binaries delivered in disk image droppers (.dmg) aimed at business users, with some variants undetected by Apple XProtect. The malware exfiltrates keychain data, saved passwords, and files, …
A new malvertising campaign targets Mac users with an OSX version of Atomic Stealer (AMOS), delivered through deceptive ads and a phishing page. The payload is an ad-hoc signed DMG that bypasses Gatekeeper and exfiltrates stolen data to a criminal back end. #A…
IronNet reports a rise in macOS malware detections in education networks, driven by AdLoad and UpdateAgent on BYOD devices returning to campus. The findings highlight BYOD risk, multi-stage C2 activity, and the need for strict network segmentation and BYOD con…