{
	"id": "70ff9db3-8bc3-4b20-8033-69dc7abaa7ea",
	"created_at": "2026-04-06T00:08:48.494445Z",
	"updated_at": "2026-04-10T03:21:40.012378Z",
	"deleted_at": null,
	"sha1_hash": "1d0cfd730f2f9981d776252d0a324d687b56f5bc",
	"title": "Convuster: macOS adware now in Rust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722259,
	"plain_text": "Convuster: macOS adware now in Rust\r\nBy Ilya Mogilin\r\nPublished: 2021-03-18 · Archived: 2026-04-05 15:31:25 UTC\r\nIntroduction\r\nTraditionally, most malicious objects detected on the macOS platform are adware: besides the already familiar\r\nShlayer family, the TOP 10 includes Bnodlero, Cimpli, Adload and Pirrit adware. As a rule, most tend to be\r\nwritten in C, Objective-C or Swift. Recently, however, cybercriminals have been paying increased attention to\r\nnew programming languages, seemingly in the hope that such code will be more opaque to virus analysts who\r\nhave little or no experience with the newer languages. We have already seen quite a few samples written in Go,\r\nand recently cybercriminals turned their attention to Rust as well.\r\nThe first to write about suspicious files in this programming language was a Twitter user, @gorelics:\r\nIn the screenshot shown in the tweet, one can see that several samples of suspicious code are run by configuration\r\nPLIST files through the LaunchAgents/LaunchDaemons mechanism. Alongside the suspicious names of the\r\nPLIST files, this is the first wake-up call that the program is dangerous, given the low popularity of Rust-based\r\nexecutables.\r\nWe examined these samples for malicious behavior. 
The analysis showed these executables to be a new adware\r\nprogram, which has subsequently been called Convuster.\r\nTechnical details\r\nSample in Rust\r\nIt can be deduced that the analyzed sample was written in Rust from the frequent use of the language’s standard\r\nlibrary, as well as several code lines containing paths to files with the .rs extension, which is the standard Rust\r\nsource file extension.\r\nRust artifacts in the sample\r\nhttps://securelist.com/convuster-macos-adware-in-rust/101258/\r\nPage 1 of 6\n\nAt startup, the executable checks the configuration PLIST files ~/Library/LaunchAgents/com.ist.up.plist and\r\n/Library/LaunchDaemons/com.ist.up.plist for keys needed to run the sample, such as RunAtLoad, StartInterval\r\nand Version. We were not able to retrieve these files, but presumably they are used to run the sample under\r\ninvestigation when the user logs in to the system.\r\nAfter these checks, the program obtains the device ID, as well as the system version and bitness, and forwards the\r\ngathered data to the following server: hxxps://post.convstats[.]com/hb/. In response, Convuster receives a JSON\r\nfile and sends a request to the host specified in this file. The response to this request is a Bash script that gets\r\nexecuted by the Bash shell and then removed from the system.\r\nRequest generation\r\nAt the time of analysis, the server was not responding to requests. 
However, after examining information about the\r\nsuspicious convstats[.]com domain, we detected the update.convstats[.]com and trk.convstats[.]com\r\nsubdomains (in addition to the already known post.convstats[.]com).\r\nSample in Swift\r\nIn the update.convstats[.]com subdomain, at the address hxxps://update.convstats[.]com/Player.dmg, we found\r\na DMG disk image containing another Convuster executable, this time in the Swift programming language.\r\nThe payload of the executable was encrypted:\r\nXOR encryption\r\nHaving decrypted the data, Convuster runs the code obtained, first of all checking that the DMG image was\r\ndownloaded specifically from the address hxxps://update.convstats[.]com/Player.dmg with either the ?_=1390081 or &_=1390081 parameter. It does so by accessing the quarantine database of the macOS Gatekeeper\r\nsecurity feature using the following query:\r\nselect LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString from LSQuarantineEvent order by LSQuarantineTimeStamp desc limit 3\r\nTypical Gatekeeper database content\r\nUsually, this macOS database serves as a log for all files downloaded from untrusted sources. However,\r\nConvuster’s creators use it to protect their handiwork from being analyzed. If it was not downloaded from an\r\n“official” server, but rather got into the system some other way, it may mean that the program is in a test or virtual\r\nenvironment, that is, under investigation by virus analysts.\r\nIf the file source check is successful, the user is shown a window prompting to install Flash Player. 
Otherwise, the\r\nprogram prompts to continue the installation later, and then exits.\r\nThe installer mimics a Flash Player update\r\nRegardless of whether the user agrees to the installation or attempts to close the window, Convuster sends a\r\nrequest to hxxps://post.convstats[.]com/dis/ to download the installation script, and then runs it in the Bash shell.\r\nRunning the script in the Bash shell\r\nDistribution\r\nConvuster is run through LaunchAgents, but the program does not try to add itself to startup independently. This\r\nmeans that the file in question was most likely neither downloaded nor installed directly by the user. In our view,\r\nConvuster could have been installed by some other adware.\r\nAt the time of the study, we were aware of the following domain names performing redirects to the\r\nupdate.convstats[.]com subdomain:\r\nBesides, forum users complain about other domains prompting to install a fake Flash Player update:\r\nUser complaints about advertising redirects\r\nConclusion\r\nBased on the behavior of the Convuster samples in Rust and Swift, we classify this program as adware. 
Despite\r\ntheir supposed exoticism, these languages lack nothing in terms of functionality from an adware developer’s point\r\nof view: Rust, for instance, has the tools not only for authoring adware, but for carrying out more sophisticated\r\nattacks.\r\nBesides the choice of programming language, it is noteworthy that cybercriminals have learned to use built-in\r\nmacOS tools and technologies, such as Gatekeeper, for their own purposes (for example, to verify the source of a\r\nfile). Although this family is no longer active, it is a clear illustration of how attackers are constantly honing their\r\nthreats to evade analysis and deliver adware to as many devices as possible.\r\nKaspersky security solutions detect this adware with the following verdict: not-a-virus:HEUR:AdWare.OSX.Convuster.a.\r\nIoCs\r\nSHA-256\r\nDomains\r\npost.convstats[.]com\r\nupdate.convstats[.]com\r\ntrk.convstats[.]com\r\nSource: 
https://securelist.com/convuster-macos-adware-in-rust/101258/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/convuster-macos-adware-in-rust/101258/"
	],
	"report_names": [
		"101258"
	],
	"threat_actors": [],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d0cfd730f2f9981d776252d0a324d687b56f5bc.pdf",
		"text": "https://archive.orkl.eu/1d0cfd730f2f9981d776252d0a324d687b56f5bc.txt",
		"img": "https://archive.orkl.eu/1d0cfd730f2f9981d776252d0a324d687b56f5bc.jpg"
	}
}