{
	"id": "189b443a-57c2-40a2-b46a-dd460a074fe2",
	"created_at": "2026-04-06T00:19:51.915723Z",
	"updated_at": "2026-04-10T13:12:41.753933Z",
	"deleted_at": null,
	"sha1_hash": "20f0dfec437d39d1f03dc983614374390a86fc70",
	"title": "UpdateAgent Adapts Again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40964,
	"plain_text": "UpdateAgent Adapts Again\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-05 18:02:09 UTC\r\nAuthors: Jaron Bradley, Stuart Ashenbrenner and Matt Benyo\r\nDropper and Initial Instructions\r\nThe newly discovered Swift-based dropper exhibits many of the characteristics of typical dropper malware,\r\nincluding some minor system fingerprinting, endpoint registration and persistence. The second-stage download-and-execute\r\nfunctionality of droppers, in general, represents a risky class of malware that supports a number of\r\nsecond-stage attacks, from malware to spyware to adware.\r\nIn this case, Jamf Threat Labs was tipped by an increase in adware/malware threat preventions that appeared to be\r\na part of the same family. Additionally, each instance was traced to an executable named PDFCreator. This\r\nexecutable was unsigned and running from the “/Library/Application Support” directory. Upon further inspection,\r\nthe executable was determined to be written in Swift, containing suspiciously obfuscated (base64) strings.\r\nAt the time of discovery, this binary had zero hits from antivirus vendors in VirusTotal.\r\nWhen executed, this binary is responsible for reaching out to a registration server and setting up persistence on the\r\nsystem on which it runs.\r\nWhen this executable runs, the following command is run to gather the machine hardware ID in order to use it as a\r\nunique identifier moving forward.\r\nThe executable then uses the following curl command to reach out to a server to register the device and acquire a\r\nbash script to be executed.\r\nThe execution of this bash script is the Mach-O executable’s primary task. After pulling it from the URL, it runs\r\ndirectly from the Swift dropper without hitting the hard drive. During our analysis, the script contents were\r\nuploaded to VirusTotal and can be seen here.\r\nBased on the results we are seeing, we suspect this bash script is likely built dynamically as machines are\r\nregistered. 
This script performs a large number of actions. Below are just some of the interesting variables that are\r\nused which we’ve labeled with comments.\r\nAdditionally, another variable titled “URL” was set. However, it was obvious that at the time of investigation the\r\nlink meant to provide this URL value was currently down or unattainable as the $URL variable was set to a “File\r\nnot found” type error.\r\nHowever, other samples of this malicious script can be found on VT that appear to have URLs pointing to AWS\r\nS3 buckets. AWS has been made aware of the specifics.\r\nhttps://www.jamf.com/blog/updateagent-adapts-again/\r\nPage 1 of 3\n\nDropped Malware\r\nWhen the URL variable is accurately set by the server, it gets used to download a stage-2 disk image (DMG) to\r\nthe endpoint. Below, we’ve again commented on the code to describe what's happening.\r\nIn cases where the $URL is active, the downloaded DMG contained an application. The application file name held\r\nwithin the DMG appears to have been created by combining a few random words together. This application is then\r\ncopied to the /tmp directory. A handful of the ones we’ve seen are as follows:\r\nThe path to the newly created application is then stored within the $TMPFILE variable created earlier.\r\nOne interesting trick that this malware uses is that it modifies the /etc/sudoers file with the following command:\r\nThis command makes it so that the basic user can execute the script ($TMPFILE) as root without requiring a\r\npassword. This modification to the sudoers file is only possible if UpdateAgent is already running as root.\r\nThe malware then creates a user-level LaunchAgent by running a series of PlistBuddy commands. 
Here’s an\r\nexample of a resulting launch agent:\r\nBoth the editing of the sudoers file and the creation of persistence using the PlistBuddy command align with past\r\nworkflows done by UpdateAgent according to previous findings from Microsoft.\r\nWhen this plist loads at runtime, it will execute the temporary application. Even though it runs as a user\r\nLaunchAgent, it is able to escalate to root without a password due to the previously mentioned modification made\r\nto the /etc/sudoers file.\r\nAfter the LaunchAgent is loaded, the malicious bash script sleeps for a short period of time and then performs\r\ncleanup by unmounting the DMG file and removing the changes it made to the sudoers file.\r\nOther Executables\r\nIn many circumstances, we see yet another plist and binary combination being dropped by PDFCreator\r\ncalled “ActiveDirectory”.\r\nOnce again, in the VirusTotal screenshot above, this binary is seen as clean.\r\nAfter close examination, we noted that this executable is almost identical to the PDFCreator executable. The\r\nprimary difference is that it reaches out to a different URL from which it should load a bash script.\r\nIn the cases that we observed, this downloaded bash script would send a simple check-in event to the cloud. If the\r\ncontents of this URL change, the victim computer can perform any given instructions when it checks in next.\r\nConclusion\r\nThe authors of the UpdateAgent malware remain vigilant in keeping it up to date. 
It is known for having a well-built backend that allows itself to be easily updated, and although we’ve only seen adware families dropped by it,\r\nsecurity experts are concerned that there might be other malicious plans for the future with such a well-built\r\ninfrastructure.\r\nJamf Protect users are covered against the known, existing families of this malware, including various\r\ndetections surrounding suspicious behaviors and potentially unwanted applications, thanks to the frequently\r\nupdated behavioral analytics.\r\nIoCs\r\nThreat actors and malware authors are savvy to updating their toolsets to continue compromising\r\nendpoints.\r\nSo, why not rely on a solution, like Jamf Protect, that is consistently updated and has the strength of the Jamf\r\nThreat Labs behind it to prevent the latest threats?\r\nSource: https://www.jamf.com/blog/updateagent-adapts-again/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.jamf.com/blog/updateagent-adapts-again/"
	],
	"report_names": [
		"updateagent-adapts-again"
	],
	"threat_actors": [],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f0dfec437d39d1f03dc983614374390a86fc70.pdf",
		"text": "https://archive.orkl.eu/20f0dfec437d39d1f03dc983614374390a86fc70.txt",
		"img": "https://archive.orkl.eu/20f0dfec437d39d1f03dc983614374390a86fc70.jpg"
	}
}