{
	"id": "8dcb6977-7182-4add-a417-0502cdf48c55",
	"created_at": "2026-04-10T03:20:40.469417Z",
	"updated_at": "2026-04-10T03:22:18.207128Z",
	"deleted_at": null,
	"sha1_hash": "3f780cfb0f5b50f46b0ab544610e6279810af77c",
	"title": "New macOS malware HZ RAT gives attackers backdoor access to Macs",
	"llm_title": "",
	"authors": "Joshua Long",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 778396,
	"plain_text": "New macOS malware HZ RAT gives attackers backdoor access to Macs\r\nBy Joshua Long\r\nPublished: 2024-09-05 · Archived: 2026-04-10 03:02:09 UTC\r\nThere’s a new family of Mac malware, and—surprise!—it isn’t primarily a stealer this time. HZ RAT is macOS malware that gives remote attackers complete control of an infected Mac.\r\nHere’s everything you need to know to stay safe from this new Mac malware threat.\r\nWhat does HZ RAT do?\r\nHZ RAT is a remote access Trojan (RAT)—a tool that lets an attacker remotely control an infected system, with whatever privileges the compromised user account has. The earliest known version of this RAT was observed in 2022 targeting Windows PCs, and now it has arrived on the Mac.\r\nIn general, an attacker who controls a RAT can send commands to an infected system just as though they were sitting in front of it. This can potentially include downloading and running additional tools and malware, taking screenshots, logging keystrokes, and more. RATs also allow attackers to do all the typical things stealer malware does—i.e. collecting and exfiltrating sensitive data.\r\nhttps://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/\r\nPage 1 of 5\r\nData collection appears to be one of the main purposes of HZ RAT in particular. The Mac version makes a list of which apps are installed and collects user information from WeChat and DingTalk (messaging and collaboration apps commonly used in China). It also gathers the username-and-site combinations stored in Google Password Manager.\r\nWhile the collected Google Password Manager data doesn’t include passwords, the username-and-site pairs could potentially be used along with leaked passwords from past data breaches; unfortunately, many people reuse passwords across multiple sites.\r\nHow does HZ RAT spread?\r\nIt isn’t yet known how victims may have encountered HZ RAT installers in the first place. However, one known Trojan horse that installs HZ RAT is a maliciously modified version of OpenVPN Connect, a common VPN app.\r\nIt’s possible that this Trojan horse might be distributed through means such as malicious Google Ads that appear at the top of search results (a very common malware distribution tactic in 2024). Or it might be distributed in more targeted, watering-hole style attacks, or through some other distribution method.\r\nIn any case, it’s important to always download apps from the App Store (if available there) or from the original developer’s site (which, ideally, you’ve already visited and bookmarked, so you don’t have to Google it).\r\nHow can I keep my Mac safe from RATs and other malware?\r\nIf you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/HZRat.ext.\r\nIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.\r\nIf you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.\r\nOne of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.\r\nIf you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.\r\nIndicators of compromise (IOCs)\r\nFollowing are SHA-256 hashes of malware samples from this campaign:\r\n0cca3449ff12cb75c9fd9cf4628b5d72f5ac67d1954dc97d9830436207c4c917\r\n1400210f2eedab36caff8ce89d6d19859ba3116775981b2be8b5069ef109c2c3\r\n1e07585f52be4605be0459bc10c67598eebe8c5d003d6e2d42f4dbbd037e74c1\r\n5d78fc86a389247d768a6bdf46f3e4fd697ed87c133b99ee6865809e453b2908\r\n6210ec0e905717359e01358118781a148b6d63834a54a25a95e32e228598c391\r\n74c92a7bc5f909f4e36d65ee1eb254c438f47f1a7d559d7629bccafd2d2979db\r\n7af7422edf7c558b6215489c020673e195e5eedd99ae330bb90066924f5cf661\r\n87393d937407a6fe9e69dad3836e83866107809980e20a40ae010d7d72f90854\r\nc689113a9a2fca2148caa90f71115c2c2bafeac36edebde4ffc63f87619033a9\r\nd006d5864108094a82315ee60ce057afc8be09546ffaa1f9cc63a51a96764114\r\nd9b0fcd3b20a82b97b4c74deebc7a2abb8fd771eaa12aaf66bdd5cdeaa30f706\r\ne02e264a745e046f2a85ad90698fdd241c7902e73572a54995a8b20349bef940\r\neb7a8ddf8fc13efcc4785226d0085379399c088604a8a451b8800b11e836a5af\r\nf39aafb9489b9b60b34e3d4e78cd9720446b6247531b81cbd4877804b065a25f\r\nf3c101cd1e7be4ce6afe5d0236bfdd5b43870ff03556908f75692585cfd55c55\r\nffeed91c223a718c1afd6d8f059a76ec97eb0eae6c4b2072b343be1b4eba09b8\r\nThis malware campaign leverages the following command-and-control (C2) IP addresses, most of which appear to be located in China (the dots are bracketed so the addresses can’t be clicked by accident; remove the brackets before searching logs):\r\n20.60.250[.]230\r\n29.40.48[.]21\r\n47.100.65[.]182\r\n58.49.21[.]113\r\n111.21.246[.]147\r\n113.125.92[.]32\r\n120.53.133[.]226\r\n123.232.31[.]206\r\n218.65.110[.]180\r\n218.193.83[.]70\r\nNetwork administrators can search DNS, proxy, firewall, and flow logs for any computers that attempted to contact these IPs in recent weeks. A hit is a lead rather than proof of infection on its own: the host should then be examined for a recently installed OpenVPN Connect package and for files matching the hashes above, and the addresses are worth blocking at the network edge.\r\nDo security vendors detect this by any other names?\r\nOther antivirus vendors’ names for this malware may include variations of the following:\r\nA Variant Of OSX/HZRat.A, ABBackdoor.PNBT-, Backdoor:MacOS/HZRat.A, Backdoor.HZRat/OSX!1.10239 (CLASSIC), BackDoor.Rat.504, Backdoor/OSX.HZRat.57832, Backdoor/OSX.HZRat.65736, Backdoor/OSX.HZRat.81033750, Gen:Variant.Trojan.MAC.HZRat.1 (B), HEUR:Backdoor.OSX.HZRat.a, HEUR:Backdoor.OSX.HZRat.gen, MacOS:Agent-ANR [Trj], MacOS:HZRat-A [Trj], MacOS/ABTrojan.AWJF-, MacOS/ABTrojan.BFPE-, MacOS/ABTrojan.DIJE-, MacOS/ABTrojan.FYPM-, MacOS/ABTrojan.JIKJ-, MacOS/ABTrojan.MAOD-, MacOS/ABTrojan.NRFK-, MacOS/ABTrojan.RCIO-, MacOS/ABTrojan.RQNI-, MacOS/ABTrojan.SZVP-, MacOS/ABTrojan.URYF-, MacOS/ABTrojan.XYJG-, MacOS/ABTrojan.ZCRE-, MacOS/ABTrojan.ZYUF-, Malware.OSX/GM.Agent.IJ, Malware.OSX/GM.HZRat.WL, Osx.Backdoor.Hzrat.Azlw, Osx.Backdoor.Hzrat.Bdhl, Osx.Backdoor.Hzrat.Cgow, Osx.Backdoor.Hzrat.Cwnw, Osx.Backdoor.Hzrat.Iajl, Osx.Backdoor.Hzrat.Kjgl, Osx.Backdoor.Hzrat.Lajl, Osx.Backdoor.Hzrat.Lcnw, Osx.Backdoor.Hzrat.Mqil, Osx.Backdoor.Hzrat.Msmw, Osx.Backdoor.Hzrat.Ogil, Osx.Backdoor.Hzrat.Qimw, Osx.Backdoor.Hzrat.Xtjl, Osx.Backdoor.Hzrat.Zimw, Osx.Backdoor.Hzrat.Zmhl, OSX.Trojan.Gen, OSX/Agent, OSX/GM.Agent.IJ, OSX/HCSSET.ext, OSX/HZRat-A, OSX/HZRat.A!tr, OSX/RootRat, TROJ_FRS.0NA103HU24, Trojan ( 0040f50d1 ), Trojan:MacOS/HzRat.A!MTB, Trojan:MacOS/Multiverze, Trojan.MAC.Generic.119695 (B), Trojan.MAC.Generic.119751 (B), Trojan.MAC.Generic.119785 (B), Trojan.MAC.Generic.D1D38F, Trojan.MAC.Generic.D1D3C7, Trojan.MAC.Generic.D1D3E9, Trojan.OSX.Hzrat, Trojan.OSX.HZRat.4!c, Trojan.OSX.HZRat.m!c, Trojan.Trojan.MAC.HZRat.1, Trojan[Backdoor]/MacOS.HZRat, Trojan[Backdoor]/OSX.HZRat.gen, UDS:Backdoor.OSX.HZRat, UDS:DangerousObject.Multi.Generic, XAR/ABTrojan.MJTT-\r\nHow can I learn more?\r\nFor more technical details about this malware, you can read Sergey Puzan’s report.\r\nEach week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.\r\nYou can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.\r\nAbout Joshua Long\r\nJoshua Long (@theJoshMeister), formerly Intego’s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master’s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. — View all posts by Joshua Long →\r\nSource: https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/"
	],
	"report_names": [
		"new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs"
	],
	"threat_actors": [],
	"ts_created_at": 1775791240,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f780cfb0f5b50f46b0ab544610e6279810af77c.pdf",
		"text": "https://archive.orkl.eu/3f780cfb0f5b50f46b0ab544610e6279810af77c.txt",
		"img": "https://archive.orkl.eu/3f780cfb0f5b50f46b0ab544610e6279810af77c.jpg"
	}
}