{
	"id": "abe40ee1-2484-437f-a36a-d85dfdcfc5eb",
	"created_at": "2026-04-06T00:18:39.306604Z",
	"updated_at": "2026-04-10T03:21:29.562362Z",
	"deleted_at": null,
	"sha1_hash": "5899132e6f2769a403913d4789e4b65e1048226c",
	"title": "Initial research exposing JOKERSPY",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 702555,
	"plain_text": "Initial research exposing JOKERSPY\r\nBy Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, Ricardo Ungureanu\r\nPublished: 2023-06-21 · Archived: 2026-04-05 14:48:57 UTC\r\nKey takeaways\r\nThis is an initial notification of an active intrusion with additional details to follow\r\nREF9134 leverages custom and open source tools for reconnaissance and command and control\r\nTargets of this activity include a cryptocurrency exchange in Japan\r\nPreamble\r\nThis research article explores a recently discovered intrusion we’re calling REF9134, which involves using the sh.py\r\nbackdoor to deploy the macOS Swiftbelt enumeration tool. sh.py and xcc have recently been dubbed JOKERSPY by\r\nBitdefender.\r\nSpecifically, this research covers:\r\nHow Elastic Security Labs identified reconnaissance from the adversary group\r\nThe adversary’s steps to evade detection using xcc , installing the sh.py backdoor, and deploying enumeration tools\r\nA deeper look at this attack may be published at a later date.\r\nOverview\r\nIn late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our\r\ndiagnostic endpoint alerts that detected the execution of a binary ( xcc ). xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign. While this detection in itself was not necessarily innocuous, the industry\r\nvertical and additional activity we observed following these initial alerts caught our eye and caused us to pay closer\r\nattention.\r\nFollowing the execution of xcc , we observed the threat actor attempting to bypass TCC permissions by creating their own\r\nTCC database and trying to replace the existing one. 
On June 1st a new Python-based tool was seen executing from the same\r\ndirectory as xcc and was utilized to execute an open-source macOS post-exploitation enumeration tool known as Swiftbelt.\r\nAnalysis\r\nREF9134 is an intrusion into a large Japan-based cryptocurrency service provider focusing on asset exchange for trading\r\nBitcoin, Ethereum, and other common cryptocurrencies.\r\nThe xcc binary\r\nxcc ( d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8 ) is a self-signed multi-architecture\r\nbinary written in Swift which is used to evaluate current system permissions. The version observed by Elastic Security Labs\r\nis signed as XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4 , and has a code signature resembling\r\npublicly known and untrusted payloads.\r\nInitial detection of the xcc binary\r\nhttps://www.elastic.co/security-labs/inital-research-of-jokerspy\r\nPage 1 of 7\n\nTo identify other binaries signed with the same identifier, we converted XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4 to hexadecimal and searched VirusTotal to identify 3 additional samples (\r\ncontent:\r\n{5850726f74656374436865636b2d35353535343934346637343039366138333662373333313062643535643937643164666635636434}\r\n).\r\nEach contained the same core functionality with structural differences. These discrepancies may indicate that these variants\r\nof xcc were developed to bypass endpoint capabilities that interfered with execution.\r\nShortly after the creation of xcc , researchers observed the threat actor copying /Users/Shared/tcc.db over the existing TCC\r\ndatabase, /Library/Application Support/com.apple.TCC/TCC.db. 
This may enable the threat actor to avoid TCC prompts\r\nvisible to system users while simultaneously abusing a directory with broad file write permissions.\r\nXcode artifacts\r\nDuring analysis of this binary, researchers identified two unique paths, /Users/joker/Developer/Xcode/DerivedData/ and\r\n/Users/joker/Downloads/Spy/XProtectCheck/XProtectCheck/ , which stood out as anomalous. The default path for\r\ncompiling code with Xcode is /Users/[username]/Developer/Xcode/DerivedData.\r\nAbusing TCC\r\nThese introspection permissions are managed by the native Transparency, Consent, and Control (TCC) feature. Researchers\r\ndetermined that xcc checks FullDiskAccess and ScreenRecording permissions, as well as checking if the screen is currently\r\nlocked and if the current process is a trusted accessibility client.\r\nxcc queries current system permissions\r\nUpon successfully executing in our Detonate environment, the following results were displayed:\r\nTCC permissions queried by xcc\r\nOnce the custom TCC database was placed in the expected location, the threat actor executed the xcc binary.\r\nThreat actor creating/modifying, moving a TCC database, and then executing xcc\r\nInitial access\r\nThe xcc binary was executed via bash by three separate processes:\r\n/Applications/IntelliJ IDEA.app/Contents/MacOS/idea\r\n/Applications/iTerm.app/Contents/MacOS/iTerm2\r\n/Applications/Visual Studio Code.app/Contents/MacOS/Electron.\r\nWhile we are still investigating and continuing to gather information, we strongly believe that the initial access for this\r\nmalware was a malicious or backdoored plugin or third-party dependency that provided the threat actor access. 
This aligns\r\nwith the connection that was made by the researchers at Bitdefender who correlated the hardcoded domain found in a\r\nversion of the sh.py backdoor to a Tweet about an infected macOS QR code reader which was found to have a malicious\r\ndependency.\r\nDeployed cryptographic libraries\r\nOn May 31st, researchers observed three non-native DyLibs deployed to /Users/shared/keybag/ called\r\nlibcrypto.1.0.0.dylib , libncursesw.5.dylib , and libssl.1.0.0.dylib. On MacOS, keys for file and keychain Data Protection\r\nare stored in keybags, and pertain to iOS, iPadOS, watchOS, and tvOS. At this time, researchers propose that this staging\r\nserves a defense evasion purpose and speculate that they may contain useful vulnerabilities. The threat actor may plan to\r\nintroduce these vulnerabilities to otherwise patched systems or applications.\r\nThe sh.py backdoor\r\nsh.py is a Python backdoor used to deploy and execute other post-exploitation capabilities like Swiftbelt .\r\nThe malware loads its configuration from ~/Public/Safari/sar.dat. The configuration file contains crucial elements such as\r\ncommand-and-control (C2) URLs, a sleep timer for beaconing purposes (the default value is 5 seconds), and a unique nine-digit identifier assigned to each agent.\r\nExecution of sh.py with the C2 URL provided as a parameter\r\nAs part of its periodic beaconing, the malware gathers and transmits various system information. 
The information sent\r\nincludes:\r\nHostname\r\nUsername\r\nDomain name\r\nCurrent directory\r\nThe absolute path of the executable binary\r\nOS version\r\nIs 64-bit OS\r\nIs 64-bit process\r\nPython version\r\nBelow is a table outlining the various commands that can be handled by the backdoor:\r\nCommand Description\r\nsk Stop the backdoor's execution\r\nl List the files of the path provided as parameter\r\nc Execute and return the output of a shell command\r\ncd Change directory and return the new path\r\nxs Execute a Python code given as a parameter in the current context\r\nxsi Decode a Base64-encoded Python code given as a parameter, compile it, then execute it\r\nr Remove a file or directory from the system\r\ne Execute a file from the system with or without parameter\r\nu Upload a file to the infected system\r\nd Download a file from the infected system\r\ng Get the current malware's configuration stored in the configuration file\r\nw Override the malware's configuration file with new values\r\nSwiftbelt\r\nOn June 1st, the compromised system registered a signature alert for MacOS.Hacktool.Swiftbelt, a MacOS enumeration\r\ncapability inspired by SeatBelt and created by the red-teamer Cedric Owens. Unlike other enumeration methods, Swiftbelt\r\ninvokes Swift code to avoid creating command line artifacts. 
Notably, xcc variants are also written using Swift.\r\nThe signature alert indicated that Swiftbelt was written to /Users/shared/sb and executed using the bash shell interpreter, sh.\r\nThe full command line observed by researchers was Users/Shared/sb /bin/sh -c /users/shared/sb \\\u003e /users/shared/sb.log\r\n2\\\u003e\u00261 , demonstrating that the threat actor captured results in sb.log while errors were directed to STDOUT.\r\nDiamond Model\r\nElastic Security utilizes the Diamond Model to describe high-level relationships between the adversaries, capabilities,\r\ninfrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, and\r\nleveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section\r\n7.1.4) approach allows for a single, although cluttered, diamond.\r\nREF9134 Diamond Model\r\nObserved tactics and techniques\r\nMITRE ATT\u0026CK Tactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an\r\naction. These are the tactics observed by Elastic Security Labs in this campaign:\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nDiscovery\r\nMITRE ATT\u0026CK Techniques / Sub-techniques\r\nTechniques and Sub-techniques represent how an adversary achieves a tactical goal by performing an action. 
These are the\r\ntechniques observed by Elastic Security Labs in this campaign:\r\nCommand and Scripting Interpreter\r\nDylib Hijacking\r\nPotential Exploitation for Privilege Escalation\r\nPotential Abuse Elevation Control Mechanism\r\nHide Artifacts\r\nMasquerading\r\nObfuscating Files or Information\r\nSubvert Trust Controls\r\nApplication Window Discovery\r\nScreen Capture\r\nCrytpoistic Software\r\nData from Local System\r\nDetection logic\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the JOKERSPY\r\nbackdoor and SwiftBelt tool.\r\nrule Macos_Hacktool_JokerSpy {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-06-19\"\r\n last_modified = \"2023-06-19\"\r\n os = \"MacOS\"\r\n arch = \"x86\"\r\n category_type = \"Hacktool\"\r\n family = \"JokerSpy\"\r\n threat_name = \"Macos.Hacktool.JokerSpy\"\r\n reference_sample = \"d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $str1 = \"ScreenRecording: NO\" fullword\r\n $str2 = \"Accessibility: NO\" fullword\r\n $str3 = \"Accessibility: YES\" fullword\r\n $str4 = \"eck13XProtectCheck\"\r\n $str5 = \"Accessibility: NO\" fullword\r\n $str6 = \"kMDItemDisplayName = *TCC.db\" fullword\r\n condition:\r\n 5 of them\r\n}\r\nrule MacOS_Hacktool_Swiftbelt {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2021-10-12\"\r\n last_modified = \"2021-10-25\"\r\n threat_name = \"MacOS.Hacktool.Swiftbelt\"\r\n reference_sample = \"452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1\"\r\n os = \"macos\"\r\n arch_context = \"x86\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $dbg1 = \"SwiftBelt/Sources/SwiftBelt\"\r\n $dbg2 = \"[-] Firefox places.sqlite database not found for user\"\r\n $dbg3 = \"[-] No security products found\"\r\n $dbg4 = \"SSH/AWS/gcloud 
Credentials Search:\"\r\n $dbg5 = \"[-] Could not open the Slack Cookies database\"\r\n $sec1 = \"[+] Malwarebytes A/V found on this host\"\r\n $sec2 = \"[+] Cisco AMP for endpoints found\"\r\n $sec3 = \"[+] SentinelOne agent running\"\r\n $sec4 = \"[+] Crowdstrike Falcon agent found\"\r\n $sec5 = \"[+] FireEye HX agent installed\"\r\n $sec6 = \"[+] Little snitch firewall found\"\r\n $sec7 = \"[+] ESET A/V installed\"\r\n $sec8 = \"[+] Carbon Black OSX Sensor installed\"\r\n $sec9 = \"/Library/Little Snitch\"\r\n $sec10 = \"/Library/FireEye/xagt\"\r\n $sec11 = \"/Library/CS/falcond\"\r\n $sec12 = \"/Library/Logs/PaloAltoNetworks/GlobalProtect\"\r\n $sec13 = \"/Library/Application Support/Malwarebytes\"\r\n $sec14 = \"/usr/local/bin/osqueryi\"\r\n $sec15 = \"/Library/Sophos Anti-Virus\"\r\n $sec16 = \"/Library/Objective-See/Lulu\"\r\n $sec17 = \"com.eset.remoteadministrator.agent\"\r\n $sec18 = \"/Applications/CarbonBlack/CbOsxSensorService\"\r\n $sec19 = \"/Applications/BlockBlock Helper.app\"\r\n $sec20 = \"/Applications/KextViewr.app\"\r\n condition:\r\n 6 of them\r\n}\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable Type Name Reference\r\napp.influmarket[.]org Domain n/a sh.py domain\r\nd895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8 SHA-256 /Users/Shared/xcc Macos.Hacktool.Jok\r\n8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626 SHA-256 /Users/Shared/sb MacOS.Hacktool.Sw\r\naa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1 SHA-256 /Users/Shared/sh.py sh.py script\r\nSource: 
https://www.elastic.co/security-labs/inital-research-of-jokerspy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/inital-research-of-jokerspy"
	],
	"report_names": [
		"inital-research-of-jokerspy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5899132e6f2769a403913d4789e4b65e1048226c.pdf",
		"text": "https://archive.orkl.eu/5899132e6f2769a403913d4789e4b65e1048226c.txt",
		"img": "https://archive.orkl.eu/5899132e6f2769a403913d4789e4b65e1048226c.jpg"
	}
}