{
	"id": "e7f614a5-f5e3-4efd-a64a-6610af00c8c1",
	"created_at": "2026-04-06T00:07:51.801524Z",
	"updated_at": "2026-04-10T03:21:36.685779Z",
	"deleted_at": null,
	"sha1_hash": "71d5f6f2af96144e5e81aabcaa281c0f629bfa55",
	"title": "APT Actors Embed Malware within macOS Flutter Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2421501,
	"plain_text": "APT Actors Embed Malware within macOS Flutter Applications\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-05 20:16:52 UTC\r\nJamf Threat Labs discovered malware samples believed to be tied to the Democratic People's Republic of Korea\r\n(DPRK), aka North Korea, that are built using Flutter, which by design provides obfuscation to the malicious\r\ncode. JTL performs a deep dive into how the malicious code works to help protect users on macOS devices.\r\nBy Ferdous Saljooki and Jaron Bradley\r\nIntroduction\r\nIn late October, Jamf Threat Labs discovered samples uploaded to VirusTotal that are reported as clean despite\r\nshowing malicious intent. The domains and techniques in the malware align closely with those used in other\r\nDPRK malware and show signs that, at one point in time, the malware was signed and had even temporarily\r\npassed Apple’s notarization process. It’s unclear in this case if the malware has been used against any targets or if\r\nthe attacker is preparing for a new form of delivery.\r\nThe Packaging\r\nThe discovered malware came in three forms: a Go variant, a Python variant built with Py2App and a Flutter-built\r\napplication. This blog post will focus on the Flutter-built application as we find it the most interesting due to its\r\ncomplexity in reversing.\r\nhttps://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/\r\nPage 1 of 4\n\nFlutter is a framework developed by Google that simplifies app design for cross-platform applications. If a\r\ndeveloper is designing an app that they want to look consistent across macOS, iOS and Android, Flutter is a\r\nviable option.\r\nApplications built using Flutter lead to a uniquely designed app layout that provides a large amount of obscurity to\r\nthe code. 
This is due to the fact that code written into the main app logic using the Dart programming language is\r\ncontained within a dylib that is later loaded by the Flutter engine.\r\nThe image above shows the layout of a standard Flutter application with two notable files called out — a main\r\nFlutter application and a dylib file that gets assigned the name App. To make matters more confusing, this dylib is\r\nnot directly loaded by the main application. Due to the complex nature in which Flutter compiles its applications,\r\nthis dylib is not listed as a shared library within the primary Mach-O file. While there is nothing inherently\r\nmalicious about this app architecture, it just happens to provide a good avenue of obfuscation by design.\r\nThe Malware\r\nThe Flutter applications that were created by the malware author are considered to be a stage one payload. We\r\ninitially identified six infected applications, five of which were signed using a developer account signature. At the\r\ntime of our discovery, Apple had already revoked these signatures.\r\nOne application, titled New Updates in Crypto Exchange (2024-08-28).app\r\n(7cb8a9db65009f780d4384d5eaba7a7a5d7197c4), was built using Flutter and developed with the Dart\r\nprogramming language. When executed, the victim is presented with a functional minesweeper game. The game\r\nitself appears to be a clone of a basic open-source Flutter game on GitHub which is a project designed for iOS. By\r\ncloning the project and modifying some project settings, it can easily be compiled to run on macOS.\r\nDue to modifications made to the app, a network request is made to the domain mbupdate[.]linkpc[.]net upon\r\nstarting the app. 
This caught our attention as this domain has been used by DPRK malware in the past.\r\nBelow is the GET request for the stage two malware over HTTPS.\r\nUnfortunately, at the time of our analysis, the server was responding with a 404 error message.\r\nAs expected, due to the app architecture, the compiled Dart code makes it into the App dylib file located at the\r\npath New Updates in Crypto Exchange (2024-08-\r\n28).app/Contents/Frameworks/App.framework/Versions/A/App\r\n(a2cd8cf70629b5bb0ea62278be627e21645466a3).\r\nAs we see from the nm output below, the presence of snapshot-related symbols such as _kDartVmSnapshotData\r\nand _kDartIsolateSnapshotInstructions suggests that the application’s operational logic is heavily embedded\r\nwithin precompiled Dart snapshots, complicating analysis and decompilation efforts.\r\nTaking a closer look at strings, we can quickly determine some of the supported functionality. As expected, we see\r\nthe domain and user-agent strings within the dylib but the presence of the osascript string is quite interesting as\r\nit likely indicates capabilities supporting AppleScript execution.\r\nFor testing purposes, we redirected traffic from the malicious domain within a local test environment and\r\nconfirmed that the malware does indeed execute any AppleScript code returned by a valid HTTP response. 
Our\r\ntesting showed the stage two AppleScript must be written backward in order to be successfully executed by the\r\nmalware.\r\nBelow is an example of a dialog box message executed via a remote AppleScript.\r\nIn the past, we have observed DPRK adapting to use native AppleScript payloads, so we suspect similar payloads\r\nmay be leveraged by the attacker to compromise macOS systems.\r\nGolang Variant\r\nWe identified a Golang variant of the malware with similar functionality, titled New Era for Stablecoins and\r\nDeFi, CeFi (Protected).app (0b9b61d0fffd52e6c37df37dfdffefc0e121acf7). Our friends at SentinelOne put out\r\na recent blog post on an infection vector that uses this exact same file name, attributing it to the same threat actor.\r\nAs mentioned, this variant was previously signed and notarized by Apple but its signature has since been revoked.\r\nSimilar to the Flutter variant, the executable titled Hello (bc6b446bad7d76909d84e7948c369996b38966d1)\r\nmakes a GET request to hXXps://mbupdate[.]linkpc[.]net/update.php using the user-agent\r\nCustomUpdateUserAgent.\r\nIt invokes osascript to run any AppleScript payload received in the server response.\r\nPython Variant\r\nThe Python variant is packaged as a standalone application bundle using Py2App.\r\nThe app bundle titled Runner.app (ee22e7768e0f4673ab954b2dd542256749502e97) is signed ad-hoc and\r\nlaunches a functional Notepad application.\r\nThe boot script located at Runner.app/Contents/Resources/__boot__.py executes a Python script named\r\nnotepad_.py (6f280413a40d41b8dc828250bbb8940b219940c5). This script leverages tkinter, a built-in Python\r\nlibrary for creating GUI applications, for features like opening, editing and saving files.\r\nHowever, embedded within this script is malicious logic that fetches and executes remote code. Similar to the\r\nFlutter variant, the init method sends a GET request to hXXps://mbupdate[.]linkpc[.]net/update.php. 
If a valid\r\nresponse is received, the content is passed to the update() method.\r\nThe update() method uses osascript to execute the server response as AppleScript, allowing the attacker to\r\nrun arbitrary commands or payloads on the victim’s system.\r\nConclusion\r\nThe malware discovered in this blog shows strong signs that it is likely testing for greater weaponization. This\r\ntheory stems from the fact that the actor is known for putting together highly convincing social engineering\r\ncampaigns from start to finish and the file names seen here do not align with the content displayed to the user\r\nwithin the Flutter-built applications. This could perhaps be an attempt to see if a properly signed app with\r\nmalicious code obscured within a dylib could get approved by Apple’s notarization server, as well as slide under\r\nthe radar of antivirus vendors.\r\nIt is not unheard of for actors to embed malware within a Flutter-based application; however, this is the first we’ve\r\nseen of this attacker using it to go after macOS devices. Though the question remains open whether this was real\r\nmalware or a test for a new way to weaponize malware, we remain vigilant in monitoring for further activity by\r\nthe actor.\r\nIOCs\r\nSource: https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/"
	],
	"report_names": [
		"jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71d5f6f2af96144e5e81aabcaa281c0f629bfa55.pdf",
		"text": "https://archive.orkl.eu/71d5f6f2af96144e5e81aabcaa281c0f629bfa55.txt",
		"img": "https://archive.orkl.eu/71d5f6f2af96144e5e81aabcaa281c0f629bfa55.jpg"
	}
}