{
	"id": "da6918cb-ecf9-4e52-a42a-62294e02687e",
	"created_at": "2026-04-06T00:12:36.657847Z",
	"updated_at": "2026-04-10T03:20:26.398603Z",
	"deleted_at": null,
	"sha1_hash": "9d7d4d8e5b349779b18056db1da247c859ef238c",
	"title": "From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6405251,
	"plain_text": "From the Front Lines | Unsigned macOS oRAT Malware Gambles\r\nFor The Win\r\nBy SentinelOne\r\nPublished: 2022-05-09 · Archived: 2026-04-05 22:36:42 UTC\r\nResearchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware\r\nrecently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor\r\nGo malware are uncommon on any platform, including the Mac, the development of such a tool by a previously\r\nunknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising\r\noccurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details\r\nof this novel RAT to understand better how it works and how security teams can detect it in their environments.\r\noRAT Distribution\r\nThe oRAT malware is distributed via a Disk Image masquerading as a collection of Bitget Apps. The disk image\r\ncontains a package with the name Bitget Apps.pkg and the distribution identifier com.adobe.pkg.Bitget.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/\r\nPage 1 of 8\n\nThe disk image and installer package are notable for two reasons: neither has a valid developer signature, and the\r\nlatter doesn’t actually install any files and only contains a preinstall script, a succinct bash shell script whose\r\npurpose is to deliver a payload to the /tmp directory, give the payload executable permissions, and then launch\r\nit.\r\nPrecisely what kind of lure the threat actors use to convince targets to download and launch the dropper is\r\nunknown at this time, but given that the target would need to override default security warnings from Gatekeeper,\r\nit is likely either that the users are sourcing the malware from an environment 
where this is typical (e.g., a third-party software distribution site that regularly delivers unsigned software) or users have been pre-groomed to\r\nbypass Gatekeeper during a social engineering engagement of some kind.\r\nIn either case, the fact that there’s no deliverable from the user’s perspective is a risky gamble on the part of the\r\nthreat actors. After running the installer and finding that it did not provide whatever they were expecting, users are\r\nlikely to become suspicious. This might suggest the campaign was broadly targeted and that the threat actors were\r\nplaying a numbers game, happy to sweep up opportunistic infections as they occurred.\r\nThe oRAT Payload\r\nThings get more interesting when we examine the darwinx64 payload dropped in the /tmp folder. The binary\r\ndoesn’t define any symbols, and listing its sections tells us that the file has been packed with UPX.\r\nPacked files like this are opaque to static analysis, but fortunately standard UPX is very easy to unpack thanks to\r\nthe UPX utility itself. Dumping the strings tells us that it was packed with UPX 3.96, the most recently released\r\nversion available at the time of writing.\r\nThe packed binary is around 3MB in size, but after unpacking we are presented with a massive ~10MB file. Such\r\nlarge file sizes are typical of cross-platform malware, particularly when binaries are compiled in Go, since they\r\ncontain the entire run-time for the language along with a number of supporting libraries.\r\nFortunately, from a reverse engineering perspective, we can easily ignore most of the standard code that is\r\ncommon to all Go binaries and focus on what is unique to the sample at hand. 
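To put the two points above into practice, here is an added triage helper written for this page; it is not part of SentinelOne's analysis and not code from oRAT. It flags a UPX-packed file from the UPX! marker and reads the packer version out of the stub's $Id string, then sorts a symbol list taken from the unpacked binary into standard-library, third-party and custom packages so that the custom ones (the author's own code, such as orat/cmd/agent/app) can be examined first. The sample bytes and the symbol list are constructed for the example; the github.com import paths assumed for smux and quic-go, and the use of the r2 spellings orat_utils and orat_protocol as package names, are assumptions rather than facts from the page.\r\n

```go
package main

import (
	`bytes`
	`fmt`
	`sort`
	`strings`
)

// upxMagic is the marker UPX writes into the header of every file it packs.
var upxMagic = []byte(`UPX!`)

// upxIDPrefix precedes the version number in the UPX stub's $Id string.
const upxIDPrefix = `$Id: UPX `

// IsUPXPacked reports whether the UPX! marker occurs anywhere in the file.
func IsUPXPacked(file []byte) bool {
	return bytes.Contains(file, upxMagic)
}

// UPXVersion returns the version from the stub's $Id string, or an empty
// string when the stub string is absent.
func UPXVersion(file []byte) string {
	i := bytes.Index(file, []byte(upxIDPrefix))
	if i < 0 {
		return ``
	}
	rest := file[i+len(upxIDPrefix):]
	end := bytes.IndexByte(rest, ' ')
	if end < 0 {
		return ``
	}
	return string(rest[:end])
}

// Kind classifies a Go package path found in a symbol name.
type Kind int

const (
	Std        Kind = iota // Go standard library
	ThirdParty             // imported module (first path element is a domain)
	Custom                 // the author's own code, e.g. main or orat/...
)

// goStdRoots is a heuristic list of the first path element of standard-library
// packages that show up in practically every Go binary; it is not the full list.
var goStdRoots = map[string]bool{
	`bufio`: true, `bytes`: true, `context`: true, `crypto`: true, `encoding`: true,
	`errors`: true, `fmt`: true, `internal`: true, `io`: true, `math`: true, `net`: true,
	`os`: true, `reflect`: true, `runtime`: true, `sort`: true, `strconv`: true,
	`strings`: true, `sync`: true, `syscall`: true, `time`: true, `unicode`: true, `vendor`: true,
}

// PackageOf extracts the package path from a Go symbol name, for example
// orat/cmd/agent/app.(*App).Ping gives orat/cmd/agent/app and runtime.main gives runtime.
func PackageOf(sym string) string {
	slash := strings.LastIndex(sym, `/`)
	dot := strings.Index(sym[slash+1:], `.`)
	if dot < 0 {
		return ``
	}
	return sym[:slash+1+dot]
}

// Classify decides whether a package path is standard library, third party or custom.
func Classify(pkg string) Kind {
	root := pkg
	if i := strings.Index(pkg, `/`); i >= 0 {
		root = pkg[:i]
	}
	switch {
	case strings.Contains(root, `.`):
		return ThirdParty
	case goStdRoots[root]:
		return Std
	default:
		return Custom
	}
}

// CustomPackages returns the sorted set of custom package paths in a symbol list
// (r2's afl output or a strings dump), skipping compiler-generated type descriptors.
func CustomPackages(symbols []string) []string {
	seen := map[string]bool{}
	for _, s := range symbols {
		if strings.HasPrefix(s, `type.`) || strings.HasPrefix(s, `go.`) {
			continue
		}
		if pkg := PackageOf(s); pkg != `` && Classify(pkg) == Custom {
			seen[pkg] = true
		}
	}
	out := make([]string, 0, len(seen))
	for pkg := range seen {
		out = append(out, pkg)
	}
	sort.Strings(out)
	return out
}

// samplePacked is a constructed stand-in for the packed darwinx64 file: not a
// Mach-O, only the two stub strings a strings dump of a UPX 3.96 file shows.
var samplePacked = []byte(`...UPX!...$Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $`)

// sampleSymbols is a constructed symbol list modelled on the page's r2 output;
// the github.com paths for smux and quic-go are assumed for illustration.
var sampleSymbols = []string{
	`runtime.main`, `fmt.Println`, `crypto/aes.NewCipher`, `net.(*TCPConn).Write`,
	`github.com/xtaci/smux.(*Session).OpenStream`, `github.com/lucas-clemente/quic-go.DialAddr`,
	`type..eq.orat/cmd/agent/app.App`, `main.main`,
	`orat/cmd/agent/app.(*App).Screenshot`, `orat/cmd/agent/app.(*App).PortScan`,
	`orat_utils.LoadConfig`, `orat_protocol.DialSUDP`,
}

func main() {
	fmt.Println(`UPX packed:`, IsUPXPacked(samplePacked), `version:`, UPXVersion(samplePacked))
	for _, pkg := range CustomPackages(sampleSymbols) {
		fmt.Println(`custom package:`, pkg)
	}
}
```

On a real sample, feed UPXVersion the raw file and CustomPackages the function names from r2's afl listing (or from strings on the unpacked binary). The standard-library root list is only a heuristic: a package whose first path element has no dot and is not in that list is reported as custom, which is exactly what makes the orat packages stand out from the ~10MB of runtime and library code.\r\n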
IDA Pro users can follow the guide linked from the original post; for r2\r\nusers, we can start by printing out a list of the functions flagged with sym._main.\r\nIn Go binaries, the program code entry point is at main.main, and we can work our way through there to see what\r\nother functions, packages and modules are called. Below, we see that the main.main function calls out to another\r\ncustom package, orat_utils.\r\nThe orat_utils package contains several interesting functions and gives us an entry into understanding how the\r\nRAT works.\r\nOf particular interest is the LoadConfig function. This is used to parse a blob of data appended to the binary\r\nwhich turns out to be an encrypted malware configuration. The encrypted data at the end of the unpacked binary\r\noccupies 166 bytes and consists of the data, an AES key, and two bytes representing the entire blob size.\r\nOnce decrypted, the blob turns out to contain configuration data for the malware C2.\r\nAfter the malware decodes the config, it calls into sym._orat_cmd_agent.app and begins a number of loops\r\nthrough sym._orat_protocol.Dial. Depending on the config, it will call one of orat_protocol.DialTCP,\r\norat_protocol.DialSTCP or orat_protocol.DialSUDP to establish a connection. The TCP protocols leverage\r\nsmux while the SUDP protocol leverages QUIC. 
The malware loops with a sleep cycle of 5 seconds as it waits for\r\na response.\r\nThe sym._orat_cmd_agent.app package contains the primary RAT functionality of the malware and defines the following\r\nfunctions:\r\norat/cmd/agent/app.(*App).DownloadFile\r\norat/cmd/agent/app.(*App).Info\r\norat/cmd/agent/app.(*App).Join\r\norat/cmd/agent/app.(*App).KillSelf\r\norat/cmd/agent/app.(*App).NewNetConn\r\norat/cmd/agent/app.(*App).NewProxyConn\r\norat/cmd/agent/app.(*App).NewShellConn\r\norat/cmd/agent/app.(*App).Ping\r\norat/cmd/agent/app.(*App).PortScan\r\norat/cmd/agent/app.(*App).registerRouters\r\norat/cmd/agent/app.(*App).run\r\norat/cmd/agent/app.(*App).Screenshot\r\norat/cmd/agent/app.(*App).Serve\r\norat/cmd/agent/app.(*App).Unzip\r\norat/cmd/agent/app.(*App).UploadFile\r\norat/cmd/agent/app.(*App).Zip\r\nDetecting oRAT in the Enterprise\r\nThe SentinelOne agent detects the oRAT payload as malicious when it is written to disk, protecting SentinelOne\r\ncustomers from this threat.\r\nThe SentinelOne agent also detects the malware on execution.\r\nFor those not protected by the SentinelOne platform, security teams are advised to hunt for artifacts as listed in the\r\nIndicators of Compromise section at the end of this post.\r\nConclusion\r\nThe oRAT malware targets macOS users using a combination of custom-written code and publicly available Go packages.\r\nThe developers are clearly familiar with using sophisticated features of Go for networking and communications,\r\nbut due to the simplistic way the malware dropper was packaged, unsigned and with no observable install to\r\ndistract the victim, it would seem they are less experienced with the challenges of infecting Mac users.\r\nUnfortunately, other threat actors have provided plenty of 
examples from which this new player can learn, and\r\nsecurity teams should expect to see any future campaigns from this actor using more sophisticated droppers.\r\nIndicators of Compromise\r\nFilename                SHA1\r\nbitget-0.0.7 (1).dmg    3f08dfafbf04a062e6231344f18a60d95e8bd010\r\nBitget Apps.pkg         9779aac8867c4c5ff5ce7b40180d939572a4ff55\r\npreinstall              911895ed27ee290bea47bca3e208f1b302e98648\r\ndarwinx64 (packed)      26ccf50a6c120cd7ad6b0d810aca509948c8cd78\r\ndarwinx64 (unpacked)    9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6\r\nPaths\r\n/tmp/darwinx64\r\nSource: https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/"
	],
	"report_names": [
		"from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win"
	],
	"threat_actors": [],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d7d4d8e5b349779b18056db1da247c859ef238c.pdf",
		"text": "https://archive.orkl.eu/9d7d4d8e5b349779b18056db1da247c859ef238c.txt",
		"img": "https://archive.orkl.eu/9d7d4d8e5b349779b18056db1da247c859ef238c.jpg"
	}
}