{
	"id": "080c70d9-099b-406c-8541-e10a238fa1e5",
	"created_at": "2026-04-06T00:12:08.368006Z",
	"updated_at": "2026-04-10T03:34:43.882084Z",
	"deleted_at": null,
	"sha1_hash": "a6605e3ec3b957de5d6a5c21605c2201f60bae39",
	"title": "Calisto Trojan for macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 547497,
	"plain_text": "Calisto Trojan for macOS\r\nBy Mikhail Kuzin\r\nPublished: 2018-07-20 · Archived: 2026-04-02 12:30:51 UTC\r\nAn interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the\r\ncreators gradually add new monetization or entrenchment techniques. Also of interest are developmental\r\nprototypes that have had limited distribution or have not even appeared in the wild. We recently came across one such\r\nsample: a macOS backdoor that we named Calisto.\r\nThe malware was uploaded to VirusTotal back in 2016, most likely the same year it was created. But for two\r\nwhole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT\r\nappearing only recently.\r\nMalware for macOS is not that common, and this sample was found to contain some suspiciously familiar\r\nfeatures. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).\r\nPropagation\r\nhttps://securelist.com/calisto-trojan-for-macos/86543/\r\nPage 1 of 9\n\nWe have no reliable information about how the backdoor was distributed. The Calisto installation file is an\r\nunsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose\r\nthe ninth version of the program as cover, a version that is still current.\r\nFor illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded\r\nfrom the official site.\r\nIt looks fairly convincing. The user is unlikely to notice the difference, especially if they have not used the app\r\nbefore.\r\nInstallation\r\nAs soon as it starts, the application presents us with a sham license agreement. 
The text differs slightly from\r\nIntego’s — perhaps the cybercriminals took it from an earlier version of the product.\r\nNext, the “antivirus” asks for the user’s login and password, which is completely normal when installing a\r\nprogram that makes changes to the system on macOS. The difference is that the credentials are typed into the\r\napplication’s own window rather than the system authorization dialog, so the Trojan receives them in the clear.\r\nBut after receiving the credentials, the program hangs briefly before reporting that an error has occurred and\r\nadvising the user to download a new installation package from the official site of the antivirus developer.\r\nThe technique is simple, but effective. The official version of the program will likely be installed with no\r\nproblems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on\r\nwith its mission.\r\nAnalysis of the Trojan\r\nWith SIP enabled\r\nCalisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by\r\nApple back in 2015 alongside the release of OS X El Capitan, SIP is designed to protect critical system files from\r\nbeing modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems\r\nthat its creators simply didn’t take the then-new technology into account. 
However, many users still disable SIP for\r\nvarious reasons; we categorically advise against doing so.\r\nCalisto’s activity can be investigated using its child process log and decompiled code:\r\nLog of commands executed by the Trojan during its operation\r\nHardcoded commands inside the Calisto sample\r\nWe can see that the Trojan uses a hidden directory named .calisto to store:\r\nKeychain storage data\r\nData extracted from the user login/password window\r\nInformation about the network connection\r\nData from Google Chrome: history, bookmarks, cookies\r\nRecall that Keychain stores the passwords and tokens saved by the user, including ones saved in Safari. The login\r\nkeychain is encrypted with a key derived from the user’s login password, which is exactly what the fake installer\r\nhas just collected, so the copied keychain file and the captured password together give the attacker everything\r\nneeded to decrypt it offline.\r\nNext, if SIP is enabled, the Trojan’s attempt to modify system files fails with an error. Its code does not\r\nhandle this failure, so the Trojan simply stops.\r\nError message\r\nWith SIP disabled/not available\r\nObserving Calisto with SIP disabled is far more interesting. 
To begin with, Calisto executes the steps from the\r\nprevious section, but as the Trojan is not interrupted by SIP, it then:\r\nCopies itself to the /System/Library/ folder\r\nSets itself to launch automatically on startup\r\nUnmounts and deletes its DMG image\r\nAdds itself to Accessibility\r\nHarvests additional information about the system\r\nEnables remote access to the system\r\nForwards the harvested data to a C\u0026C server\r\nLet’s take a closer look at the malware’s implementation mechanisms.\r\nAdding itself to startup is a classic technique on macOS, and is done by creating a .plist file in the\r\n/Library/LaunchAgents/ folder with a link to the malware:\r\nThe DMG image is unmounted and deleted via the following command:\r\nTo extend its capabilities, Calisto adds itself to Accessibility by writing directly to the TCC.db database instead of\r\ngoing through the system’s permission prompt. This is bad practice and a clear indicator of malicious activity for\r\nantivirus solutions; on current macOS versions the system TCC.db is itself SIP-protected, so this step only works\r\nbecause SIP is already off at this point. On the other hand, the method requires no user interaction.\r\nAn important feature of Calisto is obtaining remote access to the user’s system. To provide this, it:\r\nEnables remote login\r\nEnables screen sharing\r\nConfigures remote login permissions for the user\r\nAllows remote login for all users\r\nEnables the hidden “root” account in macOS and sets the password specified in the Trojan code\r\nThe commands used for this are:\r\nNote that although the user “root” exists in macOS, it is disabled by default. Because the password is hardcoded\r\nin the sample, every infected machine ends up with the same enabled root account reachable over remote login and\r\nscreen sharing, usable by anyone who has pulled the string out of the binary. Interestingly, after a reboot, Calisto\r\nagain requests user data, but this time waits for the actual root password, which it had itself set earlier\r\n(root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.\r\n
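The artifacts described in the two sections above (the hidden .calisto staging directory, the LaunchAgent persistence pointing into /System/Library/, and the direct edit of TCC.db) can be checked for from the defender’s side. The following Python is an added example written for this page; it is not code from the Securelist article or from the Calisto sample. It runs against constructed inputs: the executable path in the sample plist, the benign plist, the directory listing and the TCC.db rows are all assumptions, and the access table is reduced to the columns the check uses (the real schema differs between macOS versions).

```python
# Added example (not from the Securelist article): host checks for the Calisto
# artifacts the text describes, run here against constructed sample data so
# that it works offline. Paths, the benign plist and the TCC rows are assumed.
import plistlib
import sqlite3
from pathlib import PurePosixPath

STAGING_DIR_NAME = '.calisto'                      # hidden directory from the article
LABEL_FRAGMENTS = ('calisto', 'proton')           # from the string com.proton.calisto.plist
PROTECTED_PREFIX = '/System/Library/'              # writable only with SIP disabled
ACCESSIBILITY_SERVICE = 'kTCCServiceAccessibility'

# Constructed LaunchAgent contents. The label is the one found in the sample;
# the executable path is an assumption, since the article does not print the plist.
SAMPLE_AGENT = plistlib.dumps({
    'Label': 'com.proton.calisto',
    'ProgramArguments': ['/System/Library/.calisto/Calisto'],
    'RunAtLoad': True,
})
BENIGN_AGENT = plistlib.dumps({
    'Label': 'com.example.backup',
    'ProgramArguments': ['/usr/local/bin/backup', '--daily'],
})


def check_launch_agent(plist_bytes):
    '''Return findings for one launchd plist; an empty list means nothing suspicious.'''
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:
        return ['unparseable plist: ' + type(exc).__name__]
    findings = []
    label = str(plist.get('Label', '')).lower()
    if any(frag in label for frag in LABEL_FRAGMENTS):
        findings.append('label matches known fragment: ' + label)
    # launchd takes the executable from Program, or from ProgramArguments[0].
    program = plist.get('Program')
    args = plist.get('ProgramArguments') or []
    executable = program if isinstance(program, str) else (args[0] if args else None)
    if isinstance(executable, str):
        if executable.startswith(PROTECTED_PREFIX):
            findings.append('executable under SIP-protected path: ' + executable)
        if any(part.startswith('.') for part in PurePosixPath(executable).parts):
            findings.append('executable inside a hidden directory: ' + executable)
    return findings


def find_staging_dirs(paths):
    '''Flag any path that passes through a directory named .calisto.'''
    return [p for p in paths if STAGING_DIR_NAME in PurePosixPath(p).parts]


def build_demo_tcc_db():
    '''Constructed in-memory stand-in for TCC.db: one legitimate grant, one planted one.'''
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)')
    conn.executemany('INSERT INTO access VALUES (?, ?, ?, ?)', [
        (ACCESSIBILITY_SERVICE, 'com.apple.Terminal', 0, 1),
        (ACCESSIBILITY_SERVICE, 'com.proton.calisto', 0, 1),   # client name assumed
        ('kTCCServiceMicrophone', 'com.proton.calisto', 0, 0),
    ])
    return conn


def unexpected_accessibility_clients(conn, expected):
    '''Accessibility grants not in the expected set; Calisto inserts its own row directly.'''
    rows = conn.execute('SELECT client FROM access WHERE service = ? AND allowed = 1',
                        (ACCESSIBILITY_SERVICE,))
    return sorted(client for (client,) in rows if client not in expected)


def hunt(agent_blobs, paths, conn, expected_accessibility):
    '''Run all three checks and return only the non-empty results, keyed by source.'''
    report = {}
    for name, blob in agent_blobs.items():
        found = check_launch_agent(blob)
        if found:
            report[name] = found
    staged = find_staging_dirs(paths)
    if staged:
        report['staging'] = staged
    tcc = unexpected_accessibility_clients(conn, expected_accessibility)
    if tcc:
        report['tcc'] = tcc
    return report


if __name__ == '__main__':
    listing = ['/Users/demo/.calisto/keychain', '/Users/demo/Documents/notes.txt']  # constructed
    result = hunt({'com.proton.calisto.plist': SAMPLE_AGENT, 'com.example.backup.plist': BENIGN_AGENT},
                  listing, build_demo_tcc_db(), {'com.apple.Terminal'})
    for key, value in result.items():
        print(key, value)
```

On a real host, feed it the plists under /Library/LaunchAgents and ~/Library/LaunchAgents, a recursive listing of the home directory, and a copy of TCC.db (reading it on current macOS requires Full Disk Access); the expected-clients set should come from a known-good baseline of the same machine image rather than from a list typed in by hand.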
But at the\r\ntime of our research, the server was no longer responding to requests and appeared to be offline:\r\nAttempt to contact the C\u0026C server\r\nStatic analysis of Calisto revealed unfinished and unused additional functionality:\r\nLoading/unloading of kernel extensions for handling USB devices\r\nData theft from user directories\r\nSelf-destruction together with the OS\r\nLoading/unloading of kernel extensions\r\nWorking with user directories\r\nSelf-destruction together with the entire system\r\nConnections with Backdoor.OSX.Proton\r\nConceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:\r\nThe distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton variant was\r\npreviously distributed under the guise of a Symantec antivirus product)\r\nThe Trojan sample contains the string “com.proton.calisto.plist”\r\nLike Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user’s\r\nsystem, including the contents of Keychain\r\nRecall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto\r\nTrojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it\r\ncould well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is\r\nsupported by the large number of unused and not fully implemented functions. 
However, these functions are absent from\r\nlater versions of Proton.\r\nTo protect against Calisto, Proton, and their analogues:\r\nAlways update to the current version of the OS\r\nNever disable SIP (running csrutil status in Terminal confirms it is enabled)\r\nRun only signed software downloaded from trusted sources, such as the App Store\r\nUse antivirus software\r\nMD5\r\nDMG image: d7ac1b8113c94567be4a26d214964119\r\nMach-O executable: 2f38b201f6b368d587323a1bec516e5d\r\nSource: https://securelist.com/calisto-trojan-for-macos/86543/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/calisto-trojan-for-macos/86543/"
	],
	"report_names": [
		"86543"
	],
	"threat_actors": [
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6605e3ec3b957de5d6a5c21605c2201f60bae39.pdf",
		"text": "https://archive.orkl.eu/a6605e3ec3b957de5d6a5c21605c2201f60bae39.txt",
		"img": "https://archive.orkl.eu/a6605e3ec3b957de5d6a5c21605c2201f60bae39.jpg"
	}
}