{
	"id": "060d6f39-026e-4924-a837-bee9a0f41182",
	"created_at": "2026-04-06T00:06:18.643192Z",
	"updated_at": "2026-04-10T03:28:31.541725Z",
	"deleted_at": null,
	"sha1_hash": "bffac2fd9005c8bd419734471747ba113f016ffa",
	"title": "Lazarus’ MacOS Dacls RAT Shows Multi-Platform Ability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80170,
	"plain_text": "Lazarus’ MacOS Dacls RAT Shows Multi-Platform Ability\r\nPublished: 2020-05-11 · Archived: 2026-04-05 14:48:36 UTC\r\nA one-time password (OTP) system uses a generated password that is valid for a single login to a specific online service. Often managed by a third-party provider, this rolling-password scheme aims to reduce unauthorized access to systems through compromised accounts.\r\nIn April we found an application sample called TinkaOTP that looked like an ordinary OTP authentication tool. Further investigation showed that the application bears a striking resemblance to the Dacls remote access trojan (RAT), a Windows and Linux backdoor that 360 Netlab discovered in December 2019. The strings the trojan uses in its command and control (C\u0026C) communication, including with the group’s sample-storage server, link it to previous deployments by the Lazarus group.\r\nThe Lazarus link\r\nThe TinkaOTP sample is a Disk iMaGe (DMG) containing an application bundle meant to be mounted and run. Launching the app initially revealed no suspicious behavior, but it dropped a hidden file, ~/Library/.mina, in the user’s Library folder, along with a LaunchDaemon, /Library/LaunchDaemons/com.aex-loop.agent.plist, set to run the hidden file at startup.\r\nFigure 1. TinkaOTP dropping a hidden file\r\nA further comparison showed that the main Mach-O executable of the bundle, /Contents/MacOS/TinkaOTP, is a repackaged version of another OTP tool, MinaOTP, an open-source authentication tool available on GitHub.\r\nFigure 2. TinkaOTP (left) and MinaOTP (right, image taken from GitHub)\r\nFigure 3. 
Disassembly of TinkaOTP’s main executable showed direct references to MinaOTP modules, as well as the shell command for copying the malicious hidden file\r\nTracing the origin of the hidden .mina file showed that it is a copy of a resource shipped inside the application bundle, SubMenu.nib, which contains the main backdoor functions. It carries the same links to Lazarus’ Windows and Linux predecessors: the hardcoded strings c_2910.cls and k_3872.cls. Both strings were previously used during C\u0026C communication with the domain thevagabondsatchel[.]com, the group’s sample-storage server, as reported by 360 Netlab researchers.\r\nFigure 4. Strings used to communicate with the C\u0026C\r\nFigure 5. Same HTTP POST message format as the Windows and Linux backdoors\r\nWe also found another variant whose executable downloads the main backdoor payload instead of carrying it. SubMenu.nib is absent from this bundle; the dropper fetches the payload from a hardcoded address and extracts it into the hidden file to be run. The address, loneeaglerecords[.]com, is a domain that has been registered for 11 years, but its HTTPS certificate is fairly recent. The domain resolves to 50[.]87[.]144[.]227, an IP address found to have hosted various kinds of Windows malware such as ADWIND and URSNIF. Despite the different delivery, the hidden payload is the same in both variants.\r\nFigure 6. Payload address of another variant\r\nThe group appears to have made this version as a quick follow-up to the Windows/Linux Dacls RAT variants. 
This was confirmed by matching the latest IP assignment and HTTPS certificate of the download address used by the new variant.\r\nBackdoor and persistence routines\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/\r\nPage 1 of 5\n\nThe backdoor installation sequence shows that it persists via /LaunchAgents/com.aex-loop.agent.plist and /Library/LaunchDaemons/com.aex-loop.agent.plist. It creates the configuration file /Library/Caches/com.applestore.db to hold the C\u0026C server IP addresses and remote session information, then loads the bot plugins, which open a connection to the server and wait for commands. Commands received from the server can update the configuration file, which is encrypted with AES in CBC mode. If the configuration file already exists, it is decrypted when a new session starts.\r\nFigure 7. Related code disassembly for persistence\r\nOnce installed, the backdoor checks whether a configuration file already exists. If not, it creates one and writes setup data such as the C\u0026C server addresses and other C\u0026C session information. The initial C\u0026C server IPs the bot connects to, 67[.]43[.]239[.]146 and 185[.]62[.]58[.]207, are hardcoded in the backdoor file and written to the config file. The config file is then dropped as /Library/Caches/com.applestore.db and encrypted. Once this is complete, the backdoor loads the plugins responsible for specific functions.\r\nFigure 8. Initial server IPs written to the config file. The file may later have the IPs rewritten to the updated address of a new server.\r\nFigure 9. 
Dropping the config file and encrypting with AES CBC\r\nA look into the server IPs also showed that they host legitimate traffic; blocking them outright may have side effects for other sites.\r\nAttack routines upon infection\r\nDuring the initial analysis of the disassembled code, the strings used to load the IPs and plugins appeared to be missing characters. Closer inspection of the first characters showed that these strings were intentionally split, likely an effort to evade detection by string matching.\r\nFigure 10. Evading detection\r\nAfter receiving a response from the server, the backdoor checks the headers to determine which plugins to run, each plugin being templated to load its respective functions on initialization. Comparing the plugins used by the MacOS variant with those of its Windows/Linux counterparts showed some differences and additional capabilities.\r\nFigure 11. Scanning headers\r\nPlugin Name      String               Functions\r\nPlugin_CMD       /bin/bash            Execute received commands; reverse shell capability\r\nPlugin_FILE      plugin_file          Scan directories; download files; open, write, and delete files\r\nPlugin_PROCESS   plugin_process       Collect data on running processes; create process; terminate process\r\nPlugin_TEST      plugin_test          Check network access to a specified address issued by the server\r\nPlugin_RP2Pv     plugin_reverse_p2p   Set up a network proxy between bot and server\r\nPlugin_LOGSEND   logsend              Connect to log server; scan system; send collected logs\r\nPLUGIN_SOCKS     plugin_socks         Start a Socks4 thread to set up an SSL connection\r\nTable 1. Plugin templates and functions\r\nThe bash/cmd plugin executes shell commands by appending them to a bash script and running it in the terminal. Depending on the arguments set in the received packet, it can also start a reverse shell.\r\nFigure 12. The bash/cmd plugin\r\nThe file plugin provides the same functions as in the Windows and Linux variants: it can read, write, delete, and download files, as well as scan a directory for a specific file.\r\nFigure 13. The file plugin\r\nThe process plugin takes its arguments from the received packet and executes functions such as collecting process information, running a new process, and terminating a running one. The process information collected includes the username, user ID, group ID, and parent process ID of the target process.\r\nWhereas the other plugins directly call and execute the function requested by the server’s arguments, the process plugin differs in that the server calls the function indirectly through the plugin itself: the addresses of the process plugin’s functions are resolved first, before execution.\r\nFigure 14. The process plugin\r\nFigure 15. Process plugin formatting the collected information before sending\r\nThe test plugin attempts to connect to a provided address to check network access. The reverse P2P plugin creates a proxy server to bridge the C\u0026C and the client: it opens another connection to a second C\u0026C specified in the commands, which acts as a proxy, redirecting traffic from the infected machine to the real C\u0026C server.\r\nFigure 16. The test plugin\r\nFigure 17. The reverse P2P plugin\r\nThe logsend plugin collects system information by scanning the system with the function start_scan_worm and sends the data to the specified log server. The socks plugin creates a connection via SOCKS4 for Secure Sockets Layer (SSL) transactions. 
This plugin was not observed in the Windows/Linux variants.\r\nFigure 18. The logsend plugin\r\nFigure 19. The socks plugin\r\nConclusion\r\nThe discovery of the Windows/Linux variants and the analysis of this routine show Lazarus’ range of expertise. As noted in a previous Lazarus discovery involving MacOS, this shift toward attacking multiple operating systems indicates an expansion of targets. It also shows that the group is experimenting with capabilities for future campaigns, as highlighted by the additional plugin not observed in similar routines.\r\nNotably, shortly after our first discovery of Lazarus’ interest in MacOS in 2019 via poisoned spreadsheets, the group followed up with a fileless AppleJeus variant, showing rapid development. In this routine, the first variant’s dropper had only one evasion method, copying the payload into a hidden file; the second variant improved on this by downloading the payload instead. While not yet as sophisticated, given how quickly a fileless version of the AppleJeus malware followed, we can expect the group to deploy a similar execution of this routine soon.\r\nWe also suspect that the group may be targeting specific users for bot distribution, taking advantage of users’ need for layered security. OTP authentication tools are also used to manage cryptocurrency wallets and exchanges, another common fraud target of the group. The group might also be expanding to mobile platforms: since the original MinaOTP source includes a separate project called MinaOTP-iOS, the group might be planning to build a repurposed version for mobile. 
We will continue monitoring Lazarus deployments and activities.\r\nTo protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Antivirus for Mac, which provides comprehensive security and multi-device protection against cyberthreats.\r\nEnterprises can take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.\r\nIndicators of Compromise (IOCs)\r\nSHA256    Filename    Detection\r\n846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6    /Contents/Resources/Base.lproj/SubMenu.nib    Backdoor.Ma\r\nd3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd    TinkaOTP.dmg    Backdoor.Ma\r\ne5b842784cc3e9bc0376915d2d823c3e4e076d29b5fb98ea69ff9a56b0f4a54a\r\n216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d\r\n7e8a086319a218732dde5a749afdd9813d3047eaeef511e0374ca64fd8d0d033\r\n899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53\r\nfea0bd961d8d72642a3e1cb92b6ac084a9680eaef816ad414e282f6ea87d52c6    TinkaOTP.app    Backdoor.Ma\r\n7b8792025aacff5dacb3a9121ec2f5bfa33d5932d1f43b9ad0d518c55c6e1298    /Contents/MacOS/TinkaOTP    Backdoor.Ma\r\n90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0\r\nURL\r\nhttps[://]loneeaglerecords[.]com/wp-content/uploads/2020/01/images[.]tgz.001    Malware accomplice\r\nMITRE ATT\u0026CK Framework\r\nThose highlighted in yellow are characteristics observed during analysis, while those in green are possible actions based on observed C\u0026C server commands. 
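\r\nThe following is an added example, not code from the Trend Micro write-up or from the Dacls sample: a Python host sweep that looks for the persistence and configuration artifacts described under Backdoor and persistence routines (the com.aex-loop.agent launchd jobs, the hidden ~/Library/.mina payload and the /Library/Caches/com.applestore.db config file) and matches file hashes against the SHA256 values in the IOC list above. It generalizes the observed technique by flagging any launchd job whose program path contains a dot-prefixed (hidden) component. The function and file names (sweep, build_demo_tree, com.example.updater), the check of the same paths under a user’s home directory, and the constructed temporary directory tree it scans are all assumptions of this example rather than details from the article; the IOC hashes are matched as one set because the flattened table does not preserve which hash belongs to which file.

```python
# Added example (not from the Trend Micro write-up): host sweep for the launchd
# persistence, hidden payload and config artifacts attributed to the macOS Dacls
# dropper, generalized to flag any launchd job that runs a dot-prefixed program.
import hashlib
import os
import plistlib
import tempfile

# SHA256 values from the article's IOC list; the flattened table does not keep
# the hash-to-filename pairing, so they are matched as a set.
IOC_SHA256 = {
    '846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6',
    'd3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd',
    'e5b842784cc3e9bc0376915d2d823c3e4e076d29b5fb98ea69ff9a56b0f4a54a',
    '216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d',
    '7e8a086319a218732dde5a749afdd9813d3047eaeef511e0374ca64fd8d0d033',
    '899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53',
    'fea0bd961d8d72642a3e1cb92b6ac084a9680eaef816ad414e282f6ea87d52c6',
    '7b8792025aacff5dacb3a9121ec2f5bfa33d5932d1f43b9ad0d518c55c6e1298',
    '90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0',
}
IOC_LABEL = 'com.aex-loop.agent'
# Artifact paths from the article, relative to / or (assumption) to a home dir.
IOC_RELPATHS = ('Library/LaunchDaemons/com.aex-loop.agent.plist',
                'Library/LaunchAgents/com.aex-loop.agent.plist',
                'Library/Caches/com.applestore.db', 'Library/.mina')
LAUNCHD_DIRS = ('Library/LaunchDaemons', 'Library/LaunchAgents')
HASH_DIRS = LAUNCHD_DIRS + ('Library/Caches', 'Library')  # top level only

def sha256_of(path):
    with open(path, 'rb') as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def program_of(job):
    # launchd runs ProgramArguments[0] when present, otherwise Program.
    args = job.get('ProgramArguments') or [job.get('Program')]
    return str(args[0]) if args[0] else None

def is_hidden_path(path):
    # True when any path component is dot-prefixed, e.g. ~/Library/.mina
    return any(p.startswith('.') and p not in ('.', '..') for p in path.split('/'))

def sweep(root, home, ioc_hashes=IOC_SHA256):
    # root stands in for /, home for the user profile. Returns sorted
    # (reason, path) tuples so callers can assert on or print them.
    findings = set()
    for base in (root, home):
        for rel in IOC_RELPATHS:
            p = os.path.join(base, rel)
            if os.path.isfile(p):
                findings.add(('known_path', p))
        for rel in LAUNCHD_DIRS:
            d = os.path.join(base, rel)
            for name in (os.listdir(d) if os.path.isdir(d) else []):
                plist_path = os.path.join(d, name)
                try:
                    with open(plist_path, 'rb') as fh:
                        job = plistlib.load(fh)
                except (plistlib.InvalidFileException, ValueError, OSError):
                    findings.add(('unparseable_plist', plist_path))
                    continue
                if job.get('Label') == IOC_LABEL:
                    findings.add(('ioc_label', plist_path))
                prog = program_of(job)
                if prog and is_hidden_path(prog):
                    findings.add(('hidden_program', plist_path))
        for rel in HASH_DIRS:
            d = os.path.join(base, rel)
            for name in (os.listdir(d) if os.path.isdir(d) else []):
                p = os.path.join(d, name)
                if os.path.isfile(p) and sha256_of(p) in ioc_hashes:
                    findings.add(('ioc_hash', p))
    return sorted(findings)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'wb') as fh:
        fh.write(data)

def build_demo_tree():
    # Constructed stand-ins for the dropper's artifacts; not real malware.
    root = tempfile.mkdtemp(prefix='dacls-demo-')
    home = os.path.join(root, 'Users', 'demo')
    payload = os.path.join(home, 'Library', '.mina')
    _write(payload, b'constructed stand-in for the SubMenu.nib copy')
    _write(os.path.join(root, 'Library', 'Caches', 'com.applestore.db'),
           b'constructed stand-in for the AES-CBC encrypted config')
    bad = {'Label': IOC_LABEL, 'ProgramArguments': [payload], 'RunAtLoad': True}
    benign = {'Label': 'com.example.updater', 'RunAtLoad': True,
              'ProgramArguments': ['/usr/local/bin/updater', '--check']}
    _write(os.path.join(root, 'Library', 'LaunchDaemons', IOC_LABEL + '.plist'),
           plistlib.dumps(bad))
    _write(os.path.join(root, 'Library', 'LaunchAgents', 'com.example.updater.plist'),
           plistlib.dumps(benign))
    return root, home

if __name__ == '__main__':
    root, home = build_demo_tree()
    for reason, path in sweep(root, home):
        print(reason, path)
```

Run as a script it reports the constructed tree’s known paths, the IOC label and the hidden program path of the malicious job, and nothing for the benign com.example.updater job; on a real host call sweep('/', os.path.expanduser('~')) instead of build_demo_tree(). The hash check deliberately stays at the top level of the listed directories, since hashing the whole filesystem is slow and the article’s artifacts all sit at those locations.\r\n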
Figure. MITRE ATT\u0026CK framework mapping (image: MITRE_framework_Lazarus_Dacls_RAT_backdoor_MacOS)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/"
	],
	"report_names": [
		"new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability"
	],
	"threat_actors": [
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775791711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bffac2fd9005c8bd419734471747ba113f016ffa.pdf",
		"text": "https://archive.orkl.eu/bffac2fd9005c8bd419734471747ba113f016ffa.txt",
		"img": "https://archive.orkl.eu/bffac2fd9005c8bd419734471747ba113f016ffa.jpg"
	}
}