{
	"id": "b7a66cb1-f48a-4bce-a578-fc5ca11104bd",
	"created_at": "2026-04-06T00:18:48.896895Z",
	"updated_at": "2026-04-10T03:37:49.878896Z",
	"deleted_at": null,
	"sha1_hash": "cf786c3aaf5e14fddba2054cbfdcab65b9736c29",
	"title": "Komplex Mac backdoor answers old questions | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 879175,
	"plain_text": "Komplex Mac backdoor answers old questions | Malwarebytes Labs\r\nBy Thomas Reed\r\nPublished: 2016-09-26 · Archived: 2026-04-05 19:08:29 UTC\r\nA new piece of Mac malware, dubbed Komplex, has been discovered by Palo Alto Networks. Like most other recent Mac malware, it provides a backdoor into the system. Where it gets most interesting, though, isn’t in its capabilities, but in the connections it allows us to make.\r\nThe implementation of Komplex is anything but complex. The end product of infection is nothing more than a launch agent masquerading as an Apple updater and a hidden executable that is kept running by that launch agent. Trivial in execution, trivial to detect, and trivial to remove.\r\nThe details of how the malware gets installed are still partly unknown. Palo Alto provided information about three different “binder” files, executables that begin the process of installing the malware. What isn’t said, however, is how these files get executed on the user’s system.\r\nThose “binders” perform two tasks. The first is to install and run another executable at /tmp/content. The second is to create a PDF file, containing information about the Russian Federal Space Program, in the Downloads folder and open it. This is common behavior among Trojan apps that masquerade as some kind of document: they typically create and open a decoy document in an attempt to keep the user from noticing that anything strange happened.\r\n(I’ve seen a few people under the impression that this is a PDF exploit, but there’s no indication that this is the case at this time.)\r\nThe executable at /tmp/content is the “dropper” that actually installs the malicious payload. That payload consists of the following files:\r\n/Users/Shared/.local/kextd\r\n/Users/Shared/start.sh\r\n~/Library/LaunchAgents/com.apple.updates.plist\r\nThe start.sh file is used to load the launch agent, which in turn ensures that the kextd process is kept running persistently. Note that this file is not Apple’s kextd, the kernel extension daemon that ships with macOS; the name, like the com.apple label on the launch agent, is meant to look legitimate.\r\nAfter the installation is complete, the original “binder,” the /tmp/content file and the start.sh file are all deleted.\r\nAll in all, this is just more of the same old Mac malware. It doesn’t even have quite the same level of backdoor capabilities as most of the new backdoors that have appeared this year. What makes it interesting is the connections it allows us to make with other malware.\r\nPalo Alto makes a connection between this malware and other malware created by the Sofacy Group, an organization known to target governments. Sofacy appears to be a Russian group, possibly funded by the Russian government, and is considered to be involved in the recent Democratic National Committee hacking.\r\nThat’s interesting, but perhaps more fascinating to Mac security folks is an additional connection made with an unnamed piece of malware discovered last year, which was installed via a vulnerability in the MacKeeper app. Little was known about that malware beyond what BAE Systems published.\r\nNow we seem to have the answer to the question of what that malware was. Palo Alto Networks identified a number of compelling code similarities between Komplex and that unnamed malware. Not only does this put a name to the old malware, but it also shows that Sofacy has had its eyes on the Mac for some time now. Interestingly, although the method of infection has changed, not much seems to have changed about the payload, which was also a launch agent tasked with loading an executable file from the /Users/Shared folder.\r\nMalwarebytes Anti-Malware for Mac detects the dropped components as OSX.Komplex.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/"
	],
	"report_names": [
		"komplex-mac-backdoor-answers-old-questions"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf786c3aaf5e14fddba2054cbfdcab65b9736c29.pdf",
		"text": "https://archive.orkl.eu/cf786c3aaf5e14fddba2054cbfdcab65b9736c29.txt",
		"img": "https://archive.orkl.eu/cf786c3aaf5e14fddba2054cbfdcab65b9736c29.jpg"
	}
}
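The persistence mechanism described in the plain_text above (a launch agent labeled com.apple.updates that keeps /Users/Shared/.local/kextd running) is simple enough to triage with a short script. What follows is an added example, not code from the Malwarebytes post, from Palo Alto Networks, or from any Malwarebytes product: it checks a launch agent plist for the exact indicators the post names and for the pattern behind them (an Apple-branded label in a per-user LaunchAgents folder whose program lives in a hidden or world-writable location). The sample plists are constructed; the launchd keys Komplex actually used (RunAtLoad, KeepAlive) and the "Apple-branded label outside Apple paths" heuristic are assumptions, not facts from the post.

```python
"""Added example (not from the Malwarebytes post): triage macOS launch agents for
Komplex-style persistence.  The post names ~/Library/LaunchAgents/com.apple.updates.plist
keeping /Users/Shared/.local/kextd alive; this checks for those indicators and for the
general pattern.  Sample plists are constructed; the RunAtLoad/KeepAlive keys and the
Apple-label heuristic are assumptions.
"""
import os
import plistlib
from pathlib import PurePosixPath
from typing import Callable, List, Optional

# Dropped components named in the post.  start.sh is deleted after install, so on a
# live system only kextd (and the plist itself) are expected to remain.
KOMPLEX_PATHS = ("/Users/Shared/.local/kextd", "/Users/Shared/start.sh")
KOMPLEX_LABEL = "com.apple.updates"

# Locations from which Apple's own launchd jobs run programs.  A com.apple.* label
# pointing anywhere else deserves a look.  (Assumption: a heuristic, not an Apple list.)
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample matching the post's description of the Komplex launch agent.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.local/kextd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent: a third-party app keeping its own helper alive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>Program</key><string>/Applications/Sync.app/Contents/MacOS/Sync</string>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def program_of(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot (e.g. .local)."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def triage_launch_agent(plist_bytes: bytes, location: str) -> List[str]:
    """Findings for one launch agent plist; an empty list means nothing suspicious.
    `location` is the directory the plist came from, so a per-user LaunchAgents
    folder (where Komplex installs) can be told apart from a system one."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException for non-plists, expat errors for bad XML
        return ["plist could not be parsed"]
    label = job.get("Label", "")
    prog = program_of(job)
    in_user_agents = location.startswith("/Users/") and location.endswith("/Library/LaunchAgents")

    findings = []
    if label == KOMPLEX_LABEL:
        findings.append(f"label matches Komplex indicator: {label}")
    if prog in KOMPLEX_PATHS:
        findings.append(f"program matches Komplex indicator: {prog}")
    if prog:
        if label.startswith("com.apple.") and in_user_agents and not prog.startswith(APPLE_PROGRAM_PREFIXES):
            findings.append(f"Apple-branded label in user LaunchAgents runs non-Apple program {prog}")
        if has_hidden_component(prog):
            findings.append(f"program sits in a hidden directory: {prog}")
        if prog.startswith("/Users/Shared/"):
            findings.append("program lives in world-writable /Users/Shared")
    # Persistence flags are normal on their own; report them only as context for a hit.
    if findings and (job.get("KeepAlive") or job.get("RunAtLoad")):
        findings.append("launchd will (re)start the program automatically")
    return findings


def surviving_artifacts(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Which of the post's dropped file paths are present; exists() is injectable for tests."""
    return [p for p in KOMPLEX_PATHS if exists(p)]


if __name__ == "__main__":
    # Demo on the constructed sample, then a real pass over the current user's agents.
    print(triage_launch_agent(SAMPLE_PLIST, "/Users/alice/Library/LaunchAgents"))
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents_dir):
        for name in sorted(os.listdir(agents_dir)):
            if name.endswith(".plist"):
                with open(os.path.join(agents_dir, name), "rb") as fh:
                    hits = triage_launch_agent(fh.read(), agents_dir)
                if hits:
                    print(name + ": " + "; ".join(hits))
    for path in surviving_artifacts():
        print("artifact present: " + path)
```

Run it on a Mac as the affected user; the per-user path check only fires for directories under /Users, so on other systems the demo output for the constructed sample is the useful part. The exact-match indicators are what the post supports; the generic checks are there because, as the post notes, the earlier Sofacy Mac payload used the same shape (a launch agent loading a program from /Users/Shared) with different names.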