{
	"id": "4a9ae816-2407-4197-a060-8756adf0635d",
	"created_at": "2026-04-06T00:20:20.975543Z",
	"updated_at": "2026-04-10T03:21:04.496357Z",
	"deleted_at": null,
	"sha1_hash": "d6f72f772ba5544392d671192c8c39f101e47ad3",
	"title": "Windows App Runs on Mac, Downloads Infostealer, Adware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65847,
	"plain_text": "Windows App Runs on Mac, Downloads Infostealer, Adware\r\nBy Don Ovid Ladores, Luis Magisa\r\nPublished: 2019-02-11 · Archived: 2026-04-05 22:43:14 UTC\r\nUpdate as of 6:00 P.M. PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. We made the corrections in the technical analysis in this post. We would also like to thank Objective Development for clarifying this issue.\r\nUpdate as of 5:00 P.M. PST, February 18, 2019: Further analysis of the sample indicated that it does not bypass the Gatekeeper mechanism as previously reported. We made the necessary changes in the technical analysis in this post. We would also like to thank the Apple Product Security team for reaching out to us to clarify this issue.\r\nEXE is the executable file format used by Windows; it signifies that the file runs only on Windows platforms, which also serves as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.\r\nHowever, we recently found EXE files in the wild delivering a malicious payload on macOS. While no specific attack pattern has been seen, our telemetry showed the highest infection numbers in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.\r\nBehavior\r\nThe samples pose as installers of popular apps and are often available for download from various torrent websites. Examples of the applications they pose as are as follows:\r\nParagon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip\r\nWondershare_Filmora_924_Patched_Mac_OSX_X.zip\r\nLennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip\r\nSylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip\r\nTORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip\r\nLittle_Snitch_583_MAC_OS_X.zip\r\nWhen the downloaded .ZIP file is extracted, it contains a .DMG file hosting the supposed installer of the spoofed app.\r\nFigure 1. Sample of the malicious file\r\nFigure 2. Installer contained in the .DMG sample we analyzed, posing as a legitimate application\r\nInspecting the installer contents, we found an unusual .EXE file bundled inside the app, which we verified to be a Windows executable responsible for the malicious payload.\r\nFigure 3. Suspicious .EXE bundled in the Mac app installer\r\nWhen the installer is executed, the main file also launches the executable, which is made possible by the Mono framework included in the bundle. This framework allows Microsoft .NET applications to run across platforms such as OS X.\r\nOnce run, the malware collects the following system information:\r\nModelName\r\nModelIdentifier\r\nProcessorSpeed\r\nProcessorDetails\r\nNumberofProcessors\r\nNumberofCores\r\nMemory\r\nBootROMVersion\r\nSMCVersion\r\nSerialNumber\r\nUUID\r\nUnder the /Application directory, the malware also scans for all the basic and installed apps and sends all the information to the C\u0026C server:\r\nApp Store.app\r\nAutomator.app\r\nCalculator.app\r\nCalendar.app\r\nChess.app\r\nContacts.app\r\nDVD Player.app\r\nDashboard.app\r\nFaceTime.app\r\nFont Book.app\r\nImage Capture.app\r\niTunes.app\r\nLaunchpad.app\r\nMail.app\r\nMaps.app\r\nMessages.app\r\nMission Control.app\r\nNotes.app\r\nPhoto Booth.app\r\nPhotos.app\r\nPreview.app\r\nQuickTime Player.app\r\nReminders.app\r\nSafari.app\r\nSiri.app\r\nStickies.app\r\nSystem Preferences.app\r\nTextEdit.app\r\nTime Machine.app\r\nUtilitiesiBooks.app\r\nIt downloads the following files from the Internet and saves them to the directory ~/Library/X2441139MAC/Temp/:\r\nhxxp://install.osxappdownload.com/download/mcwnet\r\nhxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg\r\nhxxp://cdn.macapproduct.com/installer/macsearch.dmg\r\nFigure 4. Downloaded files saved in the directory\r\nThese .DMG files are mounted and executed as soon as they are ready, and a PUA is displayed during execution.\r\nFigure 5. One of the downloaded adware samples posing as a popular app\r\nThis malware runs specifically to target Mac users. Attempting to run the sample on Windows displays an error notification.\r\nFigure 6. Error notification when the installer is executed on Windows\r\nCurrently, running an EXE on other platforms has no impact on non-Windows systems such as macOS. A Mono framework installed on the system is required to compile or load these executables and libraries. In this case, however, bundling the framework with the malicious files becomes a workaround that enables EXE files to run on Mac systems. As for the native library differences between Windows and macOS, the Mono framework supports DLL mapping, which maps Windows-only dependencies to their macOS counterparts. Overall, this technique may be used to work around a malicious actor’s limitations in Objective-C coding.\r\nConclusion\r\nWe suspect that this specific malware can be used for future inter-platform attacks, where a single executable can deliver its payload on different operating systems. We believe that the cybercriminals are still studying the development of, and opportunities from, this malware bundled in apps and available on torrent sites. We will continue investigating how cybercriminals can use this information and routine. Users should refrain from downloading files, programs, and software from unverified sources and websites, and install multi-layered protection for their individual and enterprise systems.\r\nTrend Micro Solutions\r\nThe following Trend Micro products detect and block this threat:\r\nTrend Micro Antivirus for Mac\r\nTrend Micro Smart Protection Suites\r\nIndicators of Compromise\r\nMain Executables\r\nFile | SHA256 | Detection\r\nsetup.dmg | c87d858c476f8fa9ac5b5f68c48dff8efe3cee4d24ab11aebeec7066b55cbc53 | TrojanSpy.MacOS.\r\nInstaller.exe | 932d6adbc6a2d8aa5ead5f7206511789276e24c37100283926bd2ce61e840045 | TrojanSpy.Win32.W\r\nOSX64_MACSEARCH.MSGL517 | 58cba382d3e923e450321704eb9b09f4a6be008189a30c37eca8ed42f2fa77af | Adware.MacOS.Ma\r\nchs2 | 3cbb3e61bf74726ec4c0d2b972dd063ff126b86d930f90f48f1308736cf4db3e | Adware.MacOS.GE\r\nInstaller (2) | e13c9ab5060061ad2e693f34279c1b1390e6977a404041178025373a7c7ed08a | Adware.MacOS.GE\r\nmacsearch | b31bf0da3ad7cbd92ec3e7cfe6501bea2508c3915827a70b27e9b47ffa89c52e | Adware.MacOS.Ma\r\nC\u0026C server\r\nhxxp://54.164.144.252:10000/loadPE/getOffers.php\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/"
	],
	"report_names": [
		"windows-app-runs-on-mac-downloads-info-stealer-and-adware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6f72f772ba5544392d671192c8c39f101e47ad3.pdf",
		"text": "https://archive.orkl.eu/d6f72f772ba5544392d671192c8c39f101e47ad3.txt",
		"img": "https://archive.orkl.eu/d6f72f772ba5544392d671192c8c39f101e47ad3.jpg"
	}
}