{ "id": "bb4bfc4d-6dc9-4991-928e-9adccb665ffd", "created_at": "2026-04-06T00:11:58.32052Z", "updated_at": "2026-04-10T03:36:33.881979Z", "deleted_at": null, "sha1_hash": "e6f3c0119eb27367d5fdd913d4962e0e7beeda03", "title": "BlueNoroff: new Trojan attacking macOS users", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1005169, "plain_text": "BlueNoroff: new Trojan attacking macOS users\r\nBy Sergey Puzan\r\nPublished: 2023-12-05 · Archived: 2026-04-05 20:19:10 UTC\r\nMalware descriptions\r\nMalware descriptions\r\n05 Dec 2023\r\n 3 minute read\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 1 of 9\n\nWe recently discovered a new variety of malicious loader that targets macOS, presumably linked to the\r\nBlueNoroff APT gang and its ongoing campaign known as RustBucket. The threat actor is known to attack\r\nfinancial organizations, particularly companies, whose activity is in any way related to cryptocurrency, as well as\r\nindividuals who hold crypto assets or take an interest in the subject. Information about the new loader variant first\r\nappeared in an X (formerly Twitter) post.\r\nOriginal X (formerly Twitter) post about the new loader\r\nEarlier RustBucket versions spread its malicious payload via an app disguised as a PDF viewer. By contrast, this\r\nnew variety was found inside a ZIP archive that contained a PDF file named, “Crypto-assets and their risks for\r\nfinancial stability”, with a thumbnail that showed a corresponding title page. The metadata preserved inside the\r\nZIP archive suggests the app was created on October 21, 2023.\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 2 of 9\n\nApp structure\r\nDocument thumbnail\r\nExactly how the archive spread is unknown. The cybercriminals might have emailed it to targets as they did with\r\npast campaigns.\r\nThe app had a valid signature when it was discovered, but the certificate has since been revoked.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\nSignature #1: Valid\r\n    Chain   #1:\r\n      Verified:           True\r\n      Serial:               6210670360873047962\r\n      Issuer:              CN=Developer ID Certification Authority,OU=Apple Certification\r\nAuthority,O=Apple Inc.,C=US\r\n      Validity:            from = 20.10.2023 3:11:55\r\n                                 to = 01.02.2027 22:12:15\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 3 of 9\n\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n      Subject:            UID=2C4CB2P247,CN=Developer ID Application: Northwest Tech-Con Systems\r\nLtd (2C4CB2P247),OU=2C4CB2P247,O=Northwest Tech-Con Systems Ltd,C=CA\r\n      SHA-1 Fingerprint:   da96876f9535e3946aff3875c5e5c05e48ecb49c\r\n      Verified:          True\r\n      Serial:              1763908746353189132\r\n      Issuer:             C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA\r\n      Validity:            from = 01.02.2012 22:12:15\r\n                                 to = 01.02.2027 22:12:15\r\n      Subject:             CN=Developer ID Certification Authority,OU=Apple Certification\r\nAuthority,O=Apple Inc.,C=US\r\n      SHA-1 Fingerprint:   3b166c3b7dc4b751c9fe2afab9135641e388e186\r\n      Verified:            True (self-signed)\r\n      Serial:                2\r\n      Issuer:               C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA\r\n      Validity:            from = 25.04.2006 21:40:36\r\n                                 to = 09.02.2035 21:40:36\r\n      Subject:             C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA\r\n      SHA-1 Fingerprint:   611e5b662c593a08ff58d14ae22452d198df6c60\r\nApp signature details\r\nWritten in Swift and named “EdoneViewer”, the executable is a universal format file that contains versions for\r\nboth Intel and Apple Silicon chips. Decryption of the XOR-encrypted payload is handled by the main function,\r\nCalculateExtameGCD. While the decryption process is running, the app puts out unrelated messages to the\r\nterminal to try and lull the analyst’s vigilance.\r\nThe decrypted payload has the AppleScript format:\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 4 of 9\n\nAppleScript code executed after the payload is deciphered\r\nThe script assembles and runs the following shell command:\r\nShell command\r\nOnce assembled, the shell command goes through the following steps:\r\nDownloads a PDF file, save it at /Users/Shared/Crypto-assets and their risks for financial stability.pdf, and\r\nopens it. This is a benign file launched as a diversion.\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 5 of 9\n\nTitle page of the PDF decoy\r\nSends a POST request to the server and saves the response to a hidden file named “.pw” and located at\r\n/Users/Shared/.\r\nGrants permissions to the file and executes it with the C\u0026C address as an argument.\r\nThe C\u0026C server is hosted at hxxp://on-global[.]xyz, a domain name registered fairly recently, on October 20,\r\n2023. We were unable to find any links between the domain and any other files or threats.\r\nThe .pw file is a Trojan we detected back in August. Like the loader, this is a universal format file:\r\nDetails of the .pw file\r\nThe file collects and sends the following system information to the C\u0026C:\r\nComputer name\r\nOS version\r\nTime zone\r\nDevice startup date\r\nOS installation date\r\nCurrent time\r\nList of running processes\r\nThe data is collected and forwarded in cycles every minute. The Trojan expects one of the following three\r\ncommands in response:\r\nCommand # Description\r\n0x0 Save response to file and run\r\n0x1 Delete local copy and shut down\r\nAny other number Keep waiting for command\r\nAfter receiving a 0x0 command, the program saves data sent with the command to the shared file named “.pld”\r\nand located at /Users/Shared/, gives it the read/write/run permissions and executes it:\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 6 of 9\n\nCode snippet that writes and runs the downloaded file\r\nUnfortunately, we did not receive a single command from the server during our analysis, so we were unable to\r\nfind out the content of the following attack stage. The Trojan can now be detected by most anti-malware solutions:\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 7 of 9\n\nDetails of the second download as posted on VirusTotal\r\nIndicators of compromise\r\nFiles\r\nLinks\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 8 of 9\n\nLatest Posts\r\nLatest Webinars\r\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/bluenoroff-new-macos-malware/111290/\r\nhttps://securelist.com/bluenoroff-new-macos-malware/111290/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://securelist.com/bluenoroff-new-macos-malware/111290/" ], "report_names": [ "111290" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434318, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e6f3c0119eb27367d5fdd913d4962e0e7beeda03.pdf", "text": "https://archive.orkl.eu/e6f3c0119eb27367d5fdd913d4962e0e7beeda03.txt", "img": "https://archive.orkl.eu/e6f3c0119eb27367d5fdd913d4962e0e7beeda03.jpg" } }