{
	"id": "8a1dc55b-039a-48f2-9883-5e19e89406f0",
	"created_at": "2026-04-06T00:19:19.369821Z",
	"updated_at": "2026-04-10T03:36:21.994387Z",
	"deleted_at": null,
	"sha1_hash": "f23ee1269cb8c01631ac7b978beac8aff6d5bff7",
	"title": "APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5979784,
	"plain_text": "APT32 Multi-stage macOS Trojan Innovates on Crimeware\r\nScripting Technique - SentinelLabs\r\nBy Phil Stokes\r\nPublished: 2020-12-02 · Archived: 2026-04-05 18:45:39 UTC\r\nIn the same week as Microsoft disclosed the Vietnamese-linked APT32 (aka “OceanLotus”, “Bismuth”,\r\n“SeaLotus”) group deploying Cryptominer software like a common crimeware adversary, researchers at Trend\r\nMicro released details of an update to an APT32 macOS backdoor that also appears to have been taking lessons\r\nfrom commodity malware authors. The backdoor uses a novel method of delivery that echoes other threat actor\r\ntechniques as well as adds some interesting new behaviour. In this post, we’ll review some of the details in the\r\nearlier report but also add some new IoCs and observations that have not yet been mentioned.\r\nDisguised App Bundle Used for Delivery\r\nThe malware is delivered as an application disguised as an MS Office Word doc.\r\nThe previous research noted that the malware deploys a novel trick to prevent MS Office attempting to launch the\r\ndisguised app as a doc by embedding a unicode character in the file name. This causes launch services to call\r\n“open” on the file rather than the default program for “.doc”.\r\nhttps://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/\r\nPage 1 of 9\n\nOn launch, the malware switches out the malicious application bundle for an actual MS Office doc: the same file\r\nname is used but now minus the hidden Unicode character. After the bait and switch, this doc is launched and\r\npresented to the user.\r\nThe whole trick is invisible to the user, who only sees a document appearing with the same name as the one they\r\ndouble-clicked on. 
Meanwhile, the second stage payload has been deposited in the /tmp folder and begins its run\r\nto install a hidden persistence agent and the third stage malicious executable.\r\nShell Executable Contains Base64-encoded Mach-O\r\nThat trick is accompanied by the borrowing of a technique that has become popular among commodity adware\r\nand malware distributors; namely, using a shell script both as the main executable inside the app bundle and also\r\nas a vehicle to drop an embedded base64-encoded payload.\r\n
Note line 4, which defines a variable with around 850Kb of base64-encoded data. At line 40, that data is piped\r\nthrough the base64 utility for decoding, dropped in a subfolder in the /tmp directory, given executable\r\npermissions via chmod, and then launched as the 2nd stage payload.\r\nImportantly, prior to line 40, the script takes measures to deal with two macOS security features: App\r\nTranslocation and file quarantine. The former was a security feature brought in by Apple to prevent executables\r\naccessing external resources via relative paths and bypassing Gatekeeper checks. However, like Gatekeeper itself,\r\nApp Translocation relies on the executable being tagged with the com.apple.quarantine bit.\r\nIn this case, the script aggressively attempts to remove all quarantine bits and, in the event any of those fail and the\r\nmalware finds itself translocated to a read-only filepath, it then undertakes a hunt for the original downloaded file\r\nvia its MD5 hash and attempts to execute it from its non-translocated path on disk.\r\nSecond Stage Payload’s Hidden Persistence Mechanism\r\nThe second stage payload, once dumped from the encoded base64, is a universal FAT binary containing Mach-Os\r\nfor i386 and x86_64 architectures. The source code was written in C++.\r\n
As earlier research pointed out, this stage is responsible for dropping a persistence agent with the label of\r\n“com.apple.marcoagent.voiceinstallerd” and its program argument, “mount_devfs”.\r\nHowever, we also note that this stage has code for testing the UID and determining whether the executable is\r\nbeing run as root or not. If so, the persistence mechanism is now written to /Library/LaunchDaemons instead of\r\nthe user’s Library/LaunchAgents folder.\r\nIn either case, the program argument is the same, pointing to a custom subfolder in the Library folder called “User\r\nPhotos” and an executable, mount_devfs, which is similarly a universal FAT binary containing Mach-Os written\r\nin C++.\r\nA further point not mentioned in the earlier research is that the Launch Agent or Launch Daemon is written using\r\nthe “Hidden” flag so that users won’t see it in the Finder by default.\r\nThird Stage Payload and Hard-coded Calling Card\r\nAccording to the earlier research, the malicious “mount_devfs” file provides the actors with backdoor capabilities,\r\nwhich include the ability to exfiltrate information as well as download files to the target machine.\r\nFor downloading, the actors make use of the same built-in dylib as we’ve seen used by Lazarus APT,\r\nlibcurl.4.dylib.\r\n
The third stage payload has the ability to collect data regarding the device and its environment, including the\r\ncomputer host name.\r\nCuriously, the sample has two hardcoded strings that presumably are meant as a “calling card” or have some\r\ninternal meaning to the malware developers:\r\n\"JasyndurtheHandoftheKing\"\r\n\"CagliostrothePrecise\"\r\n
Detection and Mitigation\r\nAlthough these samples were unknown to static signature engines prior to the publication of this week’s research,\r\nthe malware was already detectable through behavioral means.\r\nThe first stage attempts to remove the quarantine bit on every file starting from both the User’s Home directory,\r\n~/, and from /. This is incredibly “noisy” from a detection point of view, as no legitimate process is likely to\r\nhave such behavior.\r\nThe 2nd stage payload can trigger detections on MITRE TTPs T1150 and T1160 as it attempts to achieve\r\npersistence.\r\nThe samples’ code signatures have now been revoked by Apple, although it is still possible to execute the malware\r\neither by removing the signature or re-signing it with a different developer ID or ad hoc signature.\r\nDefenders can hunt both for the Team Identifier used to sign the malware, “UD9UN593Z4”, and the bundle\r\nidentifier of the initial malicious application, “com.apple.files”. The persistence mechanism’s label\r\n“com.apple.marcoagent.voiceinstallerd” and executable path “[~]/Library/User Photos/mount_devfs” should also\r\nbe included in the IoCs for threat hunting.\r\nIn our tested sample, the malware C2 was a URL hosted at the domain mihannevis[.]com:\r\nhttp[:]//mihannevis.com/joes/NAZALgEyGj7b3jNYzbypYX8a/manifest[.]js\r\nThe third stage payload is not well-known to static reputation engines as yet, so defenders should look to\r\nbehavioural indicators to ensure detection.\r\n
Conclusion\r\nWhile much macOS malware is often very simply or inexpertly written, the actors behind this multi-stage\r\nbackdoor trojan have both deployed some novel tricks and improved upon techniques seen in commodity malware\r\nsuch as Shlayer and adware like Bundlore. This indicates that they have both the skills and the resources to imitate\r\nand innovate in order to achieve their objectives.\r\n
Indicators of Compromise\r\nSHA1\r\nc2e0b35fd4f24e9e98319e10c6f2f803b01ec3f1 – Application Bundle Zip\r\n9f84502cb44b82415bcf2b2564963613bdce1917 – Stage 2 Mach-O\r\n4f6d34cf187c10d72fb3a2cd29af7e3cb25bc3aa – Stage 3 Mach-O\r\nSHA256\r\ncfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420 – Application Bundle Zip\r\n05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3 – Stage 2 Mach-O\r\nfd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737 – Stage 3 Mach-O\r\nFile Paths\r\n[~]/Library/User Photos/mount_devfs\r\n/Library/LaunchDaemons/com.apple.marcoagent.voiceinstallerd.plist\r\n~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist\r\nC2 Servers\r\nmihannevis[.]com\r\nmykessef[.]com\r\nidtpl[.]org\r\n
Code Signature\r\nIdentifier=com.apple.files\r\nFormat=app bundle with generic\r\nCodeDirectory v=20200 size=159 flags=0x0(none) hashes=1+3 location=embedded\r\nHash type=sha1 size=20\r\nCandidateCDHash sha1=3c6c754b58f4450505494f1b68104d0154d19296\r\nCandidateCDHashFull sha1=3c6c754b58f4450505494f1b68104d0154d19296\r\nHash choices=sha1\r\nCMSDigest=eee562155af89168a52d306f11facca999d84505df789a1d8124d8446c726bc5\r\nCMSDigestType=2\r\nCDHash=3c6c754b58f4450505494f1b68104d0154d19296\r\nSignature size=8576\r\nAuthority=(unavailable)\r\nInfo.plist=not bound\r\nTeamIdentifier=UD9UN593Z4\r\nSealed Resources version=2 rules=12 files=2\r\nhost =\u003e identifier \"com.apple.bash\" and anchor apple\r\ndesignated =\u003e anchor apple generic and identifier \"com.apple.files\" and (certificate leaf[field.1.2.8\r\nMITRE ATT\u0026CK TTPs\r\nProcess achieved persistency through launchd job.  T1150\r\nProcess dropped a hidden suspicious plist to achieve persistency. T1160\r\nSource: https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/"
	],
	"report_names": [
		"apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f86085e-95c5-4007-8bd7-86ad330ce4eb",
			"created_at": "2022-10-25T16:07:24.457008Z",
			"updated_at": "2026-04-10T02:00:04.998531Z",
			"deleted_at": null,
			"main_name": "Bismuth",
			"aliases": [
				"Canvas Cyclone"
			],
			"source_name": "ETDA:Bismuth",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f23ee1269cb8c01631ac7b978beac8aff6d5bff7.pdf",
		"text": "https://archive.orkl.eu/f23ee1269cb8c01631ac7b978beac8aff6d5bff7.txt",
		"img": "https://archive.orkl.eu/f23ee1269cb8c01631ac7b978beac8aff6d5bff7.jpg"
	}
}