Iranian Hackers Use Mac Malware to Steal Data

A cyber espionage group linked to Iran has been using an unsophisticated piece of malware named MacDownloader to steal credentials and other data from Mac computers.

The malware was analyzed by Claudio Guarnieri and Collin Anderson, researchers specializing in Iranian surveillance and espionage campaigns targeting human rights, foreign policy and civil society entities.

MacDownloader, disguised by attackers as a Flash Player update and a Bitdefender adware removal tool, was created towards the end of 2016. Much of the code has been copied from other sources and experts believe this could be an amateur developer’s first attempt at creating a piece of malware.

When Guarnieri and Anderson conducted their analysis, none of the security products on VirusTotal detected the malware. At the time of writing, nearly a dozen vendors have flagged the fake Flash Player and Bitdefender apps as malicious.

MacDownloader was first spotted on a fake website impersonating aerospace firm United Technologies Corporation, which had previously delivered Windows malware. The same host had also been used to deploy the Browser Exploitation Framework (BeEF) on sites apparently belonging to the U.S. Air Force and a dental office.

While the attacks observed by Guarnieri and Anderson appear to be targeted at the defense industrial base sector, the experts are aware of reports that the malware has also been used against a human rights advocate.

Evidence suggests that the macOS malware is tied to Charming Kitten, aka Newscaster and NewsBeef, an Iranian threat actor known for creating fake personas on social networking websites in an effort to harvest information from targeted individuals in the US, Israel, the UK, Saudi Arabia and Iraq. Charming Kitten is also known for using BeEF.

Once it infects a device, the malware harvests information about the system, including processes and applications, and collects passwords stored in the Keychain. The Windows malware used by the group is similar, collecting saved credentials and browser history from Chrome and Firefox.

While its code shows that the developers of MacDownloader have attempted to implement remote update and persistence capabilities, these mechanisms don’t appear to be functional.

Researchers have found links between MacDownloader and other threat actors believed to be located in Iran, including the Iran Cyber Security Group, which specializes in defacing websites, and Flying Kitten (aka Rocket Kitten), which is known for targeting organizations in the Middle East and NATO countries.

Related: Iranian Telegram Accounts Compromised

Related: Iran-linked Hackers Used “Infy” Malware in Attacks Since 2007

Related: Iranian-Sponsored Hackers Hit Critical Infrastructure Companies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
