Connect with us

Hi, what are you looking for?


Malware & Threats

North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware

North Korea-linked hacking group BlueNoroff/Lazarus was seen using the RustBucket macOS malware in recent attacks.

North Korea-linked BlueNoroff hackers have been observed using a new macOS malware family in recent attacks, cybersecurity firm Jamf reveals.

Dubbed RustBucket and able to fetch additional payloads from its command-and-control (C&C) server, the malware has been attributed to the advanced persistent threat (APT) actor BlueNoroff, which is believed to be a subgroup of the infamous Lazarus hacking group.

As part of the observed attacks, BlueNoroff used stage-one malware contained within the unsigned application ‘Internal PDF’ and designed to fetch and execute the stage-two payload on the system.

According to Jamf’s security researchers, the Internal PDF Viewer application does not appear to be executed unless the user manually overrides Gatekeeper, which suggests that the attackers rely on social engineering to trick victims into initializing the infection chain.

The second-stage payload is a signed application which masquerades as a legitimate Apple bundle identifier. It also displays a decoy PDF to the victim – containing information taken from the website of a legitimate venture capital firm.

The malware begins communication with the C&C server to fetch the stage-three payload, which is a signed trojan written in the Rust language that can run on both ARM and x86 architectures.

The malware can gather system information, including a list of running processes, current time, and whether it is running in a virtual machine, and allows the attacker to perform various actions on the infected machines, Jamf says.

Advertisement. Scroll to continue reading.

Based on the domain used by the stage-one dropper, the use of fake domains impersonating venture capital firms and social engineering schemes similar to a previous BlueNoroff-linked campaign, Jamf believes that the North Korean hackers are behind the RustBucket macOS malware.

“The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the same,” Jamf concludes.

Related: North Korea’s Lazarus Targets Energy Firms With Three RATs

Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist

Related: North Korea APT Lazarus Targeting Chemical Sector

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...