Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.
Believed to be backed by the North Korean government, Lazarus has been active since at least 2009, orchestrating various high-profile attacks, including numerous assaults on cryptocurrency entities.
Also referred to as Hidden Cobra, Lazarus is believed to comprise multiple subgroups, the activities of which often overlap, the same as their tools.
Over the past couple of years, Lazarus has been targeting various entities – including defense and governmental organizations and companies in the chemical sector – with fake job offers and sophisticated social engineering.
ESET now warns that Lazarus is once again relying on fake job offerings for the distribution of malware, as a continuation of an attack detailed in May, which relied on similar decoy documents for the distribution of Windows and macOS malware.
“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac,” ESET said on Twitter.
Targeting both Intel and Apple chips, the malware was designed to drop three files on the victim’s machine, including a decoy PDF document, a bundle package, and a downloader named ‘safarifontagent’.
The bundle has a signing timestamp of July 21, which suggests that it was built to be part of a new instance of the campaign. The certificate used to sign it, however, was issued in February 2022 to developer ‘Shankey Nohria’.
“The application is not notarized and Apple has revoked the certificate on August 12,” ESET notes.
According to the security firm, the downloader was designed to reach out to a remote command-and-control (C&C) server, but the researchers could not retrieve a payload from it.
Earlier this month, security researchers observed a Windows counterpart of the malware, which would drop the exact same decoy document.
Related: US Offers $10 Million for Information on North Korean Hackers
Related: U.S. Details North Korean Malware Used in Attacks on Defense Organizations
Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Security Pros: Before You Do Anything, Understand Your Threat Landscape

