Russian Cyberspies Use New Mac Malware to Steal Data

Researchers have discovered a new piece of malware used by the Russia-linked threat group known as APT28 to steal sensitive data from Mac devices, including backups and passwords.

APT28 is also tracked as Fancy Bear, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The threat actor has been linked to several high-profile attacks aimed at government and other types of organizations around the world, including the recent election-related hacker attacks in the United States.

APT28 has been known for using an OS X downloader named Komplex, and researchers from Bitdefender and Palo Alto Networks have now come across another Mac malware believed to be part of the group’s arsenal.

XAgent, or X-Agent, is a Trojan used by APT28 in attacks targeting Windows systems. A recently analyzed campaign aimed at Ukraine indicates that the group may have also developed an Android version of XAgent.

Bitdefender and Palo Alto Networks have also identified a macOS version of XAgent, which they believe is downloaded to targeted systems by the Komplex downloader. Both security firms determined, based on binary strings, that Komplex and XAgent were likely created by the same developer.

Once it infects a Mac computer, the malware, which its authors call XAgentOSX, contacts a command and control (C&C) server and waits for instructions. C&C communications are similar to the ones used by the Windows version of XAgent.

XAgentOSX can collect information about the system, running processes and installed applications; download and upload files; execute commands and files; and take screenshots.

The malware also looks for backup files from an iPhone or iPad, which it can exfiltrate using one of the available commands. XAgentOSX can also log keystrokes, allowing the attackers to obtain the victim’s credentials.
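A hunting check for the backup-theft behaviour described above, added here as an example. It is not code from the article, from Bitdefender or from Palo Alto Networks, and it contains no XAgentOSX indicator: it simply scans file-open events for processes outside a small allowlist that read files under the macOS MobileSync folder, which is where iTunes/Finder keep local iPhone and iPad backups. The event format, the allowlist and the placeholder process name `unknown_agent` are assumptions; the sample events are constructed.

```python
"""Hunt for processes that read local iPhone/iPad backups on macOS.

Added example for this article; not code from the article, Bitdefender or
Palo Alto Networks, and it carries no indicators of XAgentOSX itself.
It parses simplified file-open events (constructed below, in a shape an
endpoint sensor such as Endpoint Security or fs_usage could be normalised
into) and flags any non-allowlisted process that opens files under the
MobileSync backup folder.
"""
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Documented location of local iOS device backups, relative to a user's home.
BACKUP_DIR_PARTS = PurePosixPath("Library/Application Support/MobileSync/Backup").parts

# Processes expected to touch backups. Assumption: tune this to your fleet.
ALLOWED_READERS = {"Finder", "iTunes", "AppleMobileBackup", "backupd", "mdworker", "mds"}

# Operations that mean the file contents were opened for reading.
READ_OPS = {"open", "read"}

# Constructed sample feed (JSON lines). "unknown_agent" is a placeholder
# process name, not a real malware binary name. The last line is truncated
# on purpose to exercise the malformed-line handling.
CONSTRUCTED_EVENTS = """\
{"ts": "2017-02-14T09:01:02Z", "proc": "Finder", "pid": 412, "op": "open", "path": "/Users/alice/Library/Application Support/MobileSync/Backup/1a2b3c/Manifest.db"}
{"ts": "2017-02-14T09:01:05Z", "proc": "unknown_agent", "pid": 9031, "op": "open", "path": "/Users/alice/Library/Application Support/MobileSync/Backup/1a2b3c/Manifest.db"}
{"ts": "2017-02-14T09:01:05Z", "proc": "unknown_agent", "pid": 9031, "op": "open", "path": "/Users/alice/Library/Application Support/MobileSync/Backup/1a2b3c/Manifest.plist"}
{"ts": "2017-02-14T09:01:06Z", "proc": "unknown_agent", "pid": 9031, "op": "open", "path": "/Users/alice/Documents/Backup/notes.txt"}
{"ts": "2017-02-14T09:02:00Z", "proc": "mdworker", "pid": 77, "op": "open", "path": "/Users/alice/Library/Application Support/MobileSync/Backup/1a2b3c/Info.plist"}
{"ts": "2017-02-14T09:02:30Z", "proc": "unknown_agent", "pid": 9031, "op": "write", "path": "/tmp/out.bin"}
{"ts": "2017-02-14T09:03:00Z", "proc": "Finder", "pid": 412, "op": "open", "path": "/Users/alice/Li
"""


def is_backup_path(path: str) -> bool:
    """True if path lies under <home>/Library/Application Support/MobileSync/Backup.

    Matching on the path components (not a substring) avoids false hits on
    unrelated folders that merely contain the word "Backup".
    """
    parts = PurePosixPath(path).parts
    n = len(BACKUP_DIR_PARTS)
    return any(parts[i:i + n] == BACKUP_DIR_PARTS for i in range(len(parts) - n + 1))


def parse_events(jsonl: str) -> list:
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these, not silently drop them
    return events


def suspicious_backup_reads(events: list) -> list:
    """Group backup reads by (proc, pid); return those not on the allowlist."""
    touched = defaultdict(list)
    for ev in events:
        if ev.get("op") not in READ_OPS or not is_backup_path(ev.get("path", "")):
            continue
        if ev.get("proc") in ALLOWED_READERS:
            continue
        touched[(ev["proc"], ev["pid"])].append(ev["path"])
    return [
        {"proc": proc, "pid": pid, "files": sorted(set(paths))}
        for (proc, pid), paths in sorted(touched.items())
    ]


if __name__ == "__main__":
    for finding in suspicious_backup_reads(parse_events(CONSTRUCTED_EVENTS)):
        print(f"{finding['proc']}[{finding['pid']}] read {len(finding['files'])} backup file(s):")
        for f in finding["files"]:
            print("   ", f)
```

Run against the constructed feed, the script reports only `unknown_agent` (pid 9031) and the two backup files it opened; the Finder and mdworker reads are allowlisted, the read under `Documents/Backup` does not match the MobileSync path, and the write to `/tmp` is not a read. An allowlist keyed on process name alone is easy to spoof, so a real deployment should key on code-signing identity or binary path instead.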

Bitdefender told SecurityWeek that it does not have any information on XAgentOSX infections and targets, but the company believes the victims are hand-picked in an effort to prevent the exposure of malware samples.

“Most likely, this sample is directed at the same audience that makes the focus of the APT28 group (government, airspace, telecom and e-crime services). It most likely covers the instances in which targets in the respective groups use Macs as work or personal computers,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.

APT28 is a sophisticated threat group whose arsenal includes a wide range of tools, including Linux malware. One of the actor’s favorite Linux tools is Fysbis, an unsophisticated yet efficient backdoor.

Related: Experts Doubt Russia Used Malware to Track Ukrainian Troops

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.