Connect with us

Hi, what are you looking for?



Several New Mac Malware Families Attributed to North Korean Hackers

North Korean-linked threat actor Lazarus has been employing at least four new Mac-targeting malware families in recent attacks, SentinelOne security researchers reveal.

North Korean-linked threat actor Lazarus has been employing at least four new Mac-targeting malware families in recent attacks, SentinelOne security researchers reveal.

Active for over a decade and also referred to as Hidden Cobra, Lazarus has started targeting Macs rather recently, mainly in financially motivated cyberattacks, some targeting cryptocurrency exchanges, such as the AppleJeus campaign.

Some of the most recent malware families that Lazarus has been leveraging in attacks include the macOS version of the DaclsRAT, and the cross-platform MATA framework, which also targets Windows and Linux systems.

In a July 27 report, SentinelOne revealed that a newer version of DaclsRAT was deployed on April 1, on a more recent macOS platform release, “indicating if nothing else that the malware authors were vigilant at keeping up with macOS updates on their own machines, whether virtual or metal-based.”

The malware is distributed as a trojanized one-time-password (OTP) application named TinkaOTP, with two variants observed. One of them carries the payload in the resources folder, while the other downloads it from the command and control (C&C) server.

In addition to the DaclsRAT malware, which appears related to the MATA framework, Lazarus has used in recent months trojanized cryptocurrency-related software, such as CoinGoTrade and Cryptoistic, which are written in Objective-C and Swift, respectively.

Simultaneously with all three new malware variants, Lazarus has started using a lightweight backdoor written primarily in Objective-C and C and referred to as OSX.Casso, which also has a Windows counterpart. The backdoor, SentinelOne says, represents an evolution of the Lazarus-related executable ‘Flash Player’.

More recently, Lazarus appears to have been working with two additional malware families, referred to as WatchCat and MediaRemote, based on observed strings for “” and “,” with detections increasing rapidly over the past 14 days.

Advertisement. Scroll to continue reading.

The samples show code overlaps with previous backdoors and trojanized OTP apps, but “there is also much more to this malware that has not been seen in the other samples, including use of a WebShell and an onboard crc32 table for decrypting a config file,” SentinelOne says. WatchCat, however, has yet to be observed in the wild.

“All of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that threat actors behind the Lazarus group are pursuing several distinct campaigns, using a variety of technologies, and are themselves keeping up-to-date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform,” SentinelOne concludes.

Related: Multi-Platform Malware Framework Linked to North Korean Hackers

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.