APT Actors Embed Malware within macOS Flutter Applications
2024-11-12 • Jamf
Jamf Threat Labs found macOS malware samples it assesses as tied to DPRK activity, including Go, Py2App Python and Flutter variants that initially appeared clean on VirusTotal. The Flutter sample was a signed minesweeper-style app, "New Updates in Crypto Exchange (2024-08-28).app", that contacted mbupdate[.]linkpc[.]net, a domain Jamf says has appeared in earlier DPRK malware, to retrieve a second stage. Reversing showed Dart code embedded in the Flutter App dylib and strings indicating osascript support; in testing, the app executed reversed AppleScript returned by the server. Jamf also noted similar Golang and Python variants, temporary Apple notarization for some samples, and infrastructure and techniques overlapping prior DPRK macOS malware, while saying it was unclear whether the samples had been used against victims.
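As an added example (not Jamf's code) of the detection angle this write-up suggests, the following Python scores a captured response body for AppleScript keywords both as received and after reversing it, and flags DNS log lines that resolve the reported domain; the response bodies and log lines are constructed, and only the domain comes from the report.

```python
"""Detection helpers for the reversed-AppleScript second stage described above."""
import re

# Domain named in the report (defanged as in the write-up) and its form for log matching.
REPORTED_C2_DOMAIN = "mbupdate[.]linkpc[.]net"
C2_DOMAIN = REPORTED_C2_DOMAIN.replace("[.]", ".")

# Keywords a plausible AppleScript second stage would contain.
APPLESCRIPT_MARKERS = (
    "tell application",
    "do shell script",
    "display dialog",
    "end tell",
    "osascript",
)


def applescript_score(text: str) -> int:
    """Count distinct AppleScript markers present in text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for marker in APPLESCRIPT_MARKERS if marker in lowered)


def classify_body(body: str) -> str:
    """Return 'applescript', 'reversed-applescript' or 'none' for a response body.

    The Flutter sample ran AppleScript that the server delivered reversed, so the
    body is scored both as received and with its characters reversed.
    """
    forward = applescript_score(body)
    backward = applescript_score(body[::-1])
    if backward > forward:
        return "reversed-applescript"
    if forward >= 1:
        return "applescript"
    return "none"


# Match the domain or any subdomain of it, but not look-alike names containing it.
_DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![\w.-])")


def flag_dns_lines(lines):
    """Return the log lines that resolve the reported C2 domain or a subdomain."""
    return [line for line in lines if _DOMAIN_RE.search(line)]


# Constructed sample data: a plain script, the same script reversed, a JSON body,
# and three DNS log lines (one hit, one benign, one look-alike that must not match).
SAMPLE_BODIES = {
    "plain": 'tell application "Finder" to display dialog "hello"',
    "reversed": 'tell application "Finder" to display dialog "hello"'[::-1],
    "json": '{"status": "ok"}',
}
SAMPLE_DNS_LOG = [
    "2024-08-28T10:00:01Z query A mbupdate.linkpc.net from 10.0.0.5",
    "2024-08-28T10:00:02Z query A updates.example.com from 10.0.0.5",
    "2024-08-28T10:00:03Z query A notmbupdate.linkpc.net.example from 10.0.0.5",
]
```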