Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
2020-07-27 • SentinelOne
SentinelOne describes four macOS malware families likely tied to the same North Korean-backed Lazarus operators behind AppleJeus activity. The excerpt highlights DaclsRAT in a trojanized TinkaOTP one-time-password app, which used LaunchAgents or LaunchDaemons for persistence and either bundled or downloaded a disguised Mach-O payload. It also documents newer trojanized cryptocurrency-trading applications such as CoinGoTrade and Cryptoistic, continuing the AppleJeus pattern of luring cryptocurrency users with fake apps and C2-backed loaders. The report is useful for tracking Lazarus tradecraft on macOS, including Swift and Objective-C implants, fake finance/crypto brands, embedded C2 URLs, and rapid iteration across variants.
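The persistence pattern summarised above (a LaunchAgent or LaunchDaemon whose program is a Mach-O payload hidden under a non-executable file name) can be checked for from the defender's side. The script below is an added example, not code from the SentinelOne report: it parses launchd property lists, resolves the program each one runs, and flags any target whose first four bytes are a Mach-O or fat-binary magic while its name ends in an extension no real executable should carry. The default directories are the standard launchd locations; the label `com.example.otp.agent`, the file name `helper.nib` and the extension list are constructed assumptions for the demo.

```python
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat (universal) headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
# Extensions a launchd target should never carry if it is really an executable (assumed list).
NON_EXEC_EXTS = {".nib", ".dat", ".png", ".jpg", ".txt", ".plist", ".xml", ".json"}
# Standard per-user and system launchd item locations.
DEFAULT_LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]

def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic, regardless of its name."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:  # missing file, directory, or permission denied
        return False

def launchd_targets(plist_path):
    """Return (Label, [executables]) that a LaunchAgent/LaunchDaemon plist would run."""
    with open(plist_path, "rb") as f:
        plist = plistlib.load(f)
    targets = [plist["Program"]] if "Program" in plist else []
    args = plist.get("ProgramArguments") or []
    if args and args[0] not in targets:
        targets.append(args[0])
    return plist.get("Label", "<no label>"), targets

def find_disguised_targets(launch_dirs):
    """Flag launchd items whose program is Mach-O content behind a non-executable extension."""
    findings = []
    for d in launch_dirs:
        for plist_path in Path(d).expanduser().glob("*.plist"):
            try:
                label, targets = launchd_targets(plist_path)
            except (plistlib.InvalidFileException, OSError, KeyError):
                continue  # unreadable or malformed plist: skip it, do not abort the sweep
            for t in targets:
                p = Path(t).expanduser()
                if p.suffix.lower() in NON_EXEC_EXTS and is_macho(p):
                    findings.append((label, str(plist_path), str(p)))
    return findings

def demo():
    """Constructed sample: a LaunchAgent whose program is a Mach-O stub named like a .nib file."""
    tmp = Path(tempfile.mkdtemp())
    payload = tmp / "helper.nib"  # constructed name, not an indicator from the report
    payload.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64 as written on disk
    agent = {"Label": "com.example.otp.agent", "ProgramArguments": [str(payload)], "RunAtLoad": True}
    with open(tmp / "com.example.otp.agent.plist", "wb") as f:
        plistlib.dump(agent, f)
    return find_disguised_targets([tmp])

if __name__ == "__main__":
    for label, plist_path, target in demo() + find_disguised_targets(DEFAULT_LAUNCH_DIRS):
        print(f"{label}: {plist_path} -> {target}")
```

Running it as root covers the system directories; the magic check is deliberately name-independent, so renaming a payload does not evade it, but a payload with no suspicious extension is out of scope for this check.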
Indicators of Compromise