TodoSwift Disguises Malware Download Behind Bitcoin PDF
2024-08-16 • Kandji •
https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf
Kandji analyzed TodoSwift, a code-signed macOS dropper written in Swift/SwiftUI that was uploaded to VirusTotal on 2024-07-24. Kandji assesses it as likely tied to DPRK-linked BlueNoroff activity because its tradecraft overlaps with the earlier KandyKorn and RustBucket samples. The application, named TodoTasks, opens a Bitcoin-themed PDF lure in front of the user while its document window-controller code prepares two embedded URLs: one points to a Google Drive download, a hosting choice seen before in DPRK malware, and the other points to buy2x.com, from which the second-stage payload is fetched. The report concentrates on this dropper logic, which hides the malware download and execution behind an ordinary-looking PDF-viewing workflow, rather than on a full intrusion chain. Because the dropper carries a valid signature, a signature check alone is not a useful trust signal here; hunting should key on the network indicators and file hashes below.
Indicators of Compromise
The hash values and the URL below are truncated as printed here; retrieve the full values from the linked Kandji report before loading them into a blocklist or detection rule.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | buy2x.com | 2024-08-16 | 2025-01-20 |
| HASH | 9b839e9169babff1d14468d9f8497c1… | 2024-08-16 | 2024-08-16 |
| HASH | f1b3ce96462027644f9caa314d3da74… | 2024-08-16 | 2024-08-16 |
| HASH | a55029c963ff454e42483b9b6f0293d… | 2024-08-16 | 2024-08-16 |
| HASH | 9623c98f7338d56b07b35cd379e31e6… | 2024-08-16 | 2024-08-16 |
| HASH | e09d2277a19dddd751edb164bde0646… | 2024-08-16 | 2024-08-16 |
| HASH | c52e3e73d7870bf8edc1b9ae52b26c0… | 2024-08-16 | 2024-08-16 |
| URL | http://buy2x.com/OcMySY5QNkY/AB… | 2024-08-16 | 2024-08-16 |
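The table above is what most readers will actually act on, so here is a small matcher that consumes these rows as printed and runs them over endpoint and network telemetry. This is an added example, not Kandji's code or tooling. It assumes a simple key=value log format with `qname`, `url` and `sha256` fields (the page does not name the hash algorithm; sha256 is an assumption for the log field only), it treats the truncated hashes and URL as prefixes rather than filling them in, it collapses the duplicated hash row, and the sample log lines, including the zero-padded hash, are constructed and are not the real sample's values.

```python
"""Match the TodoSwift IOC rows above against key=value telemetry (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed copy of the page's IOC rows, kept exactly as printed there:
# the hashes and the URL end in "…", so they are matched as prefixes, never completed.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | buy2x.com | 2024-08-16 | 2025-01-20 |
| HASH | 9b839e9169babff1d14468d9f8497c1… | 2024-08-16 | 2024-08-16 |
| HASH | f1b3ce96462027644f9caa314d3da74… | 2024-08-16 | 2024-08-16 |
| HASH | a55029c963ff454e42483b9b6f0293d… | 2024-08-16 | 2024-08-16 |
| HASH | 9623c98f7338d56b07b35cd379e31e6… | 2024-08-16 | 2024-08-16 |
| HASH | e09d2277a19dddd751edb164bde0646… | 2024-08-16 | 2024-08-16 |
| HASH | c52e3e73d7870bf8edc1b9ae52b26c0… | 2024-08-16 | 2024-08-16 |
| HASH | a55029c963ff454e42483b9b6f0293d… | 2024-08-16 | 2024-08-16 |
| URL | http://buy2x.com/OcMySY5QNkY/AB… | 2024-08-16 | 2024-08-16 |
"""


@dataclass(frozen=True)
class Ioc:
    kind: str   # DOMAIN, HASH or URL
    value: str  # exactly as printed, possibly ending in "…"

    @property
    def truncated(self) -> bool:
        return self.value.endswith("…")

    @property
    def prefix(self) -> str:
        return self.value.rstrip("…")


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse markdown IOC rows, skipping the header/separator and exact duplicate rows."""
    seen, iocs = set(), []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue
        ioc = Ioc(cells[0].upper(), cells[1])
        if ioc not in seen:
            seen.add(ioc)
            iocs.append(ioc)
    return iocs


def _host_in_domain(host: str, domain: str) -> bool:
    # Exact match or any subdomain; tolerate a trailing dot from DNS logs.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def ioc_matches(ioc: Ioc, rec: dict[str, str]) -> bool:
    """Compare one parsed log record against one indicator."""
    if ioc.kind == "DOMAIN":
        host = rec.get("qname") or (urlsplit(rec["url"]).hostname if "url" in rec else None)
        return bool(host) and _host_in_domain(host, ioc.value.lower())
    if ioc.kind == "URL":
        url = rec.get("url", "")
        return url.startswith(ioc.prefix) if ioc.truncated else url == ioc.value
    if ioc.kind == "HASH":
        h = rec.get("sha256", "").lower()   # assumed field name; page does not state the algorithm
        p = ioc.prefix.lower()
        # A 31-hex-char prefix will not collide by chance, but confirm any prefix hit
        # against the full hash from the source report before acting on it.
        return bool(h) and (h.startswith(p) if ioc.truncated else h == p)
    return False


def parse_log_line(line: str) -> dict[str, str]:
    """Constructed key=value telemetry format; one record per line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan(lines: list[str], iocs: list[Ioc]) -> list[tuple[int, list[str]]]:
    """Return (line index, [matching 'KIND:value']) for every line that hits at least one IOC."""
    results = []
    for i, line in enumerate(lines):
        rec = parse_log_line(line)
        hits = [f"{ioc.kind}:{ioc.value}" for ioc in iocs if ioc_matches(ioc, rec)]
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: mac-042 shows the buy2x.com contact pattern, mac-077 is benign.
# The sha256 on mac-042 is the page's printed prefix padded with zeros; it is NOT the real hash.
SAMPLE_LOGS = [
    "ts=2024-08-20T10:01:02Z type=dns host=mac-042 qname=buy2x.com",
    "ts=2024-08-20T10:01:03Z type=http host=mac-042 url=http://buy2x.com/OcMySY5QNkY/AB7xyz",
    "ts=2024-08-20T10:01:05Z type=file host=mac-042 sha256=9b839e9169babff1d14468d9f8497c1" + "0" * 33,
    "ts=2024-08-20T10:02:00Z type=dns host=mac-077 qname=drive.google.com",
    "ts=2024-08-20T10:03:00Z type=http host=mac-077 url=http://notbuy2x.com/OcMySY5QNkY/AB",
    "ts=2024-08-20T10:03:10Z type=file host=mac-077 sha256=" + "f" * 64,
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f"{SAMPLE_LOGS[idx]}\n    -> {', '.join(hits)}")
```

Two design points matter in practice. The domain check must not be a substring test, or `notbuy2x.com` would alert; matching on the host label boundary avoids that. And because the Google Drive URL is not published on the page, `drive.google.com` traffic is deliberately not an indicator here; it is far too common to block on without the specific file ID from the report.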