MacOS Malware Campaign Showcases Novel Delivery Technique

Published: 23/11/2024   Category: security




Threat actor behind the Activator macOS backdoor is using pirated apps to distribute the malware in what could be a botnet-building operation.



Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users.
What makes the campaign different from numerous others that have employed a similar tactic — such as one reported just earlier this month involving Chinese websites — is its sheer scale and its novel, multistage payload delivery technique. Also noteworthy is the threat actor's use of cracked macOS apps with titles that are of likely interest to business users, so organizations that don't restrict what users download can be at risk as well.
Kaspersky was the first to discover and report on the Activator macOS backdoor in January 2024. A subsequent analysis of the malicious activity by SentinelOne has shown the malware to be running rife through torrents of macOS apps, according to the security vendor.
"Our data is based on the number and frequency of unique samples that have appeared across VirusTotal," says Phil Stokes, a threat researcher at SentinelOne. "In January since this malware was first discovered, we've seen more unique samples of this than any other macOS malware that we [tracked] over the same period of time."
The number of samples of the Activator backdoor that SentinelOne has observed is more than even the volume of macOS adware and bundleware loaders (think Adload and Pirrit) that are supported by large affiliate networks, Stokes says. "While we have no data to correlate that with infected devices, the rate of unique uploads to VT and the variety of different applications being used as lures suggests that in-the-wild infections will be significant."
One potential explanation for the scale of the activity is that the threat actor is attempting to assemble a macOS botnet, but that remains just a hypothesis for the moment, Stokes says.
The threat actor behind the Activator campaign is using as many as 70 unique cracked macOS applications — or free apps with copy protections removed — to distribute the malware. Many of the cracked apps have business-focused titles that could be of interest to individuals in workplace settings. A sampling: Snag It, Nisus Writer Express, and Rhino-8, a surface modeling tool for engineering, architecture, automotive design, and other use cases.
"There are many tools useful for work purposes that are used as lures by macOS.Bkdr.Activator," Stokes says. "Employers that do not restrict what software users can download could be at risk of compromise if a user downloads an app that is infected with the backdoor."
Threat actors seeking to distribute malware via cracked apps typically embed the malicious code and backdoors within the app itself. In the case of Activator, the attacker has employed a somewhat different strategy to deliver the backdoor.  
"Unlike many macOS malware threats, Activator doesn't actually infect the cracked software itself," Stokes says. Instead, users get an unusable version of the cracked app they want to download, and an Activator app containing two malicious executables. Users are instructed to copy both apps to the Applications folder and run the Activator app.
The app then prompts the user for the admin password, which it uses to disable macOS Gatekeeper settings so that applications from outside Apple's official app store can run on the device. The malware then initiates a series of malicious actions that ultimately turn off the system's notifications setting and install a Launch Agent on the device, among other things. The Activator backdoor itself is a first-stage installer and downloader for other malware.
"The multistage delivery process provides the user with the cracked software, but backdoors the victim during the installation process," Stokes says. "This means that even if the user later decided to remove the cracked software, it will not remove the infection."
Sergey Puzan, malware analyst at Kaspersky, points to another aspect of the Activator campaign that is noteworthy. "This campaign uses a Python backdoor that doesn't appear on disk at all and is launched directly from the loader script," Puzan says. "Using Python scripts without any compilers such as pyinstaller is a bit more tricky as it requires attackers to carry a Python interpreter at some attack stage or ensure that the victim has a compatible Python version installed."
Puzan also believes that one potential goal of the threat actor behind this campaign is to build a macOS botnet. But since Kaspersky's report on the Activator campaign, the company has not observed any additional activity, he adds.
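The two host-side traces the article describes (Gatekeeper assessments switched off, and a Launch Agent that hands control to a script interpreter rather than a binary on disk) are straightforward to audit. The script below is an added example written for this article, not code from Kaspersky or SentinelOne; the Activator agent's actual label, path and arguments are not given on the page, so the interpreter-with-inline-code heuristic and the list of world-writable locations are assumptions, not a signature.

```python
"""Audit macOS for Gatekeeper being disabled and for LaunchAgents that
launch inline interpreter code, the two traits described in the article."""
import plistlib
import subprocess
from pathlib import Path

# Assumed heuristic: legitimate LaunchAgents rarely run an interpreter with
# inline code (-c / -e); a loader that keeps its payload off disk would.
SCRIPT_INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")
AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]


def gatekeeper_disabled(spctl_status: str) -> bool:
    """Interpret the text `spctl --status` prints ('assessments enabled|disabled')."""
    return "assessments disabled" in spctl_status.lower()


def classify_agent(data: dict) -> list:
    """Return human-readable findings for one parsed LaunchAgent plist."""
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    findings = []
    if args:
        exe = Path(args[0]).name
        if exe in SCRIPT_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
            findings.append(f"{exe} executes inline code; payload never touches disk")
        if any(a.startswith(WRITABLE_PREFIXES) for a in args):
            findings.append("program lives in a world-writable location")
    if data.get("RunAtLoad") and findings:
        findings.append("RunAtLoad=true: re-launches at every login")
    return findings


def audit(agent_dirs=AGENT_DIRS) -> dict:
    """Scan the LaunchAgent directories and map plist path -> findings."""
    report = {}
    for d in agent_dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                with open(p, "rb") as fh:
                    found = classify_agent(plistlib.load(fh))
            except Exception as exc:  # binary/garbled plists are themselves worth a look
                found = [f"unparseable plist: {exc}"]
            if found:
                report[str(p)] = found
    return report


if __name__ == "__main__":
    st = subprocess.run(["spctl", "--status"], capture_output=True, text=True)
    print("Gatekeeper:", "DISABLED" if gatekeeper_disabled(st.stdout + st.stderr) else "enabled")
    for path, why in audit().items():
        print(path, *("  - " + w for w in why), sep="\n")
```

Run it as the affected user; agents in /Library/LaunchDaemons are out of scope here but can be added to AGENT_DIRS.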
