Stealthy New macOS Backdoor Hides on Chinese Websites

Published: 23/11/2024   Category: security




Modified malware from the Khepri open source project that shares similarities with the ZuRu data stealer harvests data and drops additional payloads.



A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites. The .fseventsd binary bears some resemblance to known malware baddies, but adds a new layer of stealth that sets it apart.
Researchers from Jamf Threat Labs discovered the series of poisoned apps being hosted on the Chinese site macyy[.]cn; they have been modified to communicate with attacker infrastructure, "though it's highly likely they're being hosted on other application-pirating websites as well," Jaron Bradley, director at Jamf Threat, tells Dark Reading.
"These applications are being hosted on Chinese pirating websites in order to gain victims," he wrote in a blog post about the research published Jan. 18. "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine."
Jamf Threat Labs has established that the malware behaves like malicious code from the Khepri open source project, though it appears to be modified to try to make the malware blend in with other processes on the operating system, Bradley says. It does this by renaming itself in case anyone encounters the malware while investigating system processes.
"Otherwise the functionality acts like the Khepri backdoor, allowing the attacker to collect information about the system, download and upload files if the user has granted the permissions, and open a remote shell on the computer," he says.
The researchers initially discovered the malware in the form of an executable named .fseventsd that they noticed while triaging various threat alerts. The executable was notable for being hidden — evidenced by its name starting with a period — and also for using the name of a process built into the OS. It also was not blocked by Apple, nor, at the time, was it flagged as malicious on VirusTotal.
Using VirusTotal, the researchers determined that the .fseventsd binary was originally uploaded as part of a larger DMG file, and that the same backdoor had been planted in three other pirated apps.
An Internet search traced the apps to the Chinese website, which also provides links to many other pirated applications. "We also discovered two additional DMGs trojanized in the same manner that had not yet made their way to VirusTotal," Bradley added.
A deeper analysis of the file found that the malware hidden inside the apps carries out three malicious activities. The first is a malicious dylib, a library loaded by the application that acts as a dropper, executing each time the application is opened. That library subsequently downloads the following two malicious processes: a backdoor binary that uses the Khepri open source command-and-control (C2) and post-exploitation tool, and a downloader that sets up persistence and downloads additional payloads.
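The naming trick described above (a hidden, dot-prefixed executable borrowing the name of a built-in process) lends itself to a simple file-system hunt. The following is an added example written for this article, not Jamf's tooling or code from the research; it assumes a constructed directory tree, and the process names other than fseventsd are assumed extra examples.

```python
import os
import stat
import tempfile

# System process names a dot-prefixed binary might imitate: "fseventsd" is the
# case from the article; "launchd" and "kernel_task" are assumed extra examples.
MIMICKED_NAMES = {"fseventsd", "launchd", "kernel_task"}
# Prefixes under which a genuine system binary would live; elsewhere is suspect.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

def is_executable_file(path):
    """Regular file with an execute bit set; directories (e.g. the legitimate
    /.fseventsd folder at a macOS volume root) are deliberately excluded."""
    st = os.lstat(path)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)

def find_masquerading_files(root):
    """Executables under root named '.' + a system process name, found outside
    the directories where the real binary belongs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue                  # only hidden files are of interest
            if name[1:].lower() not in MIMICKED_NAMES:
                continue                  # hidden, but not imitating a process
            full = os.path.join(dirpath, name)
            if full.startswith(EXPECTED_PREFIXES):
                continue                  # lives where a real copy could
            if is_executable_file(full):
                hits.append(full)
    return sorted(hits)

def build_sample_tree():
    """Throwaway tree with one masquerading binary and two benign hidden files.
    Constructed test data, not artifacts from the article."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "Library", "Application Support", "PiratedApp")
    os.makedirs(app_dir)
    bad = os.path.join(app_dir, ".fseventsd")
    with open(bad, "wb") as fh:
        fh.write(b"#!/bin/sh\necho placeholder\n")  # stand-in, not real malware
    os.chmod(bad, 0o755)
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(b"\x00")                           # hidden, but not a process name
    with open(os.path.join(app_dir, ".fseventsd.log"), "wb") as fh:
        fh.write(b"log")                            # name does not match exactly
    return root, bad
```

Running find_masquerading_files over a user's home or /Library tree surfaces only executables that combine both traits; a match is a lead for triage, not proof of infection.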
The researchers found that the malware shares a few similarities with the ZuRu malware, a previously identified data-stealing malware for macOS that spreads via sponsored search results on Baidu and installs the Cobalt Strike agent on compromised systems.
While the final payloads are different, the two malwares share similarities in the applications that they compromise, the dylib techniques that both use, and the domains that they use for infrastructure, Bradley says.
"However, the final malware that is being dropped is very different from the original ZuRu so it's hard to tell if it's directly related," he says.
Overall, the campaign demonstrates once again the existing risk for the macOS platform from pirated applications, but more importantly outlines the increased frequency of attackers using a malicious library placed within a modified application to compromise users.
"This is a technique that often makes detection and analysis a little more difficult," Bradley tells Dark Reading. "This shows that malware authors are getting more familiar with the macOS operating system and are taking the time to get more stealthy."
To protect the platform, one key mistake macOS enterprises and users should avoid making is the assumption that all Macs are inherently safe, Bradley says. Indeed, there has been a notable and increased targeting of the platform by attackers in the last few years, who are now even creating custom macOS malware, including infostealers that can crack Apple's built-in software protections.
Bradley advised that enterprises use software that both detects and blocks threats on macOS as well as prevents users from visiting websites that are known to be used for hosting pirated software. Further, all macOS users are strongly discouraged from downloading pirated apps, whether at home, while using a corporate VPN, or in the office.
