Increasing Threats to macOS Users from Pirated Software and Malware

Recent investigations by cybersecurity experts have uncovered a worrying trend targeting Apple macOS users. Pirated applications, primarily hosted on Chinese websites, have been found to contain sophisticated backdoors enabling attackers to gain remote control of infected machines. This malicious software, disguised within popular applications like Navicat Premium, UltraEdit, and Microsoft Remote Desktop, poses a significant threat to unsuspecting users.

Modus Operandi of the Attackers

  • Pirated Application Distribution: The malicious applications are distributed via Chinese pirating websites. Once downloaded and opened, they trigger the malware.
  • Malware Components and Execution: The malware includes a dropper component, a backdoor, and a downloader. The dropper executes every time the pirated application is opened, fetching the backdoor and downloader from a remote server.
  • Persistence and Stealth: The backdoor and downloader are designed to establish persistence on the victim’s machine and operate stealthily. The backdoor, built on an open-source post-exploitation toolkit named Khepri, is located in a temporary directory, which means it’s deleted upon system shutdown but recreated upon re-opening the pirated application.
  • Targeted Applications and Similarities to Past Malware: The targeted applications and the methods used show similarities to the previously known ZuRu malware, suggesting a possible evolution of this threat.

Uncovered Malware Campaigns and Techniques

Cybersecurity firm Kaspersky Labs has discovered a new strain of malware that specifically targets macOS versions 13.6 and above. This malware infiltrates systems through pirated software, replacing legitimate Bitcoin and Exodus wallets with infected versions. It gains access to user credentials and private keys to crypto wallets, posing a significant financial threat.

  • Development and Preparation for New Campaigns: Hackers are currently refining this malware for an upcoming campaign.
  • Infiltration Techniques: The malware is transmitted through compromised apps downloaded from unauthorized sources. Users inadvertently assist in the malware installation by disabling security features to run the pirated software.
  • Avoiding the Unfolding Malware Campaign: Users can protect themselves by using trusted websites, keeping their systems updated, and employing robust security solutions.

Additional Hacker Tactics

  • Disguising Malware: Hackers have been known to disguise malware as legitimate wallets on online stores or create fake websites for this purpose.
  • Warnings from Authorities: The United States Federal Bureau of Investigation has issued warnings about such deceptive practices.
  • Notable Hacker Groups: Groups like the North Korean Lazarus Group have been implicated in similar malware campaigns targeting macOS users in the decentralized finance community.

Investigations and Findings by Security Researchers

Researchers from Jamf Threat Lab, led by Ferdous Saljooki and Jaron Bradley, have conducted extensive investigations into these cybersecurity threats. They discovered executable files posing as legitimate macOS processes, which are actually trojan-like malware hidden in pirated macOS applications.

  • Discovery of Modified Disk Images: The researchers found disk images containing altered code of commonly pirated applications.
  • Malware Activities and Capabilities: The .fseventsd binary in these applications performs multiple malicious activities, including loading a malicious dylib, downloading a backdoor, and setting up persistence mechanisms. The Khepri backdoor allows attackers to collect information, manipulate files, and establish remote control.
  • Temporary Nature of the Malware: Despite its sophisticated operations, the malware lives in temporary files, so it is deleted upon system reboot but starts again when the pirated application is re-launched.
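
A defender can check an application bundle for the pattern described above, a hidden executable with a system-sounding name such as .fseventsd. The following is an added example, not code from Jamf Threat Lab or this article; it assumes that any dot-prefixed Mach-O file inside a bundle deserves review, and the helper names and the sample bundle are constructed for illustration.

```python
import os
import tempfile

# First four bytes of a Mach-O file as stored on disk. The universal (fat)
# magic is shared with Java class files, so a hit is a lead, not a verdict.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, both byte orders
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}

def is_macho(path):
    """True if the file starts with a Mach-O magic value."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def hidden_executables(bundle):
    """Return sorted bundle-relative paths of dot-prefixed Mach-O files."""
    hits = []
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            full = os.path.join(root, name)
            # Hidden name + executable format is the heuristic (an assumption).
            if name.startswith(".") and not os.path.islink(full) and is_macho(full):
                hits.append(os.path.relpath(full, bundle))
    return sorted(hits)

def build_sample_bundle(base):
    """Constructed bundle: one normal binary, one hidden one, one benign dotfile."""
    macos = os.path.join(base, "Sample.app", "Contents", "MacOS")
    os.makedirs(macos)
    macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # magic plus padding, not a real binary
    samples = [("Sample", macho), (".fseventsd", macho), (".DS_Store", b"\x00\x00\x00\x01Bud1")]
    for name, data in samples:
        with open(os.path.join(macos, name), "wb") as fh:
            fh.write(data)
    return os.path.join(base, "Sample.app")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(hidden_executables(build_sample_bundle(tmp)))
```

On a real system, point hidden_executables at a path under /Applications and compare any hit against the vendor's original bundle.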

How to Protect Yourself

  • Awareness of Pirated Software Risks: Users should be aware of the inherent risks of downloading and using pirated software.
  • Ignoring Security Alerts: Those installing pirated apps often ignore security warnings, increasing their vulnerability.
  • Employing Antivirus and Anti-Malware Software: Installing reputable antivirus and anti-malware software adds an essential layer of defense, even though some malware might evade detection.


In conclusion, the rise in sophisticated malware targeting macOS users through pirated software highlights the need for heightened vigilance and robust cybersecurity practices.
