{"id":6185,"date":"2024-11-12T07:00:00","date_gmt":"2024-11-12T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82537"},"modified":"2024-11-12T07:00:00","modified_gmt":"2024-11-12T13:00:00","slug":"north-korean-linked-hackers-were-caught-experimenting-with-new-macos-malware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/12\/north-korean-linked-hackers-were-caught-experimenting-with-new-macos-malware\/","title":{"rendered":"North Korean-linked hackers were caught experimenting with new macOS malware"},"content":{"rendered":"<p>Researchers can\u2019t tell if the malware was used in a campaign, or North Korean operatives were caught before they could deploy it in the wild.<\/p>\n<figure class=\"single-article__cover\"><img width=\"640\" height=\"426\" src=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/north-korean-linked-hackers-were-caught-experimenting-with-new-macos-malware-2.jpg\" class=\"single-article__cover-image wp-post-image\" alt=\"N. Korean hacker silhouette with North Korean Flag.\"><figcaption>N. Korean hacker silhouette with North Korean Flag. (Getty Images)<\/figcaption><\/figure>\n<p>Hackers associated with North Korea were discovered embedding malware inside macOS applications built with an open-source software development kit, according to researchers at Jamf, a company that makes software geared toward mobile device management.<\/p>\n<p>The <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/11\/FINAL-Jamf-macOS-Flutter-DPRK-Research.pdf\">research, released Tuesday,<\/a> details malware discovered in November by researchers on VirusTotal, a popular online file analysis tool. While the code was malicious, the online scanning platform gave the samples a clean bill of health. Jamf found three versions of the malware; two were written in Go and Python. The third was built using Flutter, which heavily obfuscates the code by default.<\/p>\n<p>Researchers said the techniques and domains associated with the malware \u201calign closely\u201d with North Korean techniques. North Korea typically has financial motivations in mind for cyber operations. Both campaigns were aimed at cryptocurrency-related intrusions and used infrastructure similar to that of North Korea\u2019s Lazarus Group.<\/p>\n<p>Flutter is an open-source application framework developed by Google that lets developers build, design, and maintain applications across iOS, Android, Linux, macOS, Windows, and the web. 
The development kit also happens to obfuscate application code, malicious or otherwise, which makes it harder to reverse engineer.<\/p>\n<p>\u201cThere is nothing inherently malicious about this app architecture, it just so happens to provide a good avenue of obfuscation by design,\u201d the report notes.<\/p>\n<p>Jamf researchers say it\u2019s still an open question whether the malware was actively used in a campaign or simply to test a new method of attack. The malware was sophisticated enough to bypass Apple\u2019s notarization process, a security mechanism intended to ensure that macOS applications are free from known malware and harmful code.<\/p>\n<p>Yet there was no explicit indication that the malware, which was embedded in a clone of the popular video game <a href=\"https:\/\/github.com\/recepsenoglu\/minesweeper\">Minesweeper lifted straight from a GitHub repository<\/a>, was used in an attack campaign. Additionally, the malware samples made a URL request to a malicious domain, which theoretically would have started the next stage of the campaign. However, the report notes that the domain returned a 404 response by the time researchers found the malware.<\/p>\n<p>The domain the malware pointed to was previously used in a campaign discovered by the cybersecurity firm Elastic, aimed at <a href=\"https:\/\/www.elastic.co\/security-labs\/elastic-catches-dprk-passing-out-kandykorn\">infecting blockchain engineers<\/a> using macOS-specific malware. To give further credence to the North Korea link, the Go variant of the macOS malware carried the same file name as another \u201cinfection vector\u201d linked to a different operation, <a href=\"https:\/\/www.sentinelone.com\/labs\/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence\/\">discovered by SentinelOne researchers<\/a>, that targeted macOS devices.<\/p>\n<p>You can read the full research <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/11\/FINAL-Jamf-macOS-Flutter-DPRK-Research.pdf\">here<\/a>.<\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\">\n<h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p>Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. 
Reach out: christian.vasquez at cyberscoop dot com<\/p>\n<\/div>\n<\/footer>\n<p><a href=\"https:\/\/cyberscoop.com\/north-korea-macos-malware-flutter-jamf\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean-linked hackers were caught experimenting with new macOS malware<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[303,282,78,281,3071,1010,3072,647,1073,256,288],"tags":[307,286,86,285,3073,242,3074,240,1076,262,294],"class_list":["post-6185","post","type-post","status-publish","format-standard","hentry","category-apple","category-cybercrime","category-cybersecurity","category-hacking","category-jamf","category-lazarus-group","category-macos","category-north-korea","category-open-source","category-research","category-threats","tag-apple","tag-cybercrime","tag-cybersecurity","tag-hacking","tag-jamf","tag-lazarus-group","tag-macos","tag-north-korea","tag-open-source","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apple\/\" rel=\"category tag\">Apple<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jamf\/\" rel=\"category tag\">Jamf<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lazarus-group\/\" rel=\"category tag\">Lazarus Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/macos\/\" rel=\"category tag\">MacOS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6185"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6185\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}