The Lazarus Group Turns its Attention to Apple Users With a New MacOS Trojan

  • A new two-stage malware from the Lazarus group is going after crypto-coin exchanges.
  • The malicious software was developed to trick macOS users, and it can currently bypass detection on most AV tools.
  • The C&C is currently online, but for now, it is not delivering the second and main payload.

Researcher and threat analyst Dinesh_Devadoss has discovered a new piece of Lazarus malware that was created to target macOS systems. The reason why this new Trojan is connected with the Lazarus group is that it tries to trick the user into believing that it’s a legitimate cryptocurrency app (UnionCryptoTrader.dmg), and we’ve seen this tactic from the North Koreans before. The victim is installing and running the malicious software, which then downloads a secondary payload which is a spying and data exfiltration tool. Nothing is installed on the hard drive, so the whole action is running within your computer’s memory.

Going a bit deeper into the technicalities, the malware downloads the second payload onto the victim’s machine and decrypts it. Then, through the use of certain macOS API calls, an object file image is created. This helps in laying the ground for the file to run in the memory, simulating an actual installation on the hard drive. At this time, the malware is detected only by a handful of engines, with the majority failing to flag the Trojan. The payload binary is unsigned though, so macOS will serve a warning to the user when trying to run the package.


The malicious file theming indicates that the Lazarus group is going after crypto-currency exchanges this time. The name “Union Crypto Trader” and the website that has been set up for the purpose of the distribution is in alignment with this assumption. According to Patrick Wardle’s in-depth analysis, the website is still online and querying the IP address ( is indicating that the Trojan has already been downloaded at least once.


To establish persistence, the malware plants the “vip.unioncrypto.plist” in the launch daemon, so the binary is launched upon every system boot. The file and the newly created directory is set to be owned by root. The first payload is the “identifier” which can send basic system information back to the actor and retrieve new payload samples from the C2. The stage-2 implant is the main data exfiltrator and the fully-fledged malware of the operation. Unfortunately, the analyst couldn’t get a sample from the C&C, as the server is currently answering back with a zero string. That said, the purposes of Lazarus are unclear right now, but the development of this tool gives us an indication of the focus of the hacking group.

Would you trust any cryptocurrency exchange tool you will find online, or do you prefer something specific? Let us know where you stand in the comments down below, or join the discussion on our socials, on Facebook and Twitter.


Recent Articles

The U.S. Copyright Office Says Pirates Shouldn’t Lose Their Internet Connection

Breaking the law is condemnable, but barring someone out of the internet world is unconstitutional. The U.S. Copyright Office is calling the...

Russian Group Called “Cosmic Lynx” Exposed for Massive BEC Operation

The “Cosmic Lynx” actor has launched over 200 BEC campaigns during the past 12 months. The Russian group of hackers was making...

Amazon Prime Video Finally Gets Support for Multiple Profiles – Already Rolling Out in the USA & Around the World!

Prime Video now supports up to six individual profiles, all of which must be linked to one primary Amazon account. You’re free to...

“BlueLeaks” Portal Took Down and Server Seized by the German Police

“BlueLeaks” server located in Germany and seized by the authorities, so the portal is now down. The massive collection of US police...

Additional Evidence Points to the iPhone 12 Coming Without a Power Adapter & EarPods

A 3D concept rendering has surfaced online, showing the insert that will go into this year’s iPhone’s retail box. Once again, we see...