Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants

March 26, 2025, 5:21 p.m.

Description

ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.

External References

https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
https://otx.alienvault.com/pulse/67e41bedc264bcc69a9b8e20
Tags
malware
loader
persistence
macos
adware
rust
go
2025-03-26
nim
genieo
crystal
silver toucan
dolittle
wizardupdate
updateagent
readerupdate

Date

  • Created: March 26, 2025, 3:23 p.m.
  • Published: March 26, 2025, 3:23 p.m.
  • Modified: March 26, 2025, 5:21 p.m.

Indicators

  • 9f2fb463fa521e401118d033459034a0353f510f250095e9ee18ed5c38738825
  • www.entryway.world
  • streamingleaksnow.com
  • slothingpressing.com
  • strawberriesandmangos.com
  • small-inches.com
  • simulators-and-cars.com
  • motorcyclesincyprus.com
  • livingscontinuations.com
  • limitedavailability-show.com
  • lakesandinnovations.com
  • airconditionersontop.com
Download all indicators here!

Attack Patterns

  • Silver Toucan
  • UpdateAgent
  • WizardUpdate
  • DOLITTLE
  • Genieo
  • ReaderUpdate
  • T1546.004
  • T1053.004
  • T1027.001
  • T1074.001
  • T1547.001
  • T1095
  • T1105
  • T1036
  • T1140
  • T1027
  • T1059