New Mac malware identified that evades detection through fake PDF conversion tool

Sept. 1, 2025, 8:59 a.m.

Description

Mosyle has discovered a new Mac malware strain called 'JSCoreRunner' that evades detection by masquerading as a PDF conversion tool. The malware spreads through a malicious website, fileripple.com, and operates in two stages. The first stage, FileRipple.pkg, appears as a legitimate PDF tool while running malicious code in the background. The second stage, Safari14.1.2MojaveAuto.pkg, bypasses Gatekeeper's protections. Once installed, JSCoreRunner targets Chrome browsers, altering search engine settings to redirect users to fraudulent providers. This exposes users to keylogging, phishing, and potential data theft. The malware's sophisticated approach highlights the need for vigilance and proactive security measures for Mac administrators.

External References

https://9to5mac.com/2025/08/27/mosyle-identifies-new-mac-malware-that-evades-detection-through-fake-pdf-conversion-tool
https://otx.alienvault.com/pulse/68b20b6fce80c3addd5e54a3
Tags
2025-08-29
mac
chrome hijacking
apple security
jscorerunner
mosyle
zero-day threat
two-stage infection
fileripple.com
pdf conversion
browser redirection

Date

  • Created: Aug. 29, 2025, 8:19 p.m.
  • Published: Aug. 29, 2025, 8:19 p.m.
  • Modified: Sept. 1, 2025, 8:59 a.m.

Attack Patterns

  • JSCoreRunner