North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

Feb. 26, 2025, 4:46 p.m.

Description

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes "RustDoor," a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of "Koi Stealer," designed to exfiltrate sensitive information

External References

https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
https://otx.alienvault.com/pulse/67bf4431daee3fb074cce3dd
Tags
apt
macos
rust
2025-02-26
cryptocurrencies
koi stealer
studio helper
rustdoor c2

Date

  • Created: Feb. 26, 2025, 4:41 p.m.
  • Published: Feb. 26, 2025, 4:41 p.m.
  • Modified: Feb. 26, 2025, 4:46 p.m.

Indicators

  • c42b103b42d7e9817f93cb66716b7bf2e4fe73a405e0fbbae0806ce8b248a304
  • c379f4ab29a49d4bccb232c8551d1b8b01e64440ea495bbabef9010a519516c3
  • baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d
  • b5412375477a180608bf410f5cb36b4a0949bee7663648a06879f42be9a3b6bc
  • b5119a49830a2044f406645c261e54ab335c9b1e1ed320df758405a8147fae88
  • a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5
  • adde2970b40634e91b9ef8520f8e50eaa7901a65f9230e65d7995ac1a47700ef
  • a5b7ddd12539ce3e8c08bed5855ddcea3217d41d7d4c58fcc1a7e01336b38912
  • 97abafff549ea21797c135c965c5e4a46a44ec7353b2edd293e8a22d5954b6aa
  • 8f0e2b8b3e07f5761066cb00bc0db10d68c56ada8c054e9f07990cc1ac5ae962
  • 8be62324fe5af009c12fb9afc8d4f47d12c98ea680bff490b3f5e0c72c8f9617
  • 77361f7ef25a0185636a0fc6deff2e9986720223da9d6b1494f671082105bebb
  • 76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9
  • 27fcc3278afbbec44737e9f72666946607fea819f5b1cb9fbbe268037a561f0b
  • 17064520feaf5804aa725e123b24fd0f73f8afc9b7f4361650cd11ddf4ee768f
  • 5.255.101.148
  • 31.41.244.92
  • https://visualstudiomacupdate.com
  • https://apple-ads-metric.com
  • apple-ads-metric.com
  • visualstudiomacupdate.com
Download all indicators here!

Attack Patterns

  • Koi Stealer
  • T1059.004
  • T1056.001
  • T1113
  • T1071.001
  • T1070.004
  • T1105
  • T1140
  • T1027