CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

ChillyHell macOS Backdoor Resurfaces with New Capabilities

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.

Timeline

  1. 10.09.2025 16:04 πŸ“° 1 articles

    Discovery of ZynorRAT RAT Targeting Windows and Linux Systems

    A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. The malware is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats. ZynorRAT's customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages.

    Show sources
    Open in new tab
  2. 10.09.2025 14:59 πŸ“° 2 articles

    ChillyHell macOS Backdoor Resurfaces with Enhanced Capabilities

    The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This version includes enhanced capabilities such as local password cracking and timestamping to evade detection. The malware was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities. ChillyHell communicates with hard-coded C2 servers over HTTP or DNS and uses timestomping to modify timestamps of created artifacts. It supports a wide range of commands, including launching a reverse shell, downloading new versions, fetching additional payloads, and conducting brute-force attacks. ChillyHell was notarized by Apple, highlighting that not all malicious code is unsigned.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

Open in new tab

RatOn Android Malware Evolves with NFC Relay and ATS Banking Fraud Capabilities

RatOn, an Android malware, has evolved to include NFC relay and Automated Transfer System (ATS) capabilities. It targets cryptocurrency wallet applications and performs account takeovers. RatOn was first detected in July 2025 and has been actively developed since. It uses fake Play Store listings to distribute malicious droppers, primarily targeting Czech and Slovakian-speaking users. RatOn requests extensive permissions to bypass Android security measures and downloads additional malware, including NFSkate, to perform NFC relay attacks. It can also display ransomware-like overlay screens and exfiltrate sensitive data from cryptocurrency apps. The malware's operators are suspected to be collaborating with local money mules.

Open in new tab

Threat Actor Linked to Play, RansomHub, and DragonForce Ransomware Operations

A threat actor has been identified as being connected to multiple ransomware-as-a-service (RaaS) operations, including Play, RansomHub, and DragonForce. The actor executed a sophisticated intrusion in September 2024, deploying various malware and tools to achieve persistence, escalate privileges, and exfiltrate data. The attack began with a malicious file disguised as DeskSoft’s EarthTime application, which deployed SectopRAT malware. The actor used multiple tools and techniques to evade detection and disable security features, including SystemBC, PowerShell scripts, and legitimate utilities like PsExec. The final goal appeared to be ransomware deployment, but no encryption was executed. Instead, data was archived and exfiltrated via FTP. The actor's toolset and techniques link them to three distinct RaaS operations, indicating a versatile and well-resourced threat actor.

Open in new tab

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker API’s port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host’s utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.

Open in new tab

MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users

A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.

Open in new tab