Monday, May 12, 2025
HomeBackdoorLazarus APT Group Attack Cryptocurrency Exchange using macOS Malware Under the Operation...

Lazarus APT Group Attack Cryptocurrency Exchange using macOS Malware Under the Operation AppleJeus

Published on

SIEM as a Service

Follow Us on Google News

A cyber espionage APT group called Lazarus hits the cryptocurrency exchanges using fake installer and macOS malware using variously sophisticated techniques.

Lazarus group widely known for cyber attacks against various financial institutions and they have successfully compromised several banks and other financial sectors.

In this case attackers targeting various platform and developing malware based on the targets and currently they are using new macOS malware to compromise the cryptocurrency exchange and this is the first time Lazarus APT using macOS malware.

- Advertisement - Google News

This attack is performing both windows as well as macOS platform  since many developers and engineers are switching to using macOS.

Attackers found a way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism.

This Malware distributed through this Celas LLC Tool, but researchers said,” We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism.

A researcher named this operation as AppleJeus because of the developer did this project under the name of Jeus.

Infection Process using macOS Malware 

The victim had been infected with the help of a trojanized cryptocurrency trading application and the user installed this program via a download link delivered over email.

Attackers distributing the malicious installer via update for a trading application called Celas Trade Pro which is one of the  legitimate-looking application developed by Celas Limited that is work as an all-in-one style cryptocurrency trading program.

But the installation package has performed a very suspicious updater at the end of the installation process where installer immediately runs the Updater.exe module with the “CheckUpdate” parameter.

Updater.exe is used to collect the victim’s host information and send it back to the server and the malware create a unique string for each infected system to the unique identifier of the infected Windows host.

In order to infect the macOS, A hidden updater called auto updater is being installed after the installation of trading program tool Celas.

Once the system rebooted then It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server.

According to kaspersky researchers,The trojanized updater works similar to the Windows version in many ways. Both applications are implemented using a cross-platform QT framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information.

later threat actor delivers the malicious payload and the main function of this malware is to implant the Fall chill backdoor loader linked to several files.

This backdoor contains full future to fully control the infected host and these backdoor capabilities are common as previous backdoors.

Also Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...