Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.
CHILLYHELL is the name assigned to a malware that’s attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022.
According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.
The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.
Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators.
To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file.
A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.
“If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command,” Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said.
CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from “/etc/passwd” and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.
“Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape.”
“Notably, ChillyHell was notarized and serves as an important reminder that not all…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
