North Korean hackers target macOS with trojanized apps to test security vulnerabilities

Security researchers have uncovered a new campaign by North Korean threat actors targeting Apple macOS systems through trojanized apps that masquerade as cryptocurrency-themed Notepad applications and Minesweeper games. Built with Google’s Flutter framework, the applications were signed and notarized with a legitimate Apple developer ID, so that, until that ID was revoked, macOS treated them as trusted software and ran them without restriction.


Jamf Threat Labs, which identified this operation, reports that it appears to be a test of methods for bypassing macOS defenses rather than a fully scaled, targeted attack. According to Ferdous Saljooki and Jaron Bradley of Jamf, the attackers are leveraging the versatility of Flutter-based applications: the malicious code sits inside a dynamic library (dylib) that the Flutter engine loads at runtime, which makes it harder to spot. This approach allowed the apps to pass unnoticed through antivirus scans and macOS security controls.


The apps, first detected on VirusTotal in November 2024, appear innocent at face value but initiate “stage one” connections to servers tied to North Korean-linked domains. Among the trojanized apps discovered were “New Updates in Crypto Exchange (2024-08-28).app,” a Minesweeper game, and “Runner.app,” a Notepad-style app. All had cryptocurrency-focused themes, a hallmark of the financially motivated cyber activity North Korean hackers are known to pursue.


Upon further inspection, Jamf found that the Minesweeper game’s obfuscated dylib code enabled AppleScript execution, allowing the malware to run scripts from a command and control (C2) server. Additionally, variants coded in Golang and Python, such as “New Era for Stablecoins and DeFi, CeFi (Protected).app,” were linked to the North Korean-controlled domain “mbupdate.linkpc[.]net,” indicating coordinated scripting functionality across multiple versions of the malicious software.
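The two behaviours the article attributes to these apps, a “stage one” connection to an attacker-controlled domain followed by AppleScript execution driven from the C2 server, are the kind of sequence a defender can correlate in endpoint telemetry. The script below is an added illustration of that triage logic; it is not code from Jamf or from the article. The event format and all sample events are constructed for this example, the only page-derived values being the C2 domain “mbupdate.linkpc[.]net” and the bundle name “Runner.app”; a real deployment would feed it events from whatever EDR or unified-log source is in use.

```python
"""Correlate constructed macOS process/network events against the behaviours
described in the Jamf report: contact with a known C2 host, then osascript
(AppleScript) spawned by the same application binary."""
import re
from typing import Optional

# Constructed line format (not any real EDR's output):
#   <timestamp> proc exec=<path> parent=<path>
#   <timestamp> net  proc=<path> dst=<host>:<port>
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>proc|net)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a.b[.]c' back into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower()


# Indicator taken from the article (Jamf's reporting), stored defanged and
# normalised at import time so either spelling matches in telemetry.
KNOWN_C2_DOMAINS = {refang("mbupdate.linkpc[.]net")}

# Constructed sample telemetry. Runner.app is named in the article; the
# Automator line is a benign control to show the lower-severity path.
SAMPLE_EVENTS = [
    "2024-11-12T10:01:03Z proc exec=/Applications/Runner.app/Contents/MacOS/Runner parent=/sbin/launchd",
    "2024-11-12T10:01:05Z net proc=/Applications/Runner.app/Contents/MacOS/Runner dst=mbupdate.linkpc.net:443",
    "2024-11-12T10:01:07Z proc exec=/usr/bin/osascript parent=/Applications/Runner.app/Contents/MacOS/Runner",
    "2024-11-12T10:02:00Z net proc=/Applications/Safari.app/Contents/MacOS/Safari dst=example.com:443",
    "2024-11-12T10:03:00Z proc exec=/usr/bin/osascript parent=/Applications/Automator.app/Contents/MacOS/Automator",
    "this line is not an event and must be ignored",
]


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"ts": m.group("ts"), "kind": m.group("kind"), **fields}


def is_app_bundle_binary(path: str) -> bool:
    """True for executables living inside a .app bundle's Contents/MacOS directory."""
    return ".app/" in path and "/Contents/MacOS/" in path


def triage(lines) -> list:
    """Return (rule, timestamp, subject, detail) findings, most severe rules first
    in time order: c2_contact and applescript_after_c2 are high confidence,
    applescript_from_app is a weak signal kept for analyst context."""
    findings = []
    contacted_c2 = set()  # binaries observed talking to a known C2 host
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "net":
            host = refang(ev.get("dst", "")).rsplit(":", 1)[0]
            if host in KNOWN_C2_DOMAINS:
                contacted_c2.add(ev.get("proc", ""))
                findings.append(("c2_contact", ev["ts"], ev.get("proc", ""), host))
        else:  # proc
            exe, parent = ev.get("exec", ""), ev.get("parent", "")
            if not exe.endswith("/osascript"):
                continue
            if parent in contacted_c2:
                # The article's described chain: C2 contact, then script execution.
                findings.append(("applescript_after_c2", ev["ts"], parent, exe))
            elif is_app_bundle_binary(parent):
                findings.append(("applescript_from_app", ev["ts"], parent, exe))
    return findings


if __name__ == "__main__":
    for rule, ts, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{ts} {rule:22} {subject} -> {detail}")
```

The ordering of the two osascript checks is deliberate: a script host launched by a binary that has already reached a known C2 domain is the pattern the article describes and is reported as such, whereas osascript launched by any other app bundle is only recorded as a weak signal, since legitimate automation tools spawn it routinely.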


Jamf reports that Apple has since revoked the developer IDs and signatures for these applications, blocking them from bypassing macOS’s Gatekeeper protections on updated systems. Despite this mitigation, Jamf has yet to confirm whether these apps were part of real-world attacks or simply “in-the-wild” tests designed to probe macOS security.


The multiple variations of these apps suggest that North Korean actors are experimenting with evading security defenses rather than launching a targeted operation. The Jamf team underscores that while embedding malware within Flutter-based applications is not new, this marks the first known instance of North Korean actors using Flutter to target macOS devices. The tactic could signal evolving strategies by North Korean hackers, raising new security challenges for macOS users and for Apple’s security controls.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543