Particle.news

Researchers Uncover Notarized macOS Backdoor and Cross-Platform RAT Using Telegram C2

Apple revoked the malware’s developer certificates after Jamf highlighted a notarized sample hosted since 2021.

Overview

  • Jamf Threat Labs found a new CHILLYHELL sample on VirusTotal on May 2, 2025 that had passed Apple notarization in 2021 and was publicly hosted on Dropbox.
  • CHILLYHELL profiles infected Macs, persists via LaunchAgent, LaunchDaemon or shell profile edits, communicates over HTTP or DNS, and supports reverse shells, payload delivery, /etc/passwd enumeration and brute-force attacks.
  • Researchers note evasion features such as timestomping of dropped files and a decoy visit to Google.com on launch to reduce user suspicion.
  • Mandiant attributes CHILLYHELL activity to UNC4487, a suspected espionage cluster observed redirecting visitors from Ukrainian government-related sites to malware.
  • Separately, Sysdig detailed ZynorRAT, a Go-based RAT first seen on July 8, 2025. It uses a Telegram bot (@lraterrorsbot) for command-and-control, exfiltrates files, captures screenshots and persists via systemd on Linux; a Windows build is still under development. Payloads are distributed via Dosya.co, and indicators point to a likely lone author.
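The CHILLYHELL bullets above name three host artefacts a responder can hunt for without any sample in hand: LaunchAgent/LaunchDaemon plists that autorun a program from an unusual path, shell profile edits that launch something, and files whose modification time has been pushed into the past (timestomping). The script below is an added example written for this page, not Jamf's tooling or anything from the article; the trusted-path prefixes, the keyword list for shell profiles and the 30-day timestomp slack are heuristics chosen for the demo, and the home directory, plists and payload it scans are constructed in a temporary folder.

```python
"""Hunt for CHILLYHELL-style persistence and timestomping on a macOS home directory.
Added example for this page; heuristics and sample data are constructed, not from the article."""
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Shell rc files an attacker can edit so a payload runs at every new interactive shell.
SHELL_PROFILES = (".zshrc", ".zprofile", ".bash_profile", ".bashrc", ".profile")
# Program locations considered normal for a launchd job (assumption for this example).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Tokens in an rc line that warrant a look: hidden dirs, temp dirs, backgrounded downloads.
PROFILE_TOKENS = ("/tmp/", "/.", "nohup ", "curl ")


def suspicious_launch_items(launch_dirs):
    """Return (plist_path, program) for RunAtLoad/KeepAlive jobs whose program is outside TRUSTED_PREFIXES."""
    hits = []
    for d in launch_dirs:
        for p in Path(d).glob("*.plist"):
            try:
                with open(p, "rb") as f:
                    job = plistlib.load(f)
            except (plistlib.InvalidFileException, OSError):
                continue  # unreadable or malformed plist; not a verdict either way
            args = job.get("ProgramArguments") or []
            program = job.get("Program") or (args[0] if args else "")
            autoruns = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
            if autoruns and not program.startswith(TRUSTED_PREFIXES):
                hits.append((str(p), program))
    return hits


def suspicious_profile_lines(home):
    """Return (rc_path, line) for non-comment rc lines containing any PROFILE_TOKENS."""
    hits = []
    for name in SHELL_PROFILES:
        rc = Path(home) / name
        if not rc.is_file():
            continue
        for line in rc.read_text(errors="replace").splitlines():
            s = line.strip()
            if s and not s.startswith("#") and any(tok in s for tok in PROFILE_TOKENS):
                hits.append((str(rc), s))
    return hits


def timestomped(path, slack_days=30):
    """True when mtime predates the file's creation/inode-change reference by more than slack_days.
    macOS exposes st_birthtime (a file cannot be modified before it was created);
    elsewhere fall back to st_ctime, which utime() refreshes even when mtime is rewritten."""
    st = os.stat(path)
    reference = getattr(st, "st_birthtime", st.st_ctime)
    return (reference - st.st_mtime) > slack_days * 86400


def build_demo():
    """Construct a throwaway home dir with one benign and one suspicious LaunchAgent,
    an edited .zshrc and a timestomped payload, then run all three checks over it."""
    home = Path(tempfile.mkdtemp())
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.benign.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true", "RunAtLoad": True}, f)
    payload = home / "Library" / ".hidden" / "updater"  # hypothetical dropped binary
    payload.parent.mkdir(parents=True)
    payload.write_bytes(b"#!/bin/sh\necho demo\n")
    with open(agents / "com.example.updater.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "ProgramArguments": [str(payload)], "RunAtLoad": True}, f)
    (home / ".zshrc").write_text(
        "export PATH=$PATH:/opt/bin\n"
        f"nohup {payload} >/dev/null 2>&1 &\n")
    # Timestomp the payload: push mtime back two years; ctime/birthtime still say "now".
    old = time.time() - 2 * 365 * 86400
    os.utime(payload, (old, old))
    return {
        "launch": suspicious_launch_items([agents]),
        "profile": suspicious_profile_lines(home),
        "timestomped": [str(p) for p in (payload, home / ".zshrc") if timestomped(p)],
    }


if __name__ == "__main__":
    for kind, items in build_demo().items():
        print(kind, items)
```

On a real Mac, point `suspicious_launch_items` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and run it against each user's home. Treat every hit as a lead, not a verdict: software installers legitimately drop RunAtLoad agents, and files restored from archives keep old mtimes, which is why the slack exists. For any flagged binary, `spctl --assess --verbose=4 <path>` and `codesign -dv --verbose=4 <path>` show whether it is notarized and under which developer identity, which matters given that the sample in this story passed notarization before its certificates were revoked.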