
ALPHV ransomware group may be sniffing around Mac OS

Researchers find backdoor malware written in Rust, which overlaps with ALPHV/BlackCat infrastructure.

David Hollingworth
Fri, 09 Feb 2024

There’s a new backdoor doing the rounds in the wild, and it appears to be targeting Mac OS devices.

It’s written in the Rust programming language, and Bitdefender’s researchers are calling it Trojan.MAC.RustDoor.

But what makes it particularly noteworthy is that it shares three out of its four command and control servers with infrastructure observed to be used by the ALPHV ransomware gang, also known as BlackCat.


The backdoor itself impersonates a Visual Studio update and appears to have been in circulation since November 2023, while the most recent sample Bitdefender has seen dates from 2 February 2024.

There are three distinct variants of the backdoor, though they all share the same core code. All of them can extract and upload files from an infected machine while also creating a Victim ID in the code, used for later functionality.

The first version, Variant 1, appears to be a test version, while Variant 2 is slightly larger and includes an added JSON configuration and an AppleScript. There are, again, multiple versions of this script, but all are focused on data extraction.

Finally, there’s a Variant Zero, the original build of the backdoor, which is both smaller and less complex.

The working version of the backdoor can be configured to impersonate several applications and to look for files of a particular type and size. It can also exclude certain directories. The malware maintains persistence through a number of methods, from using cronjobs to adding the binary to the system’s dock – something relatively rare in Mac OS backdoors.
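For defenders who want to check the two persistence locations mentioned above, here is an added example (not from Bitdefender or from the article) that lists Dock-pinned items and crontab entries pointing outside the usual application and system directories. It assumes the Dock preference layout of `persistent-apps` → `tile-data` → `file-data` → `_CFURLString`; the trusted-prefix list and all sample data are constructed for illustration.

```python
import plistlib
import re
from urllib.parse import unquote, urlparse

# Assumption: locations where pinned apps and scheduled binaries normally live.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

def dock_item_paths(plist_bytes):
    """Filesystem paths of the items pinned under persistent-apps in a Dock plist."""
    dock = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    paths = []
    for item in dock.get("persistent-apps", []):
        url = item.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
        if url:
            paths.append(unquote(urlparse(url).path) if url.startswith("file://") else url)
    return paths

def cron_executables(crontab_text):
    """Executable named by each active crontab entry (comments and VAR=value lines skipped)."""
    exes = []
    for line in map(str.strip, crontab_text.splitlines()):
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        # "@reboot cmd" has one schedule field; ordinary entries have five.
        fields = line.split(None, 1 if line.startswith("@") else 5)
        if len(fields) == (2 if line.startswith("@") else 6):
            exes.append(fields[-1].split()[0])
    return exes

def needs_review(paths):
    """Paths outside the trusted prefixes; bare names resolved through PATH are not judged."""
    return [p for p in paths if "/" in p and not p.startswith(TRUSTED_PREFIXES)]

# Constructed sample data, not taken from any real sample or host.
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    {"tile-data": {"file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
    {"tile-data": {"file-data": {"_CFURLString": "file:///Users/alice/Downloads/Example%20Update"}}},
]})
SAMPLE_CRONTAB = """\
# constructed crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/true
@reboot /Users/alice/.cache/helper >/dev/null 2>&1
"""

if __name__ == "__main__":
    for p in needs_review(dock_item_paths(SAMPLE_DOCK) + cron_executables(SAMPLE_CRONTAB)):
        print("review:", p)
```

On a real machine the inputs would be the bytes of `~/Library/Preferences/com.apple.dock.plist` and the output of `crontab -l`; a hit is only a prompt to look closer, since legitimate tools also install outside these directories.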

Bitdefender’s investigation of Trojan.MAC.RustDoor is ongoing.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
