Pierluigi Paganini
January 22, 2024
Jamf Threat Labs researchers warned that pirated applications have been utilized to distribute a backdoor to Apple macOS users.
The researchers noticed that the apps appear similar to ZuRu malware, they allow operators to download and execute multiple payloads to compromise machines in the background.
The pirated applications discovered by Jamf Threat Labs are being hosted on Chinese pirating websites.
During their investigation, the researchers detected an executable name .fseventsd. The executable attempts to avoid detection by starting with a period and using the name of a process built into the operating system. It’s not signed by Apple, however, at the time of the research it was not detected by any anti-virus on VirusTotal.
Using VirusTotal, Jamf Threat Labs researchers discovered that the .fseventsd binary was initially uploaded as part of a larger DMG file. Further investigation on VirusTotal revealed three pirated applications that contained the same malware. The experts also discovered many pirated applications hosted on the Chinese website macyy[.]cn. The experts also identified two more trojanized DMGs following a similar pattern that had not been reported on VirusTotal.
The malware-laced DMG files include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
Each pirated application included the following components:
“Each application bundle has had its Mach-O executable modified with an additional load command.” reads the analysis published by Jamf. “This technique of hooking malware in via malicious dylib is considered fairly advanced as far as macOS malware goes. However, it does result in breaking the application signature. As a result, the apps are being distributed online as unsigned applications — a detail that many users who are downloading pirated applications likely don’t care about.“
Upon executing the FinalShell.dmg application, the dylib library loads the backdoor “bd.log” and the downloader “fl01.log” from a remote server.
The bd.log backdoor is written to the path “/tmp/.test”, this executable remains hidden in the temporary directory and storing the malware in this folder will cause the deletion of the backdoor when the system shuts down.
The backdoor is written in this path every time the pirated application is loaded and the dropper is executed.
“The executable found at the directory /Users/Shared/.fseventsd acts as a persistent downloader, enabling the execution of arbitrary payloads retrieved from the attacker’s server.” continues the analysis.
The malware creates a LaunchAgent to maintain persistence and sends an HTTP GET request to the attacker’s server.
The researchers discovered many similarities between this malware and the ZuRu malware that has been active since at least 2021 [1], [2].
Both malware primarily targets victims in China.
“The ZuRu malware was originally found in pirated applications iTerm, SecureCRT, Navicat Premium and Microsoft Remote Desktop Client. Upon opening the infected application, the user was presented with an operational app, but logic held within an added dylib would execute a Python script in the background to grab sensitive files and upload them to an attacker server.” concludes the report. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, pirated applications)
Pierluigi Paganini
September 20, 2025
